MANILA, Philippines (UPDATED) – The ABS-CBN online store (store.abs-cbn.com) has been hacked according to the report of Dutch security researcher Willem "gwillem" De Groot.
At 9:30 am, Wednesday, September 19, ABS-CBN took down store.abs-cbn.com and the UAAP store (uaapstore.com), following the report.
De Groot, in a post on his website dated Tuesday, September 18, said that a payment skimmer is running on the website, which steals personal and financial information including credit card details. The stolen data is then forwarded to a server in Russia, specifically in the city of Irkutsk located in eastern Siberia. De Groot says that "the credit cards and identities are then (presumably) sold on the black market."
"Personal information and credit cards are intercepted while people shop for [merchandise] for one of the 90+ television shows," De Groot says.
The researcher says that the malware intercepts the data during the checkout process, and doesn't state that the malware has an ability to scrape data from older transactions prior to being injected or from the site archive.
One crucial detail that may have contributed to the success of the reported intrusion is that store.abs-cbn.com had been running on Hyper Text Transfer Protocol (http) and not the more secure Hyper Text Transer Secure https protocol. Communications between a user browser and a website running on plain https are encyrpted; http communications are not. (READ: The difference between HTTP and HTTPS websites)
However, De Groot notes that the methodology used in the incident, which is similar to the recent Ticketmaster and British Airways breaches, can beat encrypted connections: "The methodology found at these crime scenes is the same: browser-based interception during the checkout process. This method is quickly gaining popularity because it defeats the security of encrypted connections (https/SSL)."
"Filipinos are recommended to carefully check their credit card statements for unauthorized payments," advises the researcher.
213 customers affected
ABS-CBN has issued a press statement on their news website, indicating how many were possibly affected:
"As of this time, there are 213 customers who may have been affected. However, the investigation is still ongoing.
This data breach incident is isolated only to the ABS-CBN Store and the UAAP Store websites and does not affect other ABS-CBN digital properties. We have informed the National Privacy Commission and will be working closely with them.
We have started reaching out to all our affected customers. We also advise our customers not to give out additional personal and financial information to anyone who may be claiming to be an ABS-CBN representative."
The National Privacy Commission (NPC) also says that they received the breach notification from ABS-CBN's Data Protection Officer Jay Gomez at 12:37 pm, around the same time when the company publicly disclosed the incident on Twitter.
The commission expects "ABS-CBN to send [the NPC] a full report on the incident within five days," says NPC commissioner Raymund Liboro in an emailed statement. – Rappler.com
Editor's note: An earlier version of the article suggested that only transactions after August 16, the date of the last modification of the malware, may have been affected. Transactions before August 16 may have been affected too as the researcher said that the malware may have been injected before the said date. We regret the errors and made the necessary corrections.