In May credit stating service Equifax’s website was breached by enemy who eventually done off with Social Security numbers, names, and a dizzying volume of other sum for some 145.5 million US consumers. For several hours on Wednesday the site was compromised again, this time to broach fake Adobe Flash updates, which when clicked, putrescent visitors’ computers with adware that was rescued by only 3 of 65 antivirus providers.
Randy Abrams, an eccentric confidence researcher by day, happened to revisit the site Wednesday dusk to competition what he pronounced was fake information he had just found on his credit report. Eventually, his browser non-stop up a page on the domain hxxp:centerbluray.info that looked like this:
He was understandably incredulous. The site that formerly gave up personal information for probably every US person with a credit story was once again under the control of attackers, this time trying to pretence Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, enemy frequently offer the downloads to only a name series of visitors, and then only once.
Abrams tried anyway, and to his amazement, he encountered the fraudulent Flash download links on at slightest 3 successive visits. The picture above this post is the higher-resolution screenshot he prisoner during one visit. He also supposing the video below. It shows an Equifax page redirecting the browser to at slightest 4 domains before finally opening the Flash download at the same centerbluray.info page.
The file that got delivered when Abrams clicked by is called MediaDownloaderIron.exe. This VirusTotal entrance shows only Panda, Symantec, and Webroot detecting the file as adware. This apart malware research from Packet Security shows the code is rarely obfuscated and takes heedfulness to disguise itself from retreat engineering. Malwarebytes flagged the centerbluray.info site as one that pushes malware, while both Eset and Avira supposing identical malware warnings for one of the middle domains, newcyclevaults.com.
In the hour this post was being reported and written, Abrams was incompetent to imitate the redirects heading to the antagonistic download. It’s probable Equifax has spotless up its site. It’s also probable the enemy have close down for the night and have the ability to return at will to revisit still worse misfortunes on visitors. Equifax member didn’t respond to an e-mail that enclosed a couple to the video and sought criticism for this post.