Malicious Redirects on Equifax, TransUnion Sites Caused by Third-Party Script

This post was originally published on this site

Two of the “Big Three” U.S. credit reporting agencies, Equifax and TransUnion, were hit by a cybersecurity incident caused by the use of a third-party web analytics script.

Independent security analyst Randy Abrams noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to a website set up to serve adware disguised as a Flash Player installer.

While initially it appeared that Equifax’s website had been hacked, the company’s investigation revealed that the malicious redirects occurred due to a third-party vendor’s script.

“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” Equifax stated.

Equifax website sends users to fake Flash installer

The redirection chain, often seen in malvertising attacks, results in users being taken to a scammy or malicious website, depending on their geographical location and the type of device they use to access the affected webpage.

Researchers at Malwarebytes have analyzed the incident and determined that the redirection occurs due to a web analytics script from Digital River-owned Fireclick. A search for the script involved in the attack (fireclick.js) revealed that it had also been used on the Central America website of TransUnion, whose customers were also redirected to shady sites.

Both Equifax and TransUnion have removed the problematic script from their websites. Equifax took the affected service offline and had not restored it at the time of writing.

“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” an Equifax spokesperson explained.

In addition to adware, Malwarebytes said the redirection chain also took users to fake surveys and even the RIG exploit kit, which is typically leveraged to deliver ransomware and other malware. The security firm found the same Fireclick script on several other websites as well.

“Many websites include javascript from third parties for a variety of purposes, including analytics, ads, styling, and many other webpage features. Equifax included this Fireclick library on their own website, but it pulls in some javascript from another site, netflame.cc, that appears to have been hacked. When the Equifax site loads Fireclick, which loads netflame.cc code, the victim’s browser is redirected to malware,” explained Jeff Williams, CTO and co-founder of Contrast Security.

“Anyone using the Fireclick library may have been affected, and the attackers may not even know that they compromised Equifax. A more targeted attack could have used the netflame.cc code to access victim’s data from the Equifax page, submit false data on behalf of the victim, or deface the Equifax page. The attack could have been made invisible to the victim and could have been much more difficult to detect,” Williams added.

Some Hacker News users noticed that the netflame.cc domain was owned by Digital River until November 2016, when the registration information changed to show that the new owner was an individual from Thailand. It’s unclear if this has played any part in the recent incident affecting Equifax and TransUnion.

Related: Equifax Warned About Vulnerability, Didn’t Patch It, Says Ex-CEO

Related: Equifax Sent Breach Victims to Fake Website

Related: Equifax Cybersecurity Failings Revealed Following Breach

view counter

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags: