Equifax, TransUnion Websites Served Up Adware, Malware
A Carousel of Badness: Fake Surveys, Fake Flash Players and Exploit Kits
Security researchers have discovered websites run by credit bureaus Equifax and TransUnion were both affected by dodgy code that redirected users to adware and malware.
As a result, Equifax has disabled part of its website. The affected TransUnion website, which is designed for customers in Central America, has been fixed and is no longer redirecting visitors to questionable destinations.
For Equifax, it's the latest in a string of worrying findings about its online operations. In early September, the company disclosed a devastating data breach affecting 145.5 million consumers in the U.S., plus others in the U.K. and Canada (see Equifax Ex-CEO Blames One Employee For Patch Failures).
Fake Flash
Randy Abrams, a security writer and researcher, discovered the Equifax issue. He posted a video on Wednesday that shows him cycling through menu selections on Equifax.com. When he clicked a button to obtain either a free or discounted credit report, Equifax began asking for personal information, including name, address and Social Security number. But that page quickly redirected through at least two domains before finally showing the infamous "Flash Player Install."
Rather than a Flash Player, what was actually delivered was Adware.Eorezo, according to Ars Technica, which first covered the story. Adware.Eorezo, which dates from 2012, pushes unwanted ads to Microsoft's Internet Explorer browser, according to Symantec.
In a statement, Equifax says that despite early media reports, its systems were not compromised and that its consumer online dispute portal wasn't affected.
"The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content," Equifax says. "Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis."
Where There's Smoke, There's 'Fireclick'
That third-party code is a JavaScript library called Fireclick. Fireclick was a small web analytics company acquired by Digital River in 2004. The script in question appears to be several years old, says Jerome Segura, lead intelligence analyst with the security vendor Malwarebytes.
After the Equifax discovery, Segura searched for other websites using the same script. He came across a surprising one: TransUnion, another one of the big three credit bureaus. The script was used on transunioncentroamerica.com.
Segura is an expert on malvertising, or the seeding of malicious advertisements within online ad networks. Such ads often redirect those browsing the web to malicious websites or can directly try to deliver malware to a computer using an exploit kit. Exploit kits scan computers for software vulnerabilities and, upon finding one, automatically deliver malware.
Segura browsed to the affected TransUnion site several times, first getting redirected to a survey scam, then to a bogus Flash Player update and finally to the RIG exploit kit. While display advertisements, the key component for malvertising, weren't a part of the TransUnion situation, Segura says known malicious ad networks and exchanges were involved in the redirections.
It appears that attackers have compromised the third-party library. Corrupting such libraries is a powerful way to affect many sites. The service Segura used, which led him to TransUnion's problematic website, probably showed more than 1,000 others using the same library.
Hard to Detect
The finding looks particularly bad for Equifax, which, following its breach, has received much criticism about the security of its online services.
But Segura says it can be difficult to detect malvertising and corrupted libraries such as Fireclick because the infrastructure behind them is complex. Third-party code libraries, in general, should always be treated with caution, he stresses.
"Doing an inventory of your assets and dependencies definitely helps," Segura says. "The reality is that most websites rely on CDNs [content distribution networks] and loading external JS [JavaScript], but that can also be a weakness and expose your visitors to malicious traffic if any of those get compromised."
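An added example, not from the article or from Segura: one way to start the dependency inventory described above is to list every script a page loads from another host and flag those lacking Subresource Integrity or HTTPS. The page URL, hosts and HTML below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample input; none of these hosts or paths come from the article.
PAGE_URL = "https://www.example.com/credit/report.html"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib/framework.min.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="//analytics.example.org/tracker.js"></script>
<script src="http://metrics.example.com/perf.js" async></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""

class ScriptInventory(HTMLParser):
    """Collects <script src=...> tags whose host differs from the page's host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script: no external dependency to record
        url = urljoin(self.page_url, src)  # resolves relative and //host forms
        parsed = urlparse(url)
        if parsed.hostname == self.page_host:
            return  # first-party script served by the page's own host
        issues = []
        if not attr.get("integrity"):
            issues.append("no-sri")     # the other host can change this file silently
        if parsed.scheme != "https":
            issues.append("not-https")  # can also be modified in transit
        self.findings.append({"host": parsed.hostname, "url": url, "issues": issues})

def inventory_third_party_scripts(html, page_url):
    parser = ScriptInventory(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in inventory_third_party_scripts(SAMPLE_HTML, PAGE_URL):
        print(f["host"], f["url"], ",".join(f["issues"]) or "ok")
```

An integrity attribute pins only the tagged file; anything that script loads at runtime is not covered and has to be constrained separately, for example with a Content-Security-Policy.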
To illustrate the complexity, Segura posted a screenshot in his blog post that shows the numerous redirects that occurred after browsing to the affected TransUnion domain.
Researchers were able to figure out what was going on with TransUnion and Equifax pretty quickly, which suggests that whoever is behind it wasn't that concerned about being caught. More sophisticated types of malvertising and other scams of this ilk can be tougher to catch.
Exploit kits are often set to refrain from attacking computers outside narrow parameters. For example, if a virtual machine is detected, an exploit kit will withhold its firepower for fear a security researcher might be watching. To keep a lower profile, malicious ads may only be delivered to computers running on specific versions of operating systems in certain IP ranges at only certain times of the day.