Compromised analytics provider made Equifax’s site point to malware
Yesterday’s revelation that Equifax’s credit report assistance Web page was spotted redirecting visitors to malware resulted in the company temporarily disabling the page and starting an investigation.
Once the investigation was concluded, the company said that it had not been hacked. Instead, the malicious script was part of the code of a third-party vendor that Equifax uses to collect website performance data.
“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” the company told Brian Krebs.
Still, there’s no denying that this incident further erodes the trust consumers might still have in Equifax.
In the meantime, Malwarebytes security researcher Jerome Segura set out to find which script was responsible for the redirect, and found a likely candidate on the Web site of another credit-reporting company: TransUnion’s Central America portal (transunioncentroamerica.com).
As Equifax removed the script from their site before he could get his hands on it, Segura analyzed the video captured by researcher Randy Abrams to retrace part of the chain of redirects that took visitors to the fake Adobe Flash download.
Then, he managed to identify the script (fireclick.js) that held part of it, and find it again on the TransUnion site.
“Fireclick is a legitimate analytics company. If we look at the script closer, we can see that it loads a URL from the Akamai CDN. In turn, this loads content from another domain snap.sitestats[.]info. This eventually leads to ostats[.]net,” Segura noted. (Ostats.net is the initial domain of the redirect chain visible in the video.)
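The load chain Segura describes can be audited from a browser network capture by following which resource initiated each request and flagging the first hop that leaves the site's approved vendor list. This is an added example, not code from the article or from Malwarebytes. It assumes each captured request has been reduced to a (requested host, initiating host) pair; the records are constructed, `static.vendor-a.example` and `cdn.akamai-placeholder.example` are placeholders, and the article's domains are kept defanged.

```python
from collections import defaultdict

# Constructed sample: (requested host, host of the resource that initiated it).
REQUESTS = [
    ("transunioncentroamerica.com", None),                              # page visit
    ("static.vendor-a.example", "transunioncentroamerica.com"),         # placeholder vendor
    ("cdn.akamai-placeholder.example", "transunioncentroamerica.com"),  # URL loaded by fireclick.js
    ("snap.sitestats[.]info", "cdn.akamai-placeholder.example"),
    ("ostats[.]net", "snap.sitestats[.]info"),
]
# Hosts the site owner has knowingly approved (assumed allowlist).
APPROVED = {"transunioncentroamerica.com", "static.vendor-a.example",
            "cdn.akamai-placeholder.example"}

def load_chains(requests, root):
    """Return every root-to-leaf chain of hosts, following initiator links."""
    children = defaultdict(list)
    for host, initiator in requests:
        if initiator is not None and host != initiator:
            children[initiator].append(host)
    chains, stack = [], [[root]]
    while stack:
        path = stack.pop()
        nxt = [h for h in children[path[-1]] if h not in path]  # ignore loops
        if not nxt:
            chains.append(path)
        stack.extend(path + [h] for h in nxt)
    return sorted(chains)

def first_unapproved(chain, approved):
    """Return (introduced_by, host) for the first hop outside the allowlist."""
    for parent, host in zip(chain, chain[1:]):
        if host not in approved:
            return parent, host
    return None

def audit(requests, root, approved):
    """List each chain that reaches an unapproved host and who introduced it."""
    findings = []
    for chain in load_chains(requests, root):
        hit = first_unapproved(chain, approved)
        if hit:
            findings.append({"chain": " -> ".join(chain),
                             "introduced_by": hit[0], "host": hit[1]})
    return findings

if __name__ == "__main__":
    for finding in audit(REQUESTS, "transunioncentroamerica.com", APPROVED):
        print(finding)
```

The finding names the approved host that pulled in the unapproved one, which is the vendor relationship to review first.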
According to his findings, there are other Web sites out there that have the same script embedded directly into their main page, and they are obviously part of a larger malvertising campaign.
Since Segura’s discovery, TransUnion has pulled the malicious script from the Web site and is now scanning its other sites for it.