Compromised analytics provider made Equifax’s site point to malware

Yesterday’s revelation that Equifax’s credit report assistance Web page was spotted redirecting visitors to malware resulted in the company temporarily disabling the page and starting an investigation.

Compromised analytics provider

Once the investigation was concluded, the company said that it had not been hacked: the malicious script was part of the code of a third-party vendor that Equifax uses to collect website performance data.

“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” the company told Brian Krebs.

Still, there’s no denying that this incident further erodes the trust consumers might still have in Equifax.

Other sites

In the meantime, Malwarebytes security researcher Jerome Segura tried to discover which script was responsible for the redirect, and found a likely candidate on the Web site of another credit-reporting company: TransUnion’s Central American portal (transunioncentroamerica.com).

As Equifax removed the script from their site before he could get his hands on it, Segura analyzed the video captured by researcher Randy Abrams to retrace part of the chain of redirects that took visitors to the fake Adobe Flash download.

Then, he managed to identify the script (fireclick.js) that held part of it, and found it again on the TransUnion site.

“Fireclick is a legitimate analytics company. If we look at the script closer, we can see that it loads a URL from the Akamai CDN. In turn, this loads content from another domain snap.sitestats[.]info. This eventually leads to ostats[.]net,” Segura noted. (Ostats.net is the initial domain of the redirect chain visible in the video.)
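The chain Segura describes (a first-party page pulling a vendor script, which pulls from a CDN, which pulls from a domain nobody approved) is the kind of thing a site owner can audit mechanically. The following is an added example, not code from Malwarebytes or from either credit bureau: it walks a constructed, offline stand-in for that chain, records every hop, and flags hosts that are not on the site's allowlist. The hostnames, the `SAMPLE_FETCH` bodies and `ALLOWED_HOSTS` are all made up for the illustration.

```python
"""Trace the script-loading chain of a page and flag hosts outside an allowlist."""
import re
from urllib.parse import urlparse

# Constructed sample: URL -> body, standing in for page -> fireclick.js -> CDN
# -> stats domain -> final redirect. The last URL is deliberately not fetchable.
SAMPLE_FETCH = {
    "https://www.example-bureau.test/help.html":
        '<html><script src="https://analytics.example-vendor.test/fireclick.js"></script></html>',
    "https://analytics.example-vendor.test/fireclick.js":
        'var s=document.createElement("script");s.src="https://cdn.example-cdn.test/a.js";'
        'document.head.appendChild(s);',
    "https://cdn.example-cdn.test/a.js":
        "document.write('<script src=\"https://snap.sitestats.test/t.js\"></script>');",
    "https://snap.sitestats.test/t.js":
        'window.location="https://ostats.test/flash-update.html";',
}

# Hosts the site owner has knowingly approved (constructed allowlist).
ALLOWED_HOSTS = {"www.example-bureau.test", "analytics.example-vendor.test", "cdn.example-cdn.test"}

# Absolute http(s) URLs embedded in HTML attributes or JS string literals.
URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+(?:/[^\s"\'<>]*)?')

def extract_urls(body):
    """Return every absolute URL mentioned in a fetched HTML/JS body."""
    return URL_RE.findall(body)

def trace_chain(start, fetch, allowed, max_depth=10):
    """Breadth-first walk from `start`; returns (all hops in order, hops on unapproved hosts).

    `fetch` maps URL -> body (dict here; a real audit would use an HTTP client).
    A URL whose body is unavailable is still recorded and still judged against
    the allowlist, so a redirect target like ostats is not silently dropped.
    """
    seen, chain, flagged, queue = set(), [], [], [(start, 0)]
    while queue:
        url, depth = queue.pop(0)
        if url in seen or depth > max_depth:
            continue
        seen.add(url)
        chain.append(url)
        if urlparse(url).hostname not in allowed:
            flagged.append(url)
        body = fetch.get(url)
        if body is not None:
            queue.extend((nxt, depth + 1) for nxt in extract_urls(body))
    return chain, flagged

def csp_script_src(allowed):
    """Build a Content-Security-Policy script-src value that pins loads to the allowlist."""
    return "script-src 'self' " + " ".join("https://" + h for h in sorted(allowed))
```

Running `trace_chain("https://www.example-bureau.test/help.html", SAMPLE_FETCH, ALLOWED_HOSTS)` reports the two unapproved hosts at the end of the chain; the CSP value is the corresponding preventive control, since a browser enforcing it would refuse the load from `snap.sitestats.test` in the first place.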

According to his findings, other Web sites have the same script embedded directly in their main page, and they are evidently part of a larger malvertising campaign.

Since Segura’s discovery, TransUnion has pulled the malicious script from the Web site and is now scanning its other sites for it.