Equifax isn't the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, is also sending visitors to the fraudulent updates and other types of malicious pages.
As Ars reported late Wednesday evening, a portion of Equifax’s site was redirecting visitors to a page that was delivering fraudulent Adobe Flash updates. When clicked, the files infected visitors’ computers with spyware that was detected by only three of 65 antivirus providers. On Thursday afternoon, Equifax officials said the mishap was the result of a third-party service Equifax was using to collect website-performance data and that the “supplier’s code running on an Equifax web page was serving malicious content.” Equifax initially shut down the affected portion of its site, but the company has since restored it after removing the malicious content.
Now, Malwarebytes security researcher Jérôme Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins. The attack chain remained active at the time this post was going live. Segura published this blog post shortly after this article went live on Ars.
“This is no longer something clients are looking to have,” Segura told Ars.
Three hours after this post went live, a TransUnion spokesman sent an e-mail that said: “TransUnion is aware that our Central America web page was briefly redirecting users to download malicious software. The situation has been fixed and we are scanning our other sites. TransUnion has not identified any unauthorized access to its systems because of this issue.”
The common thread tying the affected Equifax and TransUnion pages is that both hosted fireclick.js, a JavaScript file that appears to invoke the service serving the malicious content. When called, fireclick.js pulls content from a long chain of pages, beginning with those hosted by akamai.com, sitestats.com, and ostats.net. Depending on the visitors’ IP address, browsers ultimately wind up visiting pages that deliver a fake survey, a fake Flash update, or an exploit kit.
Segura believes ostats.net is the link in the chain where things turn bad, but he has yet to confirm that. The full chain in one transunioncentroamerica.com redirect looked like this:
The following GIF image captures the redirection sequence in action:
Ostats.net also played a role in the redirects that took place on the affected Equifax page. A video taken by independent security analyst Randy Abrams showed it sending him to a series of malicious sites that eventually led to the spyware and adware trap.
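For a site operator reviewing a recorded redirect chain like the ones described above, the useful question is where the browser first leaves the hosts the operator actually approved. The following is an added example, not code from Ars, Malwarebytes, or either company; the allowlist, subdomains, URL paths, and the two `.example` hosts are constructed assumptions, and only the hostnames transunioncentroamerica.com, akamai.com, sitestats.com, and ostats.net come from the article.

```javascript
// Added example: find where a recorded redirect chain leaves the approved host list.
// ASSUMPTION: APPROVED is a hypothetical operator allowlist, not taken from the article.
const APPROVED = ["transunioncentroamerica.com", "akamai.com", "sitestats.com"];

// CONSTRUCTED sample chain. Only the registrable hostnames of the first five
// hops appear in the article; subdomains, paths and the ".example" hosts are invented.
const SAMPLE_CHAIN = [
  "https://www.transunioncentroamerica.com/",
  "https://www.transunioncentroamerica.com/fireclick.js",
  "https://a.akamai.com/collect",
  "https://t.sitestats.com/r",
  "http://ostats.net/track",
  "http://survey.example/landing",
  "http://update.example/flash-update",
];

// Match on a DNS label boundary so "evil-akamai.com" and
// "akamai.com.evil.example" do not pass as "akamai.com".
function isApproved(host, approved) {
  return approved.some((s) => host === s || host.endsWith("." + s));
}

// Return per-hop findings plus the first unapproved hop and the host that
// handed the browser to it (the vendor relationship to review first).
function auditChain(chain, approved) {
  const parsed = chain.map((u) => new URL(u));
  const hops = parsed.map((u, i) => ({
    index: i,
    host: u.hostname.toLowerCase(),
    approved: isApproved(u.hostname.toLowerCase(), approved),
    // HTTPS -> HTTP step: content on later hops can be altered in transit
    downgraded: i > 0 && parsed[i - 1].protocol === "https:" && u.protocol === "http:",
  }));
  const firstUnapproved = hops.find((h) => !h.approved) || null;
  const handoffHost =
    firstUnapproved && firstUnapproved.index > 0
      ? hops[firstUnapproved.index - 1].host
      : null;
  return { hops, firstUnapproved, handoffHost };
}

const report = auditChain(SAMPLE_CHAIN, APPROVED);
for (const h of report.hops) {
  console.log(h.index, h.host, h.approved ? "approved" : "NOT APPROVED", h.downgraded ? "(downgrade)" : "");
}
```

A chain exported from a browser's network log can be passed to `auditChain` in place of `SAMPLE_CHAIN`.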
Attempts to reach the people who own the domain weren’t immediately successful. Ars e-mailed a spokesman at TransUnion to notify him of Segura’s finding. Until TransUnion has time to respond, people should remain wary of the company’s various web properties, especially the one serving Central America.
Equifax on Thursday was quick to say that its systems were never compromised in the attacks. TransUnion said much the same thing. That’s an important distinction in some respects because it means that the redirections weren’t the result of attackers having access to restricted parts of either company’s networks. At the same time, the incidents show that visitors to both sites remain much more vulnerable to malicious content than they should be. What’s more, infected visitors are unlikely to take much comfort in that explanation, either.
Updated to add comment from TransUnion.