While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. I found their broadcasting giant ABS-CBN − a $740 million conglomerate & top-500 global Internet destination − to be hacked. Criminals have been running a payment skimmer on ABS-CBN's online store since at least August 16th. Personal information and credit cards are intercepted while people shop for merchandise for one of the 90+ television shows. The stolen data is sent onwards to a server registered in Irkutsk, Russia. The credit cards and identities are then (presumably) sold on the black market.
ABS-CBN is the latest target in a series of high-profile skimming operations. Previously, British Airways and Ticketmaster admitted massive theft of their customers' credit cards. The methodology found at these crime scenes is the same: browser-based interception during the checkout process. This method is quickly gaining popularity because it defeats the security of encrypted connections (https/SSL).
Filipinos are advised to carefully check their credit card statements for unauthorized payments.
I have notified ABS-CBN of the breach, but have not received a response.
I discovered the fraud campaign when I implemented new heuristics for my malware detection system this week. The (obfuscated) malware is located at
store.abs-cbn.com/js/lib/ccard.js (archive.org). This specific file has not been modified for four weeks, suggesting the malware was injected on or before August 16th.
```
$ curl -v https://store.abs-cbn.com/js/lib/ccard.js
< Last-Modified: Thu, 16 Aug 2018 06:24:34 GMT
```
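To turn that Last-Modified check into a routine defensive control, here is an added example (my own code, not the post's or ABS-CBN's) that keeps a baseline of the scripts served on a checkout page and flags any script whose content hash changed or that was not in the baseline at all. The shop.example URLs and script bodies are constructed placeholders; the header is treated only as a secondary signal, since a compromised server can report any timestamp it likes.

```python
# Added example, not code from the post: baseline check for storefront scripts.
import hashlib
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def digest(body):
    return hashlib.sha256(body).hexdigest()

def fetch_asset(url):
    """Fetch one script over HTTPS; return (Last-Modified header, sha256 of body)."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.headers.get("Last-Modified"), digest(resp.read())

def modified_age_days(last_modified, now=None):
    """Days since the server-reported Last-Modified, or None if absent/unparseable.
    The header is advisory only: a compromised server can report anything."""
    if not last_modified:
        return None
    try:
        stamp = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):
        return None
    if stamp.tzinfo is None:
        stamp = stamp.replace(tzinfo=timezone.utc)
    return ((now or datetime.now(timezone.utc)) - stamp).total_seconds() / 86400

def compare_to_baseline(baseline, observed):
    """Both map url -> (last_modified, sha256); returns (url, reason). Hash is authoritative."""
    findings = []
    for url, (base_lm, base_hash) in baseline.items():
        if url not in observed:
            findings.append((url, "missing"))
        elif observed[url][1] != base_hash:
            findings.append((url, "content changed"))
        elif observed[url][0] != base_lm:
            findings.append((url, "header changed, content unchanged"))
    findings += [(u, "new script not in baseline") for u in observed if u not in baseline]
    return findings

# Constructed sample (hypothetical shop.example host): one script edited, one unknown script added.
SAMPLE_NOW = datetime(2018, 9, 13, tzinfo=timezone.utc)
BASELINE = {"https://shop.example/js/checkout.js":
            ("Thu, 02 Aug 2018 10:00:00 GMT", digest(b"function pay(){}"))}
OBSERVED = {"https://shop.example/js/checkout.js":
            ("Thu, 16 Aug 2018 06:24:34 GMT", digest(b"function pay(){}/*x*/")),
            "https://shop.example/js/ccard.js":
            ("Thu, 16 Aug 2018 06:24:34 GMT", digest(b"eval(atob('...'))"))}
def run_sample():
    return compare_to_baseline(BASELINE, OBSERVED)
```

In practice the baseline is recorded from a known-good deployment and `fetch_asset` is run against each script URL on the checkout page on a schedule; any "content changed" or "new script" finding is reviewed before the next deployment updates the baseline.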
The malware sends its stolen data to a payment collection server called
This server is on the same Russian network as coffemokko.com, a different malware campaign that I found earlier this week:
Just discovered the curiously named "Coffe&Tea" malware campaign. CC servers at https://t.co/pS6O7mXCbm, https://t.co/7i8JqZcNXf, https://t.co/yCiImbSyfY. They have open dirs so you can list the fake payment popups per victim. Do you recognize any of them? pic.twitter.com/TFIr4qrHjm— Willem de Groot (@gwillem) September 13, 2018