Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Saturday October 14 2017, @03:10AM   Printer-friendly
from the Alfred-E.-Newman-award-winners dept.

A story at Ars Technica reports two credit reporting agencies' web sites are redirecting users to sites trying to distribute malware — Transunion's Central America site and Equifax's site:

As Ars reported late Wednesday night, a portion of Equifax's website was redirecting visitors to a page that was delivering fraudulent Adobe Flash updates. When clicked, the files infected visitors' computers with adware that was detected by only three of 65 antivirus providers. On Thursday afternoon, Equifax officials said the mishap was the result of a third-party service Equifax was using to collect website-performance data and that the "vendor's code running on an Equifax website was serving malicious content." Equifax initially shut down the affected portion of its site, but the company has since restored it after removing the malicious content.

Now, Malwarebytes security researcher Jérôme Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins. The attack chain remained active at the time this post was going live. Segura published this blog post shortly after this article went live on Ars.

"This is not something users want to have," Segura told Ars.

The common thread tying the affected Equifax and TransUnion pages is that both hosted fireclick.js, a JavaScript file that appears to invoke the service serving the malicious content. When called, fireclick.js pulls content from a long chain of pages, starting with those hosted by akamai.com, sitestats.com, and ostats.net. Depending on the visitors' IP address, browsers ultimately wind up visiting pages that deliver a fake survey, a fake Flash update, or an exploit kit.

Segura believes ostats.net is the link in the chain where things turn bad, but he has yet to confirm that.

I run with NoScript, AdBlock Lattitude, and uBlock Origin installed in my browser. I'll try allowing three, at most four, remote sites to get to content, otherwise I'll go somewhere else. The SoylentNews.org web site is coded so that users need not run even a single line of Javascript.

Additional coverage on Politico.com


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Interesting) by fritsd on Saturday October 14 2017, @02:17PM (1 child)

    by fritsd (4586) on Saturday October 14 2017, @02:17PM (#582277) Journal

    (...) both hosted fireclick.js, a JavaScript file that appears to invoke the service serving the malicious content.
    When called, fireclick.js pulls content from a long chain of pages, (...)

    One question:

    Why?

    What is the purpose to make a user download your JavaScript code from some third party? Wouldn't you want to keep control of what your website customers get served???

    Genuine question; I don't understand the reason behind this.

    Starting Score:    1  point
    Moderation   +3  
       Interesting=3, Total=3
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 4, Informative) by tibman on Saturday October 14 2017, @05:35PM

    by tibman (134) Subscriber Badge on Saturday October 14 2017, @05:35PM (#582346)

    I usually see it with 3rd-party services. A small business wants to add a live help chat thing to their website but they don't know how to do it. They pay another company for the service which is delivered like a turn-key solution. "Add this snippet of js to your website."

    Large companies have a similar issue in that they don't know how to do anything because they continue to outsource every technical job.

    --
    SN won't survive on lurkers alone. Write comments.