As News reported late Wednesday night, a portion of Equifax’s website was redirecting visitors to a page that was delivering fraudulent Adobe Flash updates. When clicked, the files infected visitors’ machines with adware that was detected by only three of 65 antivirus providers. On Thursday afternoon, Equifax executives said the mishap was the result of a third-party service Equifax was using to collect website-performance data and that the “vendor’s code working on an Equifax website was accepting malicious content.” Equifax initially shut down the affected portion of its site, but the organization has since restored it after removing the malicious content.
Now, Malwarebytes security researcher Jérôme Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other instances, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins. The attack chain remained active at the time this post was going live.
“TransUnion is aware that our Central America website was briefly redirecting users to download malicious software. The issue has happened to be fixed and we are browsing our other websites. TransUnion has not known any unauthorized access to its systems as a result of this issue.”
The common thread tying the affected Equifax and TransUnion pages is that both hosted fireclick.js, a JavaScript file that appears to invoke the service serving the malicious content. When called, fireclick.js pulls content from a long chain of pages, beginning with those hosted by akamai.com, sitestats.com, and ostats.net. Depending on the visitor’s IP address, browsers ultimately wind up visiting pages that deliver a fake survey, a fake Flash update, or an exploit kit.
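For site owners, the practical check is knowing which third-party scripts each page loads and under what conditions. The following is an added example, not code from the article or from either company: it audits a page's `<script>` tags against a host allowlist, and the sample HTML, hostnames, and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.scripts.append(attr_map)

def audit_scripts(html, page_url, allowed_hosts):
    """Return (host, url, issues) for each script served from another host."""
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        url = urljoin(page_url, attrs["src"])  # resolves relative and //host URLs
        parsed = urlparse(url)
        if parsed.hostname == page_host:
            continue  # first-party script, out of scope here
        issues = []
        if parsed.hostname not in allowed_hosts:
            issues.append("host-not-allowlisted")
        if parsed.scheme != "https":
            issues.append("not-https")
        # SRI pins only the tagged file; content that the script pulls in
        # at run time is not covered, so the allowlist check still matters.
        if not attrs.get("integrity"):
            issues.append("no-sri")
        findings.append((parsed.hostname, url, issues))
    return findings

# Constructed sample page: hostnames and the integrity value are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/lib.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="http://stats.vendor.example/fireclick.js"></script>
</head></html>"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_PAGE, "https://www.bureau.example/",
                                 {"cdn.vendor.example"}):
        print(finding)
```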