Ryan Marshall
Mobile in the Crosshairs: The Strategic Evolution of PrestaShop Malware

In the world of digital forensics and incident response, we often track the "arms race" between security researchers and threat actors. Recent investigations by the Foregenix team into compromised PrestaShop environments have identified a sophisticated evolution in this struggle. What was once a broad, "spray-and-pray" approach to browser-based payment skimming has transitioned into a highly surgical, device-aware campaign that specifically targets the mobile user experience.

This shift is not accidental. It represents a calculated effort by attackers to maximise their "dwell time" - the duration an infection remains active before being discovered - by exploiting the inherent differences between desktop auditing and mobile browsing.

Understanding the PrestaShop Threat Landscape

PrestaShop remains a cornerstone of global e-commerce, making it a perennial target for Magecart-style skimming operations. Traditionally, these attacks involve injecting malicious JavaScript into theme files or core modules to intercept cardholder data during the checkout process. In many of the cases we investigate, the attackers achieve this by silently replacing legitimate payment forms with convincing overlays, or by introducing a duplicate payment step that harvests card details before passing the victim back to the genuine gateway.

However, the most dangerous characteristic of modern skimming malware is its ability to "hide in plain sight." For years, we have seen scripts that include logic to detect administrative sessions or known security scanning IP addresses, effectively "switching off" the malware when a developer or researcher is looking. The latest trend we are observing is an extension of this stealth: conditional execution based on hardware characteristics.

The Technical Pivot: Device-Aware Payloads

Recent variants of PrestaShop malware witnessed by Foregenix are designed to be contextually aware. Instead of executing for every visitor, the malicious code now interrogates the visitor’s device characteristics before deploying its payload. Specifically, the scripts look for indicators of a mobile device, such as:

  • Screen width thresholds (the payload only runs below a given viewport or screen width, targeting smaller devices)
  • Detection of the CSS pointer: coarse media feature, typically via window.matchMedia (a strong indicator of a touch-based/mobile device)

In practical terms, this means that a user visiting the site on a standard desktop workstation will see a perfectly clean checkout flow. The malicious script remains dormant, refusing to trigger its skimming logic because the environment does not match the attacker’s specific criteria. Only when a genuine customer visits the website via a mobile device does the malware "arm" itself, presenting the fraudulent form and capturing the cardholder data.

Mobile is the New Strategic Priority

There are several reasons why attackers are pivoting toward mobile targeting. First and foremost is the evasion of professional analysis. Security teams and automated vulnerability scanners frequently utilise desktop-based headless browsers or standard desktop user agents. By limiting execution to mobile devices, threat actors can bypass these initial layers of detection, allowing the infection to persist for months without being flagged by standard monitoring tools.

Furthermore, the surge in mobile commerce (m-commerce) provides a target-rich environment. With a significant and growing percentage of global online transactions occurring on mobile devices, attackers can still maintain high volumes of stolen cardholder data even while ignoring desktop users entirely.

Mobile users are often less likely to scrutinise subtle UI inconsistencies. On a smaller screen, a slightly misaligned logo or an extra step in the checkout process is easier to dismiss as a responsive design quirk rather than a sign of a compromise. This reduced user scrutiny, combined with the difficulty of inspecting network traffic on a mobile device, creates the perfect environment for a stealthy skimmer to operate.

Modern Implications for Store Owners and Defenders

This evolution proves that traditional security testing is no longer sufficient. If your security assessment relies solely on desktop-based "spot checks" or automated crawlers that do not simulate a variety of hardware environments, you are likely missing a significant portion of the threat landscape.

The new baseline for e-commerce security is understanding not just that code has changed, but under what conditions that code executes. A site may appear clean under standard inspection while still delivering malicious payloads to half of its customer base. Identifying these techniques calls for a more cohesive defence that combines signature-based tools, File Integrity Monitoring (FIM), and comprehensive manual inspection.
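As an added illustration of the device-aware checks described under "The Technical Pivot" and of the condition-aware review this section asks for, the following static triage pass (example code written for this article, not Foregenix's tooling or PrestaShop's own code) flags JavaScript that combines device-gating checks with payment-field access. It covers the page's two indicators and, as an assumed extension, navigator.maxTouchPoints; the sample scripts are constructed, not captured from a real compromise.

```javascript
// Device-gating indicators: the two from the article plus an assumed maxTouchPoints check.
const GATING_PATTERNS = [
  { name: "pointer-coarse media query", re: /matchMedia\s*\(\s*["'`][^"'`]*pointer\s*:\s*coarse/i },
  { name: "screen-width threshold", re: /\b(screen\.width|innerWidth|clientWidth|outerWidth)\b\s*(<=?|>=?)\s*\d+/ },
  { name: "touch-point count (assumed extension)", re: /\bmaxTouchPoints\b\s*(>=?|>)\s*\d+/ },
];

// Payment-context indicators: card-field names and lookups of checkout/payment elements.
const PAYMENT_PATTERNS = [
  { name: "card-field reference", re: /\b(card[_-]?number|cvv|cvc|cc[_-]?num|expiry)\b/i },
  { name: "checkout-form lookup", re: /(querySelector(All)?|getElementById|getElementsByName)\s*\(\s*["'`][^"'`]*(payment|checkout|card)/i },
];

// Runs each pattern over each line and records the 1-based line of every hit.
function scan(lines, patterns) {
  const hits = [];
  lines.forEach((line, i) => {
    for (const p of patterns) if (p.re.test(line)) hits.push({ pattern: p.name, line: i + 1 });
  });
  return hits;
}

// Triage one script body. Gating alone is normal in responsive themes; gating in the same
// script as payment-field access is what the article describes and is raised for review.
function triageScript(source) {
  const lines = source.split(/\r?\n/);
  const gating = scan(lines, GATING_PATTERNS);
  const payment = scan(lines, PAYMENT_PATTERNS);
  let verdict = "clean";
  if (gating.length && payment.length) verdict = "suspicious: device-gated payment access";
  else if (gating.length) verdict = "gating only: likely responsive code, confirm context";
  else if (payment.length) verdict = "payment access without gating: verify against known module";
  return { gating, payment, verdict };
}

// Constructed samples for demonstration (not from a real site).
const RESPONSIVE_THEME = `
if (window.matchMedia("(pointer: coarse)").matches) {
  document.body.classList.add("touch-nav");
}`;

const GATED_CHECKOUT = `
var isMobile = window.matchMedia("(pointer: coarse)").matches && screen.width < 768;
if (isMobile) {
  var form = document.querySelector("#payment-form");
  /* ... constructed placeholder: overlay the form and read cardNumber ... */
}`;

for (const [label, src] of [["theme.js", RESPONSIVE_THEME], ["module.js", GATED_CHECKOUT]]) {
  const r = triageScript(src);
  console.log(label, "->", r.verdict, JSON.stringify(r.gating.concat(r.payment)));
}
```

Run it over the JavaScript served on the checkout page (theme assets and module files alike); a "suspicious" verdict is a prompt for manual inspection under a mobile profile, not proof of compromise on its own.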

Conclusion

The shift to mobile-targeted delivery in PrestaShop skimming campaigns proves attackers are strategically exploiting gaps in traditional detection capabilities. As broad-spectrum malware detection improves, attackers are refining their logic, narrowly focusing their execution to specifically evade standard security tools.

At Foregenix, we emphasise that clear visibility is essential for defense. Against context-aware malware, your monitoring strategy must be adaptive enough to uncover these nuanced threats.

If you suspect your checkout page has been compromised by skimming malware, every minute counts to protect your customers' data. At Foregenix, we specialise in rapid breach response. By combining our intelligent automated scanning with decades of hands-on forensic experience in e-commerce and payment fraud, we do not just find the entry point - we help you seal it. Reach out to our team today for a comprehensive assessment and restore your site's integrity.
