SoylentNews is people

posted by Fnord666 on Saturday October 14 2017, @03:10AM
from the Alfred-E.-Newman-award-winners dept.

A story at Ars Technica reports that two credit reporting agencies' web sites are redirecting users to sites trying to distribute malware: TransUnion's Central America site and Equifax's site:

As Ars reported late Wednesday night, a portion of Equifax's website was redirecting visitors to a page that was delivering fraudulent Adobe Flash updates. When clicked, the files infected visitors' computers with adware that was detected by only three of 65 antivirus providers. On Thursday afternoon, Equifax officials said the mishap was the result of a third-party service Equifax was using to collect website-performance data and that the "vendor's code running on an Equifax website was serving malicious content." Equifax initially shut down the affected portion of its site, but the company has since restored it after removing the malicious content.

Now, Malwarebytes security researcher Jérôme Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins. The attack chain remained active at the time this post was going live. Segura published this blog post shortly after this article went live on Ars.

"This is not something users want to have," Segura told Ars.

The common thread tying the affected Equifax and TransUnion pages is that both hosted fireclick.js, a JavaScript file that appears to invoke the service serving the malicious content. When called, fireclick.js pulls content from a long chain of pages, starting with those hosted by akamai.com, sitestats.com, and ostats.net. Depending on the visitors' IP address, browsers ultimately wind up visiting pages that deliver a fake survey, a fake Flash update, or an exploit kit.

Segura believes ostats.net is the link in the chain where things turn bad, but he has yet to confirm that.

I run with NoScript, AdBlock Latitude, and uBlock Origin installed in my browser. I'll try allowing three, at most four, remote sites to get to content, otherwise I'll go somewhere else. The SoylentNews.org web site is coded so that users need not run even a single line of Javascript.

Additional coverage on Politico.com
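
The story describes pages that include a script file (fireclick.js) from a vendor, which then pulls in content from further hosts. As an added illustration, not part of the original story or of any site's code, this is a first-hop audit that lists the script hosts a page hands control to and whether each include is pinned with Subresource Integrity. The sample markup, host names and allowlist are constructed; only the file name fireclick.js comes from the story.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not the real Equifax or TransUnion markup).
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//stats.vendor.example/fireclick.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>var inline = 1;</script>
</head></html>
"""

class ScriptAudit(HTMLParser):
    """Collect every <script src=...> with its resolved URL and SRI status."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []  # (absolute_url, has_integrity_attribute)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):  # inline scripts have no src and are skipped
            url = urljoin(self.page_url, a["src"])  # resolves //host/... too
            self.scripts.append((url, bool(a.get("integrity"))))

def audit(html, page_url, allowed_hosts=()):
    """Return one finding per script loaded from a host other than the page's."""
    page_host = urlparse(page_url).hostname
    parser = ScriptAudit(page_url)
    parser.feed(html)
    findings = []
    for url, has_sri in parser.scripts:
        host = urlparse(url).hostname
        if host == page_host:
            continue  # first-party script, served under the site's own control
        findings.append({"url": url, "host": host,
                         "allowlisted": host in allowed_hosts,
                         "pinned_with_sri": has_sri})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "https://www.example.com/help/",
                   allowed_hosts={"cdn.example.net"}):
        print(f)
```

Static parsing sees only the first hop: hosts that a third-party file contacts at run time, like the chain described in the story, do not appear in the markup and have to be constrained with a Content-Security-Policy instead.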



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Saturday October 14 2017, @03:18AM (#582166)
    One line of obfuscated JavaScript can be several kilobytes, as in this malware. https://pastebin.com/zY91NKTH
  • (Score: 3, Insightful) by Anonymous Coward on Saturday October 14 2017, @03:38AM (#582172)

    The SoylentNews.org web site is properly coded. so that users need not run even a single line of Javascript.

    FTFY. Broken with Javascript disabled == broken. Working with Javascript disabled == working. Why are there so many very, very broken websites on the internet? In my day if a thing was broken we didn't pay for it.

    • (Score: 1, Disagree) by Anonymous Coward on Saturday October 14 2017, @05:31AM (#582191)

      Well, you're probably still not paying for most things on the Javascript Web.

      • (Score: 4, Insightful) by maxwell demon (1608) on Saturday October 14 2017, @10:00AM (#582231)

        You're mistaken: For a lot of things you are paying. Just not in the form of money. Well, at least not directly; you don't know how your tracking data costs you money elsewhere.

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Saturday October 14 2017, @03:52AM (#582176)

    "The SoylentNews.org web site is coded so that users need not run even a single line of Javascript."

    SN Awesome.

    - AC

    • (Score: 0) by Anonymous Coward on Saturday October 14 2017, @05:36AM (#582193)

      Yeah, noscript blocks JS from SN, and everything works in my browser.

  • (Score: 2) by idiot_king (6587) on Saturday October 14 2017, @04:13AM (#582178)

    Say it with me kids: CAPITALISM HURTS EVERYONE.
    This is no surprise. Government cronies do the absolute bare minimum, or even worse, whatever's easiest to just be able to say that "they did what was necessary."
    At this rate, it's no secret that the American Capitalist system will utterly collapse into a pile of smoldering ash. The fat pigs on top of the pyramid don't care, but they don't realize their pyramid of shabby wood is on fire - and this Equifax disaster-capitalist debacle is the beginning of the absolute proof of Marx's theory - that capitalism is an utter failure, trainwreck, that swallows everything in its path.

    • (Score: 3, Informative) by Anonymous Coward on Saturday October 14 2017, @05:24AM (#582189)

      CAPITALISM HURTS EVERYONE

      No, capitalism hurts ALMOST everyone. The C-level sociopaths, politicians, and banksters are all doing very, very well and will continue to do well.

      • (Score: 0) by Anonymous Coward on Saturday October 14 2017, @06:41AM (#582199)

        No, capitalism hurts ALMOST everyone. The C-level sociopaths, politicians, and banksters are all doing very, very well and will continue to do well.

        ref provided https://en.wikipedia.org/wiki/Psychopathy#In_the_workplace [wikipedia.org]

    • (Score: 4, Interesting) by rylyeh (6726) <{kadath} {at} {gmail.com}> on Saturday October 14 2017, @06:15AM (#582198)

      IMO, non-profit solutions fit the 'best outcome' of a market economy. Profit, beyond the need to re-invest in improvement, is essentially theft.

      Why is any profit allowed in the Medical sector? Providing critical services that people require should not be 'profitable'.

      The fidget spinner - coca-cola - designer clothing and non-essential things, that's where profit should be allowed.
         

      --
      "a vast crenulate shell wherein rode the grey and awful form of primal Nodens, Lord of the Great Abyss."
  • (Score: 2) by jasassin (3566) <jasassin@gmail.com> on Saturday October 14 2017, @08:23AM (#582211)

    Why doesn't somebody sue these assholes?

    --
    jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
    • (Score: 5, Informative) by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Saturday October 14 2017, @08:39AM (#582214)

      Are You an Equifax Breach Victim? You Could Give Up Right to Sue to Find Out [soylentnews.org]

      (not a full answer to your question, but ain't that something)

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by jasassin (3566) <jasassin@gmail.com> on Saturday October 14 2017, @09:11AM (#582222)

        Things that make you go hmmm...

        --
        jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
      • (Score: 3, Informative) by SrLnclt (1473) on Saturday October 14 2017, @02:39PM (#582284)

        From the Experian Data Breach FAQ [equifaxsecurity2017.com] (under the Complimentary TrustedID Premier Product):

        Q: "Do the TrustedID and Equifax Terms of Use limit my options related to the cyber security incident?"
        A: "To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action. We have already removed that language from the Terms of Use on the site www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident. Again, to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself."

        Q: "If I enrolled in TrustedID Premier prior to the Terms of Use change, what Terms of Use apply?"
        A: "The prior Terms of Use will not apply to any consumers who have enrolled in TrustedID Premier, regardless of when they enrolled. In other words, even if a consumer enrolled prior to the change to the Terms of Use, the revised Terms of Use will apply to that consumer."

    • (Score: 3, Touché) by fritsd (4586) on Saturday October 14 2017, @02:15PM (#582275)

      Sorry, Equifax just re-directed you to a malware website that said: "I hereby declare that I am in full agreement with Equifax' terms and conditions, and have no need to sue them, now or ever".

      And when you clicked on the cross on the top right corner it clicked on the "I accept" button.

  • (Score: 4, Informative) by crafoo (6639) on Saturday October 14 2017, @02:02PM (#582270)

    Javascript was a mistake. It continues to be a mistake. Doubling down with web asm just reinforces the fact that we failed to learn the lesson.

    Oh, your website is unusable without javascript? It's not a web site. It's a proprietary "web app" you are asking me to execute on my personal hardware. You can call it a web site all day but it's not.

    So they handed over personal information for every single American citizen? So what? You can't do anything about it. Our government won't do anything about it. I think redirecting people to malware is just a blatant "fuck you, we don't care and you can't make us" response. Seriously, you have no effective recourse. Write your firmly-worded e-mail to the FCC, pay your taxes, and shut the fuck up peon.

    • (Score: 0) by Anonymous Coward on Saturday October 14 2017, @05:05PM (#582336)

      Don't worry pal I have it on the highest authority that the swamp will be swiftly drained!

  • (Score: 5, Interesting) by fritsd (4586) on Saturday October 14 2017, @02:17PM (#582277)

    (...) both hosted fireclick.js, a JavaScript file that appears to invoke the service serving the malicious content.
    When called, fireclick.js pulls content from a long chain of pages, (...)

    One question:

    Why?

    What is the purpose to make a user download your JavaScript code from some third party? Wouldn't you want to keep control of what your website customers get served???

    Genuine question; I don't understand the reason behind this.

    • (Score: 4, Informative) by tibman (134) on Saturday October 14 2017, @05:35PM (#582346)

      I usually see it with 3rd-party services. A small business wants to add a live help chat thing to their website but they don't know how to do it. They pay another company for the service which is delivered like a turn-key solution. "Add this snippet of js to your website."

      Large companies have a similar issue in that they don't know how to do anything because they continue to outsource every technical job.

      --
      SN won't survive on lurkers alone. Write comments.