eComscan secures over 7,000 online stores
  • 30-day money back guarantee
  • Easy 5 minute install
  • Cancel any time
Get started in 5 minutes!
Secure your store today.
CLICK HERE

ABS-CBN next in series of high profile breaches

  • September 18, 2018

    Web Skimming / Sansec Threat Research
    Learn about new eCommerce hacks?

    Receive an alert whenever we discover new hacks or vulnerabilities that may affect your online store.

  • What is
    Magecart?

    Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time?

    About Magecart
ABS-CBN headquarters

ABS-CBN headquarters

While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. I found their broadcasting giant ABS-CBN − a $740 million conglomerate & top-500 global Internet destination − to be hacked. Criminals are running a payment skimmer on ABS-CBNs online store since at least August 16th. Personal information and credit cards are intercepted while people shop for merchandise for one of the 90+ television shows. The stolen data is sent onwards to a server registered in Irkutsk, Russia. The credit cards and identities are then (presumably) sold on the black market.

ABS-CBN is the latest target in a series of high profile skimming operations. Previously, British Airways and Ticketmaster admitted massive credit card theft of their customers. The methodology found at these crime scenes is the same: browser-based interception during the checkout process. This method is quickly gaining popularity because it defeats the security of encrypted connections (https/SSL).

Filipinos are recommended to carefully check their credit card statements for unauthorized payments.

I have notified ABS-CBN of the breach, but have not received a response.

Technical details

I discovered the fraud campaign when I implemented new heuristics for my malware detection system this week. The (obfuscated) malware is located at store.abs-cbn.com/js/lib/ccard.js (archive.org). This specific file has not been modified since four weeks, suggesting the malware was injected on or before August 16th.

$ curl -v https://store.abs-cbn.com/js/lib/ccard.js
< Last-Modified: Thu, 16 Aug 2018 06:24:34 GMT

The malware sends its stolen data to a payment collection server called adaptivecss.org.

This server is on the same Russian network as coffemokko.com, a different malware campaign that I found earlier this week:

Hackers get smarter every day.
Outsmart them with eComscan.

eComscan is the automated backend security scanner that keeps your online store safe from attackers. Discover vulnerabilities and malicious activity instantly.
Sansec experts study dozens of hacks every day to keep you protected. Sansec is the only company specializing in Magento security and is a proud Adobe partner.

Scan now