Equifax, TransUnion Websites Served Up Adware, Malware

Equifax.com redirected to adware disguised as Adobe’s Flash Player.
Security researchers have discovered websites run by credit bureaus Equifax and TransUnion were both affected by dodgy code that redirected users to adware and malware.
As a result, Equifax has disabled part of its website. The affected TransUnion website, which is designed for customers in Central America, has been fixed and is no longer redirecting visitors to questionable destinations.
For Equifax, it’s the latest in a string of worrying findings about its online operations. In early September, the company disclosed a devastating data breach affecting 145.5 million consumers in the U.S., plus others in the U.K. and Canada (see Equifax Ex-CEO Blames One Employee For Patch Failures).
Fake Flash
Randy Abrams, a security writer and researcher, discovered the Equifax issue. He posted a video on Wednesday that shows him cycling through menu selections on Equifax.com. When he clicked a button to obtain either a free or discounted credit report, Equifax began asking for personal information, including name, address and Social Security number. But that page quickly redirected through at least two domains before finally showing the infamous “Flash Player Install.”
Rather than a Flash Player, what was actually delivered is Adware.Eorezo, according to Ars Technica, which first covered the story. Adware.Eorezo, which dates from 2012, pushes unwanted ads to Microsoft’s Internet Explorer browser, according to Symantec.
In a statement, Equifax says that despite early media reports, its systems were not compromised and that its consumer online dispute portal wasn’t affected.
“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” Equifax says. “Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”
Where There’s Smoke, There’s ‘Fireclick’
That third-party code is a JavaScript library called Fireclick. Fireclick was a small web analytics company acquired by Digital River in 2004. The script in question appears to be several years old, says Jerome Segura, lead intelligence analyst with the security vendor Malwarebytes.
After the Equifax discovery, Segura searched for other websites using the same script. He came across a surprising one: TransUnion, another one of the big three credit bureaus. The script was used on transunioncentroamerica.com.
Segura is an expert on malvertising, or the seeding of malicious advertisements within online ad networks. Such ads often redirect those browsing the web to malicious websites or can directly try to deliver malware to a computer using an exploit kit. Exploit kits scan computers for software vulnerabilities and, upon finding one, automatically deliver malware.
Segura browsed to the affected TransUnion site several times, first getting redirected to a survey scam, then to a bogus Flash Player update and finally to the RIG exploit kit. While display advertisements weren’t a part of the TransUnion situation – the key component for malvertising – Segura says known malicious ad networks and exchanges were involved in the redirections.
It appears that attackers have compromised the third-party library. Corrupting such libraries is a powerful way to affect many sites. The service Segura used that led to TransUnion’s problematic website probably showed more than 1,000 others using the same library.
Hard to Detect
The finding looks particularly bad for Equifax, which has received much criticism following its breach about the security of its online services.

But Segura says it can be difficult to detect malvertising and corrupted libraries such as Fireclick because the infrastructure behind them is complex. Third-party code libraries, in general, should always be treated with caution, he stresses.
“Doing an inventory of your assets and dependencies definitely helps,” Segura says. “The reality is that most websites rely on CDNs [content distribution networks] and loading external JS [JavaScript], but that can also be a weakness and expose your visitors to malicious traffic if any of those get compromised.”
To illustrate the complexity, Segura posted a screenshot in his blog post that shows the numerous redirects that occurred after browsing to the affected TransUnion domain.
Researchers were able to figure out what was going on with TransUnion and Equifax pretty quickly, which suggests that whoever is behind it wasn’t that concerned about being caught. More sophisticated types of malvertising and other scams of this ilk can be tougher to catch.
Exploit kits are often set to refrain from attacking computers outside narrow parameters. For example, if a virtual machine is detected, an exploit kit will withhold its firepower for fear a security researcher might be watching. To keep a lower profile, malicious ads may only be delivered to computers running on specific versions of operating systems in certain IP ranges at only certain times of the day.