ABS-CBN next in series of high profile breaches
by Sansec Forensics Team
Published in Threat Research − September 18, 2018

ABS-CBN headquarters
While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. We found that their broadcasting giant ABS-CBN, a $740 million conglomerate and a top-500 global Internet destination, has been hacked. Criminals have been running a payment skimmer on ABS-CBN's online store since at least August 16th. Personal information and credit card details are intercepted while people shop for merchandise from one of the network's 90+ television shows. The stolen data is sent onwards to a server registered in Irkutsk, Russia. The credit cards and identities are then (presumably) sold on the black market.
ABS-CBN is the latest target in a series of high profile skimming operations. Previously, British Airways and Ticketmaster admitted to the massive theft of their customers' credit card data. The methodology found at these crime scenes is the same: browser-based interception during the checkout process. This method is quickly gaining popularity because it defeats the protection of encrypted connections (HTTPS/SSL): the data is captured inside the shopper's browser before it is ever encrypted for transport.
Filipinos are advised to check their credit card statements carefully for unauthorized payments.
We have notified ABS-CBN of the breach, but have not received a response.
Technical details
Sansec discovered the fraud campaign with newly released malware detection heuristics. The (obfuscated) malware is located at store.abs-cbn.com/js/lib/ccard.js (archived copy on archive.org). This file has not been modified in four weeks, suggesting the malware was injected on or before August 16th, as the server's Last-Modified header shows:
$ curl -v https://store.abs-cbn.com/js/lib/ccard.js
< Last-Modified: Thu, 16 Aug 2018 06:24:34 GMT
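As an added example (not Sansec's scanner or ABS-CBN's code), the following Python script applies the same idea as the curl check above to a whole set of store assets: it compares each served JS file against a known-good hash and reports, for anything that changed, how long ago the server's Last-Modified header says it was altered. The paths, file bodies, hashes and scan date are constructed sample data.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import hashlib

def parse_last_modified(value: str) -> datetime:
    """Parse an HTTP-date such as 'Thu, 16 Aug 2018 06:24:34 GMT' to UTC."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # a '-0000' date comes back naive; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def check_assets(baseline: dict, observed: dict, now: datetime) -> list:
    """Report assets whose body differs from the baseline or is absent from it.
    baseline: path -> expected sha256 of the file body
    observed: path -> {"body": bytes, "last_modified": HTTP-date header value}
    Each finding carries the server-reported modification time and its age in
    days, which bounds when the change could have been made.
    """
    findings = []
    for path, obs in observed.items():
        if baseline.get(path) == sha256_hex(obs["body"]):
            continue  # unchanged since the baseline was taken
        modified = parse_last_modified(obs["last_modified"])
        findings.append({
            "path": path,
            "status": "changed" if path in baseline else "unknown",
            "last_modified": modified.isoformat(),
            "age_days": (now - modified).days,
        })
    return findings

# Constructed sample data: the baseline is what the shop is known to ship; the
# observed ccard.js has extra content (a harmless stand-in, not the skimmer).
BASELINE = {
    "/js/lib/ccard.js": sha256_hex(b"// card form helper\n"),
    "/js/lib/checkout.js": sha256_hex(b"// checkout\n"),
}
OBSERVED = {
    "/js/lib/ccard.js": {"body": b"// card form helper\n/* appended */",
                         "last_modified": "Thu, 16 Aug 2018 06:24:34 GMT"},
    "/js/lib/checkout.js": {"body": b"// checkout\n",
                            "last_modified": "Mon, 02 Jul 2018 10:00:00 GMT"},
}
REFERENCE_DATE = datetime(2018, 9, 13, tzinfo=timezone.utc)  # date of the scan

def run_check() -> list:
    return check_assets(BASELINE, OBSERVED, REFERENCE_DATE)
```

Run against a real store by replacing the constructed sample with hashes taken from a clean deployment and the bodies and headers of a fresh fetch; any "changed" or "unknown" finding on a checkout-related script deserves a manual look.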
The malware sends its stolen data to a payment collection server called adaptivecss.org.

This server is on the same Russian network as coffemokko.com, a different malware campaign that we discovered earlier this week:
Just discovered the curiously named "Coffe&Tea" malware campaign. CC servers at https://t.co/pS6O7mXCbm, https://t.co/7i8JqZcNXf, https://t.co/yCiImbSyfY. They have open dirs so you can list the fake payment popups per victim. Do you recognize any of them? pic.twitter.com/TFIr4qrHjm
— Willem de Groot (@gwillem) September 13, 2018