Equifax website hit by malvertising – will the pain never end?


We suspect that you’ve heard the proverb, “It never rains but that it pours”.
It means that when bad stuff starts, you often get a whole lot of it hammering down on you – a literary way of suggesting that things are going to get worse before they get better.
People have been saying that proverb for 300 years or more, but it could have been written especially for Equifax, the way things are going.
First there was the breach, then the silly domain name, then the tweet that advertised a mis-spelling of the silly domain name, then the news that the breach was bigger than first thought, and then the news that the breach was bigger than first thought by more than was first thought.
How do you top that?
According to security blogger Randy Abrams, you top it by getting hit by malvertising.
That’s when a third-party company that you trusted to deliver content into your website (ads, perhaps, or some sort of tracking service)…
…screws up and delivers dodgy content that turns your site into a temporary but visible purveyor of tat.
Abrams published a short video showing him browsing to Equifax’s signup page to request a personal information check – as you might do after a breach.
(Abrams says he was signing up so he could check his data because he suspected there might be a mistake in it that he wanted to correct.)
He started here:
But then you see his browser quickly bouncing him through a sequence of third-party domains, ending up on a content delivery network called centerbluray, which promptly offered up a fake Flash Player Install that claimed it would update you to the latest version of Flash:
As Abrams drily quipped on his blog:
Seriously folks. Equifax has enough on their plate trying to update Apache. They are not going to help you update Flash.
What happened?
According to Reuters, Equifax explained the blunder as follows:
The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.
In a word, malvertising, which we defined above.
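The defensive check that follows from the vendor's explanation is an audit of which third-party scripts a page pulls in and whether each one is pinned with Subresource Integrity. This is an added example, not code from the article or from Sophos; the hostnames and the sample markup are constructed for illustration.

```python
# Added example (not from the article): list the third-party <script src> tags on a
# page and flag any that is off the site's vendor allowlist or lacks an SRI hash.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag that carries a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def audit_third_party_scripts(html, first_party_host, allowed_hosts=()):
    """Return (host, src, problems) for each third-party script that is unpinned
    or not on the allowlist. Same-origin and relative scripts are skipped.
    A script is 'pinned' when it has an integrity= attribute (SRI): the browser
    then refuses to run it if the file the vendor serves no longer matches."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs["src"]
        host = urlparse(src).hostname  # handles https://, // and relative forms
        if host is None or host == first_party_host:
            continue
        problems = []
        if host not in allowed_hosts:
            problems.append("host not on allowlist")
        if not attrs.get("integrity"):
            problems.append("no SRI integrity hash")
        if problems:
            findings.append((host, src, problems))
    return findings


# Constructed sample page with hypothetical hosts (not Equifax's real markup).
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.example-vendor.test/perf.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="//metrics.unknown-tracker.test/t.js"></script>
"""

if __name__ == "__main__":
    for host, src, problems in audit_third_party_scripts(
            SAMPLE_HTML, "www.example-site.test", ("cdn.example-vendor.test",)):
        print(f"{host}: {src} -> {', '.join(problems)}")
```

SRI only pins the file named in the tag, so a vendor whose script changes daily or loads further resources at run time cannot be fully covered this way; that gap is the trade-off to weigh before letting such code onto a page that handles personal data.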
The page that Abrams was on when the SNAFU happened now redirects to an Equifax holding page that tells the story rather differently (and uses an unencrypted, unauthenticated HTTP page to present its upbeat message about better service, too):
So, there you have it – Equifax is “working diligently to better serve you.”
As we said at the start, it never rains but that it pours.