Randy Abrams
In May credit reporting service Equifax’s website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday the site was compromised again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors’ computers with adware that was detected by only three of 65 antivirus providers.
Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info that looked like this:
Randy Abrams
He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.
Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit. He also provided the video below. It shows an Equifax page redirecting the browser to at least four domains before finally opening the Flash download at the same centerbluray.info page.
VIDEO
Equifax Flash Download
The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Security shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes flagged the centerbluray.info site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains, newcyclevaults.com.
Randy Abrams
Malvertising?
It’s not yet clear precisely how the Flash download page got displayed. It’s possible Equifax was running ads through a third-party network and those are responsible for the redirects. But even if that’s true, the net result is that the site is arguably compromised in some way, since administrators can’t control the pages visitors see when they’re trying to use key functions, some which require visitors to enter Social Security numbers.
Several hours after this post went live, an Ars reader e-mailed to say he recently encountered a sketchy ad when putting a temporary fraud alert on his Equifax file. The reader wrote:
When I clicked it (from Gmail on Android) I was redirected to a spam page shortly after seeing the Equifax credit file form. I thought maybe it was an anomaly because it didn’t happen again. But after reading your article about how sometimes hacks will redirect randomly I tried the link again just now and sure enough I got a spam page again (lucksupply.club saying I won an iPhone X). This is Chrome-in-a-tab from Gmail so i don’t believe there’s any extensions or other malware on my device that could have caused this redirect.
In the hour this post was being reported and written, Abrams was unable to reproduce the redirects leading to the malicious download. It’s possible Equifax has cleaned up its site. It’s also possible the attackers have shut down for the night and have the ability to return at will to visit still worse misfortunes on visitors. Equifax representatives didn’t respond to an e-mail that included a link to the video and sought comment for this post.
Post updated at 6:18 am and 7:10 am 10/12/2017 Pacific time to discuss ad networks and add details of ad served on reader.
from Ars Technica http://ift.tt/2z0YzqR
via IFTTT