ABS-CBN next in series of high-profile breaches

ABS-CBN headquarters

While Filipinos are recovering from Typhoon Mangkhut, another misfortune awaits them online. I found that their broadcasting giant ABS-CBN, a $740 million conglomerate and top-500 global Internet destination, has been hacked. Criminals have been running a payment skimmer on ABS-CBN's online store since at least August 16th. Personal information and credit card details are intercepted while people shop for merchandise for one of the 90+ television shows. The stolen data is sent onwards to a server registered in Irkutsk, Russia. The credit cards and identities are then (presumably) sold on the black market.

ABS-CBN is the latest target in a series of high-profile skimming operations. Previously, British Airways and Ticketmaster admitted to massive theft of their customers' credit cards. The methodology found at these crime scenes is the same: browser-based interception during the checkout process. This method is quickly gaining popularity because encrypted connections (HTTPS/SSL) offer no protection against it: the data is captured in the browser, before it is encrypted for transport.

Filipinos are advised to check their credit card statements carefully for unauthorized payments.

I have notified ABS-CBN of the breach, but have not received a response.

Technical details

I discovered the fraud campaign when I implemented new heuristics for my malware detection system this week. The (obfuscated) malware is located at store.abs-cbn.com/js/lib/ccard.js (archive.org). This specific file has not been modified for four weeks, suggesting the malware was injected on or before August 16th.

$ curl -v https://store.abs-cbn.com/js/lib/ccard.js
< Last-Modified: Thu, 16 Aug 2018 06:24:34 GMT
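The same Last-Modified reasoning can be turned into a triage check a store owner runs over their own scripts. The sketch below is an added example, not code from the original article or from Sansec: it parses `curl -v` header output and flags files changed after the last known deployment. Only the ccard.js timestamp comes from the article; the other paths, the deployment date and the observation date are constructed. Last-Modified is set by the server and can be reset, so a hit is a lead to investigate, not proof.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: `curl -v` response-header lines per script. Only the
# ccard.js Last-Modified value is from the article; the rest is made up.
SAMPLE = {
    "/js/lib/ccard.js": "< HTTP/1.1 200 OK\n< Last-Modified: Thu, 16 Aug 2018 06:24:34 GMT\n",
    "/js/lib/cart.js": "< HTTP/1.1 200 OK\n< Last-Modified: Mon, 02 Jul 2018 09:00:00 GMT\n",
    "/js/lib/menu.js": "< HTTP/1.1 200 OK\n< Content-Type: application/javascript\n",
}
LAST_DEPLOY = datetime(2018, 7, 10, tzinfo=timezone.utc)    # assumed release date
OBSERVED = datetime(2018, 9, 13, 12, tzinfo=timezone.utc)   # assumed check time

HEADER = re.compile(r"^<\s*Last-Modified:\s*(.+?)\s*$", re.I | re.M)

def last_modified(curl_output):
    """Return the Last-Modified time found in `curl -v` output, or None."""
    match = HEADER.search(curl_output)
    if not match:
        return None
    try:
        return parsedate_to_datetime(match.group(1))
    except (TypeError, ValueError):   # malformed HTTP date
        return None

def triage(headers_by_path, last_deploy, observed):
    """Map each script to (status, minimum days the current content has been live)."""
    report = {}
    for path, output in headers_by_path.items():
        ts = last_modified(output)
        if ts is None:
            # No usable header: nothing can be concluded, check by hash instead.
            report[path] = ("unknown", None)
        elif ts > last_deploy:
            # Changed outside a release; content has been served at least this long.
            report[path] = ("changed-after-deploy", (observed - ts).days)
        else:
            report[path] = ("ok", None)
    return report

if __name__ == "__main__":
    for path, (status, days) in triage(SAMPLE, LAST_DEPLOY, OBSERVED).items():
        print(f"{path}: {status}" + (f", live for >= {days} days" if days else ""))
```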

The malware sends its stolen data to a payment collection server called adaptivecss.org.

This server is on the same Russian network as coffemokko.com, a different malware campaign that I found earlier this week:
