Equifax redirection to fake Flash Player update

Equifax is not having its best moments these days, and the much-maligned organization was again at the center of another cyber-security-related incident.

On Wednesday, and probably the previous days, Equifax's credit report assistance website (aa.econsumer.equifax.com) was caught redirecting users to all sort of nasty websites that were peddling fake Flash Player update files laced with adware, fake Android and iOS updates, and scam sites offering products at cheap prices.

Articles detailing the infection chain are available on the blog of security researcher Randy Abrams, who discovered the issue, and on ArsTechnica and SecurityWeek.

First reports blamed the incident on hackers taking over Equifax's website and adding redirects to the malware sites. Equifax vehemently denied that another hack happened, and the company later took down the site, just as a precaution.

Rogue analytics script at the heart of recent Equifax debacle

In a blog post published last night, security researchers from Malwarebytes managed to reproduce the full infection chain redirects and tracked down the problem to a file named fireclick.js.

The file in question belonged to the web analytics service Fireclick, previously owned by Digital River.

"In July 2016, Digital River fully decommissioned the Fireclick platform, which rendered the application inoperable," a Digital River spokesperson told Bleeping. "As part of our decommissioning Fireclick, we no longer had a business use for the netflame.cc domain and released it back to the domain name marketplace in October 2016, which is a common practice in the industry. At that point, the domain name was available for anyone to purchase. As such, Digital River's connection to Fireclick and this domain name ended before this Equifax event."

It appears that someone bought the domain and used it to deliver their own fireclick.js file. According to Malwarebytes researcher Jérôme Segura, the file was configured to load another JavaScript file hosted on the Akamai CDN, which in turn loaded further files, until one of them triggered the redirection chain that hijacked Equifax's traffic and sent users to the malicious sites.
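The root cause described above is a classic third-party script supply-chain failure: a site kept loading a script from a domain its vendor had abandoned, and whoever re-registered the domain could serve any code they liked. Two defensive controls catch this: an allowlist of hosts a page is permitted to load scripts from, and Subresource Integrity (SRI) hashes, which make the browser refuse a script whose content no longer matches the pinned hash. The audit script below is an added example, not code from the article, Malwarebytes or Equifax. It parses a constructed HTML page, lists every external `<script src>`, and flags loads from hosts outside a hypothetical allowlist, loads without an `integrity` attribute, and loads over plain HTTP. The `example-bank.test` hosts and the `sha384-` value are placeholders; the `netflame.cc/fireclick.js` URL combines the domain and filename named in the article, and the exact path is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this site is allowed to load scripts from
# (assumption for this example, not taken from the article).
APPROVED_HOSTS = {"www.example-bank.test", "cdn.example-bank.test"}


class ScriptTagCollector(HTMLParser):
    """Collect every <script> tag that has a src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr_map = dict(attrs)  # boolean attributes map to None
        if attr_map.get("src"):
            self.scripts.append(
                {"src": attr_map["src"], "integrity": attr_map.get("integrity")}
            )


def audit_scripts(html, approved_hosts=APPROVED_HOSTS):
    """Return a list of findings for external scripts that violate policy.

    Each finding is {"src": ..., "host": ..., "issues": [...]}.
    Same-origin (relative) scripts and inline scripts are not reported.
    """
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        src = script["src"]
        # Protocol-relative URLs ("//host/path") need a scheme to parse the host.
        url = urlparse("https:" + src if src.startswith("//") else src)
        host = url.hostname
        if host is None:
            continue  # relative path on our own origin, not a third-party load
        issues = []
        if host not in approved_hosts:
            issues.append("third-party host not on allowlist")
        if not script["integrity"]:
            issues.append("no Subresource Integrity hash")
        if url.scheme == "http":
            issues.append("loaded over plain HTTP")
        if issues:
            findings.append({"src": src, "host": host, "issues": issues})
    return findings


# Constructed sample page: one same-origin script, one approved CDN script
# pinned with SRI (placeholder hash), one script from the re-registered
# analytics domain named in the article, and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-bank.test/lib.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://www.netflame.cc/fireclick.js"></script>
<script type="text/javascript">console.log("inline");</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML):
        print(finding["src"], "->", "; ".join(finding["issues"]))
```

Run against the constructed page, only the `fireclick.js` load is reported, with two issues: its host is not on the allowlist and it carries no SRI hash. A pinned hash would have stopped the swapped-in script from executing at all, since the replacement file would not match. The one caveat is that SRI only works for scripts whose content is stable; a vendor that legitimately updates its analytics script in place has to publish new hashes, so an allowlist plus a periodic check that every listed host is still owned by the expected vendor remains the backstop for abandoned domains.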

Equifax rival suffered the same fate

In their search for the root of the problem, Malwarebytes says it also found the same file and an active traffic redirection campaign on one of Equifax's rivals: TransUnion's Central American site.

Malwarebytes said it observed redirections from TransUnion's site to similar fake Flash updates, online survey sites, and even the RIG exploit kit, known to use browser exploits to silently install malware on users' computers.

TransUnion has since removed the malicious JS file from its site. The GIF below shows the redirection in action.

TransUnion redirection

Before this latest cyber incident, Equifax suffered a breach of massive proportions when a hacker gained access to its servers thanks to an unpatched Apache Struts installation and stole over 145.5 million user records and other documents.

If that wasn't bad enough (and it was, with Equifax's CEO being called before a Senate hearing), infosec journalist Brian Krebs also reported that Equifax's "The Work Number" service was leaking salary history information for thousands of users. That website was also taken down.

Article updated with statement from Digital River spokesperson.

Image credits: Randy Abrams, Malwarebytes