Equifax isn’t the only credit-reporting behemoth with a website redirecting visitors to feign Adobe Flash updates. A confidence researcher from AV provider Malwarebytes pronounced transunioncentroamerica.com, a TransUnion site apportionment people in Central America, is also promulgation visitors to the feign updates and other forms of antagonistic pages.
As Ars reported late Wednesday night, a apportionment of Equifax’s website was redirecting visitors to a page that was delivering feign Adobe Flash updates. When clicked, the files putrescent visitors’ computers with adware that was rescued by only 3 of 65 antivirus providers. On Thursday afternoon, Equifax officials pronounced the fumble was the outcome of a third-party service Equifax was using to collect website-performance information and that the “vendor’s code using on an Equifax website was apportionment antagonistic content.” Equifax primarily close down the influenced apportionment of its site, but the company has given easy it after stealing the antagonistic content.
Now, Malwarebytes confidence researcher Jérôme Segura says he was means to regularly imitate a identical method of feign redirects when he forked his browser to the transunioncentroamerica.com site. On some occasions, the final couple in the method would pull a feign Flash update. In other cases, it delivered an feat pack that tried to taint computers with unpatched browsers or browser plugins. The attack method remained active at the time this post was going live. Segura published this blog post shortly after this essay went live on Ars.
“This is not something users wish to have,” Segura told Ars.
Segura believes ostats.net is the couple in the method where things spin bad, but he has nonetheless to endorse that. The full method in one transunioncentroamerica.com route looked like this:
The following GIF picture captures the redirection method in action:
Ostats.net also played a role in the redirects that took place on the influenced Equifax Web page. A video taken by eccentric confidence researcher Randy Abrams showed it promulgation him to a series of antagonistic sites that eventually lead to the adware lure.
Attempts to strech people who own the domain weren’t immediately successful. Ars e-mailed a orator at TransUnion to forewarn him of Segura’s finding. Until TransUnion has time to respond, people should sojourn heedful of the company’s several Web properties, quite the one apportionment Central America.
Equifax on Thursday was discerning to contend that its systems were never compromised in the attacks. Don’t be astounded if TransUnion says much the same thing. This is an critical eminence in some respects since it means that the redirections weren’t the outcome of enemy having entrance to limited tools of possibly company’s networks. At the same time, the incidents show that visitors to both sites sojourn much some-more exposed to antagonistic calm than they should be. What’s more, putrescent visitors aren’t likely to take much comfort in that clarification, either.