ABS-CBN next in series of high profile breaches


ABS-CBN main building

While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. I found their broadcasting giant ABS-CBN − a $740 million conglomerate & top-500 global Internet destination − to be hacked. Criminals are running a payment skimmer on ABS-CBNs online store since at least August 16th. Personal information and credit cards are intercepted while people shop for merchandise for one of the 90+ television shows. The stolen data is sent onwards to a server registered in Irkutsk, Russia. The credit cards and identities are then (presumably) sold on the black market.

ABS-CBN is the latest target in a series of high profile skimming operations. Previously, British Airways and Ticketmaster admitted massive credit card theft of their customers. The methodology found at these crime scenes is the same: browser-based interception during the checkout process. This method is quickly gaining popularity because it defeats the security of encrypted connections (https/SSL).

Filipinos are recommended to carefully check their credit card statements for unauthorized payments.

I have notified ABS-CBN of the breach, but have not received a response.

Technical details

I discovered the fraud campaign when I implemented new heuristics for my malware detection system this week. The (obfuscated) malware is located at store.abs-cbn.com/js/lib/ccard.js (archive.org). This specific file has not been modified since four weeks, suggesting the malware was injected on or before August 16th.

$ curl -v https://store.abs-cbn.com/js/lib/ccard.js
< Last-Modified: Thu, 16 Aug 2018 06:24:34 GMT

The malware sends its stolen data to a payment collection server called adaptivecss.org.

This server is on the same Russian network as coffemokko.com, a different malware campaign that I found earlier this week:

Yours truly: security consultant & researcher, tracking payment skimmers since 2015. I am also the founder of the opensource malware scanner and Magereport. If you could use an extra pair of eyes in your team to resolve a complicated security issue, do get in touch.