In May, credit reporting service Equifax's website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fake Adobe Flash updates which, when clicked, infected visitors' computers with adware that was detected by only 3 of 65 antivirus providers.
Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened a page on the domain hxxp://centerbluray.info that looked like this:
He was understandably incredulous. The site that previously gave up personal information for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a small subset of visitors, and then only once.
Abrams tried anyway, and to his amazement, he encountered the fraudulent Flash download links on at least 3 successive visits. The image above this post is the higher-resolution screenshot he captured during one visit. He also provided the video below. It shows an Equifax page redirecting the browser to at least 4 domains before finally opening the Flash download at the same centerbluray.info page.
The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Payload Security shows the code is heavily obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes flagged the centerbluray.info site as one that pushes malware, while both Eset and Avira provided identical malware warnings for one of the intermediate domains, newcyclevaults.com.
It's not yet clear exactly how the Flash download page got displayed. The crowd-sourced analysis here and this independent analysis from researcher Kevin Beaumont, both published in the hours after this post went live, make a strong case that Equifax was working with a third-party ad network or analytics provider that is responsible for the redirects. In that case, the breach, technically speaking, isn't on the Equifax website and may be affecting other sites as well. But even if that's true, the net effect is that the Equifax site was arguably compromised in some way, since administrators couldn't control the pages visitors saw when trying to use key functions, some of which require visitors to enter Social Security numbers.
Several hours after this post went live, an Ars reader e-mailed to say he recently encountered a similar ad when placing a fraud alert on his Equifax file. The reader wrote:
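The point in the paragraph above is that a site operator who embeds a third-party ad or analytics tag no longer controls where visitors end up, so the practical defensive check is to periodically trace the redirect chain from your own pages and alert on any hop that leaves the domains you expect. The script below is an added example written for this article, not code from Ars, Abrams, or Equifax. It follows HTTP 3xx redirects from a constructed, in-memory table of responses (the URLs, the `ads.ad-network.example` host and the intermediate paths are placeholders; only the equifax.com, newcyclevaults.com and centerbluray.info hostnames come from the article), stops on loops or a hop limit, and reports every hostname outside an allowlist. Redirects performed by JavaScript or meta-refresh, which ad tags often use, are not visible at this layer and would need a headless browser instead.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: URL -> (HTTP status, Location header or None).
# Mimics a redirect chain that leaves the first-party site, passes through an
# ad network (placeholder host) and intermediate domains, and lands on the
# download page. Paths and the ad-network host are made up for this example.
SAMPLE_RESPONSES = {
    "https://www.equifax.com/personal/credit-report-services": (302, "https://ads.ad-network.example/click?id=1"),
    "https://ads.ad-network.example/click?id=1": (302, "//newcyclevaults.com/r"),   # scheme-relative Location
    "https://newcyclevaults.com/r": (301, "/go"),                                   # path-relative Location
    "https://newcyclevaults.com/go": (302, "http://centerbluray.info/flash-update"),
    "http://centerbluray.info/flash-update": (200, None),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fake_fetch(url):
    """Stand-in for a HEAD request that does NOT auto-follow redirects."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def trace_redirects(start_url, fetch, max_hops=10):
    """Follow HTTP redirects from start_url.

    Returns (chain, outcome) where chain is the ordered list of URLs visited and
    outcome is "final" (a non-redirect response), "loop" (a URL repeated) or
    "max_hops" (gave up after max_hops redirects).
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return chain, "final"
        # urljoin resolves relative and scheme-relative Location headers
        # against the URL that issued them, as a browser would.
        next_url = urljoin(url, location)
        chain.append(next_url)
        if next_url in seen:
            return chain, "loop"
        seen.add(next_url)
        url = next_url
    return chain, "max_hops"


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def unexpected_hosts(chain, allowed_suffixes):
    """Hostnames in the chain that are not the allowed domains or subdomains of them."""
    flagged = []
    for url in chain:
        host = host_of(url)
        allowed = any(host == s or host.endswith("." + s) for s in allowed_suffixes)
        if not allowed and host not in flagged:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    start = "https://www.equifax.com/personal/credit-report-services"
    chain, outcome = trace_redirects(start, fake_fetch)
    print(f"outcome: {outcome}")
    for i, u in enumerate(chain):
        print(f"  hop {i}: {u}")
    print("off-allowlist hosts:", unexpected_hosts(chain, ["equifax.com"]))
```

In production the `fetch` argument would wrap a real client configured not to follow redirects (for example a HEAD request with automatic redirection disabled), run on a schedule against the site's key pages, and the off-allowlist list would feed an alert. Keeping `fetch` injectable is what makes the tracer testable offline against the constructed table.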
When I clicked it (from Gmail on Android) I was redirected to a spam page shortly after seeing the Equifax credit file form. I thought maybe it was an anomaly since it didn't happen again. But after reading your article about how sometimes hacks will redirect randomly, I tried the link again just now and sure enough I got a spam page again (lucksupply.club saying I won an iPhone X). This is Chrome-in-a-tab from Gmail so I don't believe there are any extensions or other malware on my device that could have caused this redirect.
In the hours this post was being reported and written, Abrams was unable to reproduce the redirects leading to the malicious download, but he said they returned early Thursday morning. Shortly after that, a section of the site was taken down. In an e-mail sent mid-Thursday morning, an Equifax representative wrote:
We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.
Post updated several times on the morning of 10/12/2017 Pacific time to discuss ad networks and add details of the ad served to a reader. The word "hacked" was removed from the headline to reflect the possibility that the redirects are the result of a third-party malvertising campaign.