
Broadcaster ABS-CBN customer data stolen, sent to Russian servers

Updated: The data theft is the work of Magecart, a group connected to attacks against British Airways and Ticketmaster.

Customers of ABS-CBN may have had their financial data stolen by a payment skimmer discovered in the major Filipino broadcaster's online store.

According to Dutch security researcher Willem "gwillem" de Groot, the payment skimmer has been active since August this year.

ABS-CBN is a media conglomerate based in Quezon City, Philippines. The entertainment company operates the largest TV and cable provider in the country, alongside a variety of television channels and music production outfits.

The payment skimmer is intercepting financial data and sending the stolen information to a server registered in Irkutsk, Russia.

The security expert said on Tuesday that the ABS-CBN security breach, reminiscent of the recent British Airways and Ticketmaster security incidents, has been made possible through malware which intercepts the checkout process.


In the broadcaster's case, the online store -- which Google Chrome warns is not secure at the time of writing -- contains obfuscated malware hidden within a JavaScript file.

The skimmer's code has not been modified for a period of four weeks, which suggests that the malware has been in operation since August 16th.

According to the researcher, the malicious code scrapes the financial information of payment cards used by customers attempting to buy merchandise from the store.

De Groot confirmed to ZDNet that the skimmer is still active.

[Image: The ABS-CBN store front.]

This information is then transferred to a payment collection server called adaptivecss.org. This domain is hosted on the same Russian network as coffeemokko.com, which has been connected to another malware campaign that de Groot uncovered earlier this week.


The latter malware scheme, dubbed "Coffe&Tea," is another criminal enterprise which appears to focus on financial data theft through the use of malicious .js files and fake payment popups.

Coffe&Tea's command and control (C2) servers are listed at coffetea.org, coffemokko.com, and energycoffe.org.

It is not known how many customers may have been involved in the ABS-CBN security breach. The security researcher has attempted to report his findings to the broadcaster but at the time of writing has received no response.


Given the similarities between the ABS-CBN compromise and the British Airways and Ticketmaster incidents, Magecart may be involved, although attribution at this stage is difficult.

Magecart, a threat group which has been active since 2015, specializes in compromising online stores and obfuscating malicious code in JavaScript in order to steal payment card information entered into store checkout pages, as previously reported by ZDNet.

The cybercriminals have been linked not only to the recent British Airways data breach, but also the Ticketmaster security incident and shopping cart infiltration on thousands of Magento websites.

Update 17.30 BST: Speaking to ZDNet, senior threat intelligence analyst Yonathan Klijnsma from cybersecurity firm RiskIQ said that the attack is the work of Magecart.

RiskIQ has been tracking the group for some time; it appears to have been conducting a number of e-commerce attacks based on the use of malicious ccard.js scripts, and such attacks have been detected since July.

19.9.2018: The broadcaster said in a statement that the breach is being investigated. In total, ABS-CBN believes that 213 customers "may have been affected."

The ABS-CBN Store and UAAP Store websites have been temporarily closed while the investigation is underway.

"This data breach incident is isolated only to the ABS-CBN Store and the UAAP Store websites and does not affect other ABS-CBN digital properties," the company said. "We assure our customers that their privacy and the security of their personal data are important to us and we will take measures to prevent this incident from happening again."
