Equifax Website Redirects Users to Adware, Scams

A security researcher noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to websites set up to serve adware and scams.
Independent security analyst Randy Abrams was trying to obtain his credit report on Equifax’s website when he was redirected to a page offering a fake Flash Player installer. The browsing session passed through multiple domains before the final page was reached.
It’s not uncommon for cybercriminals to deliver malware using fake Flash Player installers, but in this case the website pushed adware.
The Equifax webpage, hosted at aa.econsumer.equifax.com, did not redirect the connection when accessed by SecurityWeek on Thursday morning. Abrams believes Equifax removed the malicious code from its website sometime on Wednesday.
An analysis of the domains involved in the redirection chain shows that adware is not the only possible outcome: the final destination depends on the type of device and the geographical location of the user.
SecurityWeek has seen redirects to fake Android and iOS updates, premium SMS services, and other scammy sites. Various online security services detect the domains involved in the attack as malicious, and while there is no evidence of actual malware being served, the possibility cannot be ruled out.
After visiting the compromised site several times from the same device, the user is taken to a website belonging to a legitimate business that is likely trying to promote its site via ad networks or SEO (search engine optimization) services.
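The behaviour described above (a chain of hops whose endpoint depends on the visiting device) is why a single desktop fetch is not enough when triaging a redirect report. The script below is an added example, not SecurityWeek’s, Abrams’ or Equifax’s code: it walks a redirect chain one HTTP hop at a time, once per client profile, and compares the final destinations. The response table and all hostnames in it (`victim.example`, `track-a.example`, `hop-b.example`, and so on) are constructed stand-ins, not the domains from the actual incident; `live_fetch` is the same walk against a real server.

```python
"""Walk an HTTP redirect chain hop by hop, once per device profile.

Added example, not SecurityWeek's, Abrams' or Equifax's code. The response
table below is CONSTRUCTED to mimic the behaviour the article describes
(the final destination varies with the visitor's User-Agent); all
hostnames in it are hypothetical stand-ins, not the real chain.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin

DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/56.0"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 8.0; Pixel) Chrome/61.0 Mobile"
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) Safari/604.1"
PROFILES = {"desktop": DESKTOP_UA, "android": ANDROID_UA, "iphone": IPHONE_UA}

# Constructed sample: url -> [(ua_substring, status, Location)]. The first rule
# whose ua_substring occurs in the User-Agent wins; "" matches any client.
FAKE_RESPONSES = {
    "https://victim.example/credit-report": [
        ("", 302, "https://track-a.example/collect?id=1")],
    "https://track-a.example/collect?id=1": [
        ("", 302, "//hop-b.example/go")],  # scheme-relative Location header
    "https://hop-b.example/go": [
        ("Android", 302, "https://fake-update.example/android.apk"),
        ("iPhone", 302, "https://fake-update.example/ios"),
        ("", 302, "https://flash-installer.example/")],
    "https://fake-update.example/android.apk": [("", 200, None)],
    "https://fake-update.example/ios": [("", 200, None)],
    "https://flash-installer.example/": [("", 200, None)],
}


@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str]


def fake_fetch(url, user_agent):
    """Offline stand-in for live_fetch, driven by the constructed FAKE_RESPONSES."""
    for ua_substring, status, location in FAKE_RESPONSES.get(url, []):
        if ua_substring in user_agent:
            return status, ({"Location": location} if location else {})
    return 404, {}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow, so every 3xx is surfaced to the caller


def live_fetch(url, user_agent, timeout=10):
    """Real fetch that does NOT follow redirects; each hop is observed separately."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # with redirects disabled, 3xx lands here
        return err.code, dict(err.headers)


def follow_chain(start_url, user_agent, fetch, max_hops=10):
    """Return (hops, final_url, stop_reason) for one client profile.

    stop_reason is "terminal" (non-3xx answer), "loop" (URL seen before) or
    "max_hops" (redirect storm); the last two are themselves suspicious.
    """
    hops, seen, url = [], set(), start_url
    while True:
        if url in seen:
            return hops, url, "loop"
        if len(hops) >= max_hops:
            return hops, url, "max_hops"
        seen.add(url)
        status, headers = fetch(url, user_agent)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        hops.append(Hop(url, status, location))
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # resolves relative and scheme-relative targets
        else:
            return hops, url, "terminal"


def compare_profiles(start_url, profiles, fetch):
    """Final destination per profile; differing answers are the tell-tale sign of
    device-targeted redirection that a single desktop fetch would miss."""
    return {name: follow_chain(start_url, ua, fetch)[1] for name, ua in profiles.items()}


if __name__ == "__main__":
    start = "https://victim.example/credit-report"
    for name, ua in PROFILES.items():
        hops, final, reason = follow_chain(start, ua, fake_fetch)
        print(f"[{name}] {reason} after {len(hops)} hops -> {final}")
        for hop in hops:
            print(f"    {hop.status} {hop.url}")
```

Two caveats when pointing `live_fetch` at a real incident. First, the walker only sees HTTP-level redirects; the hop that starts a chain like this one is usually a JavaScript navigation performed by the injected script, so capture that first target URL from the browser’s developer tools or an intercepting proxy and start the walk there. Second, chains of this kind are often frequency-capped per visitor (the article notes that repeat visits from the same device end at a legitimate business), so run each profile from a fresh session, and ideally from a different source address, or the comparison will be skewed.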
Contacted by SecurityWeek, an Equifax spokesperson stated, “We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.”
Equifax recently informed customers that hackers breached its systems after exploiting an Apache Struts 2 vulnerability that had been patched and exploited in the wild since March. The attackers gained access to the personal information of more than 140 million individuals, including hundreds of thousands of Canadian and British citizens.
“I’m really not trying to kick Equifax while they are down. There are already 150 million other people doing that. I just sort of tripped over them,” Abrams said in a blog post.
“I know that nobody is surprised at my find, but watching Equifax is getting to be like watching a video of United Airlines ‘deplaning’ a passenger… It hurts,” he added.
Many of Equifax’s cybersecurity failings came to light following the breach, including the company directing customers to the wrong website and vulnerabilities in its own websites.
UPDATE. After an investigation, Equifax determined that the problem was caused by a third-party vendor’s code. The company has provided the following statement to SecurityWeek: 
“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal.
The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”
UPDATE 2. The same script also caused problems for another Big Three credit reporting agency, TransUnion.
Headline updated to remove the word “hacked”
Related: Scammers Offer to Sell Data Stolen in Equifax Hack
Related: New York Pushes to Regulate Credit Agencies After Equifax Breach