Equifax is not having its best moments these days, and the much-maligned company was once again at the center of a cyber-security incident.
On Wednesday, and probably for several days before that, Equifax's credit report assistance website (aa.econsumer.equifax.com) was caught redirecting users to all sorts of nasty websites that were peddling fake Flash Player update files laced with adware, fake Android and iOS updates, and scam sites offering products at cheap prices.
First reports blamed the incident on hackers taking over Equifax's website and adding redirects to the malware sites. Equifax vehemently denied that another hack had happened, and the company later took down the site as a precaution.
The Equifax page mentioned in Ars article as spreading adware/spyware now "down for maintenance" also. pretty soon won't be much site left— briankrebs (@briankrebs) October 12, 2017
In a blog post published last night, security researchers from Malwarebytes reproduced the full redirect chain and traced the problem to a file named fireclick.js.
The file in question belonged to the web analytics service Fireclick, previously owned by Digital River.
"In July 2016, Digital River fully decommissioned the Fireclick platform, which rendered the application inoperable," a Digital River spokesperson told Bleeping. "As part of our decommissioning Fireclick, we no longer had a business use for the netflame.cc domain and released it back to the domain name marketplace in October 2016, which is a common practice in the industry. At that point, the domain name was available for anyone to purchase. As such, Digital River’s connection to Fireclick and this domain name ended before this Equifax event.”
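The failure described above is a dangling third-party dependency: a first-party page keeps loading a script from a vendor host long after the vendor has walked away from the domain, so whoever re-registers it controls code running on the page. The following is an added example (not code from Equifax, Malwarebytes or Digital River) of the inventory check a practitioner would run: it lists every external `<script src>` host a page loads and flags the ones that are not on an allowlist of vendors whose domain ownership has been verified. The HTML sample and the allowlist contents are constructed for illustration; `www.google-analytics.com` and `cdn.example-vendor.com` are placeholders and nothing here reproduces the real Equifax page markup.

```python
"""Inventory the third-party <script src> hosts a page loads.

Added example, not code from Equifax, Malwarebytes or Digital River. The HTML
below is constructed for illustration; the real Equifax page markup is not
reproduced in the article this accompanies.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a first-party page that still loads an analytics tag
# from a vendor domain that was later released onto the open market.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//netflame.cc/fireclick.js"></script>
<script src="https://cdn.example-vendor.com/lib.js"
        integrity="sha384-abc" crossorigin="anonymous"></script>
</head><body></body></html>
"""

# Hypothetical allowlist: vendor hosts whose domain ownership has been
# verified (WHOIS, current contract). netflame.cc is deliberately absent.
VERIFIED_VENDOR_HOSTS = {"www.google-analytics.com"}


@dataclass(frozen=True)
class ScriptRef:
    src: str
    host: str          # empty string for same-origin (relative) scripts
    has_integrity: bool


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag that has a src attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script, not a remote dependency
        # urlsplit handles absolute, protocol-relative ("//host/...") and
        # relative ("/path") forms; netloc is empty for relative sources.
        host = urlsplit(src).netloc.lower()
        self.refs.append(ScriptRef(src, host, "integrity" in attrs))


def collect_scripts(html: str) -> list:
    """Return all ScriptRef entries found in the HTML, in document order."""
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.refs


def unverified_third_party_hosts(html: str, first_party_host: str,
                                 verified_hosts: set) -> list:
    """Return (host, src, has_integrity) for external scripts whose host is
    neither first-party nor on the verified-vendor allowlist.

    A hit loaded without a Subresource Integrity attribute is exactly the
    kind of dependency that keeps working after the vendor lets the domain
    lapse, because whatever the new registrant serves will be executed.
    """
    findings = []
    for ref in collect_scripts(html):
        if not ref.host or ref.host == first_party_host.lower():
            continue  # same-origin script, owned by the site itself
        if ref.host in verified_hosts:
            continue  # ownership of this vendor host has been checked
        findings.append((ref.host, ref.src, ref.has_integrity))
    return findings


if __name__ == "__main__":
    for host, src, sri in unverified_third_party_hosts(
            SAMPLE_HTML, "aa.econsumer.equifax.com", VERIFIED_VENDOR_HOSTS):
        print(f"{host:26} sri={'yes' if sri else 'no':3} {src}")
```

Run against the constructed sample, the check reports `netflame.cc` (no SRI) and `cdn.example-vendor.com`; the relative `/static/app.js` and the allowlisted analytics host are skipped. The output is a worklist, not a verdict: each flagged host still needs a WHOIS lookup and a check that the current registrant is the vendor you contracted with.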
In their search for the root of the problem, Malwarebytes says it found the same file, and an active traffic redirection campaign, on the Central American site of one of Equifax's rivals, TransUnion.
Malwarebytes said it observed redirections from TransUnion's site to similar fake Flash updates, online survey sites, and even the RIG exploit kit, which is known to use browser exploits to silently install malware on users' computers.
TransUnion has since removed the malicious JS file from its site. The GIF below shows the redirection in action.
Before this latest incident, Equifax suffered a breach of massive proportions when a hacker gained access to its servers through an unpatched Apache Struts installation and stole over 145.5 million user records and other documents.
If that wasn't bad enough (and it was: Equifax's CEO was called before a Senate hearing), infosec journalist Brian Krebs also reported that Equifax's "The Work Number" service was leaking salary histories for thousands of users. That website was also taken down.
Article updated with statement from Digital River spokesperson.
Image credits: Randy Abrams, Malwarebytes