Wednesday, October 11, 2017

New Equifax Website Compromise

Update: Third-party analysis tends to indicate something conceptually the same as malvertising. Watch the video and replace Equifax with your favorite website. It happens every day throughout the world. Now it's a security training video.

I like Equifax more than Experian. TrustedID gave me the heads up that Experian had falsified personal information in my file. After verifying that Experian did in fact falsify the data (it was due to incompetence and apathy), I decided to see if the misinformation had propagated to Equifax. As I tried to find my credit report on the Equifax website, I clicked on an Equifax link and was redirected to a malicious URL. The URL brought up one of the ubiquitous fake Flash Player Update screens.



For all of you voyeurs...

Seriously folks. Equifax has enough on their plate trying to update Apache. They are not going to help you update Flash.

I know that nobody is surprised at my find, but watching Equifax is getting to be like watching a video of United Airlines “deplaning” a passenger... It hurts.

And once again Equifax, all I want from you are my credit scores. Please?

Independent Security Analyst



12 comments:

  1. Has this been reported to Google so they can scan the site and potentially put warnings in the search results? https://safebrowsing.google.com/safebrowsing/report_badware/

    1. Fair question. Nope. I'm not sure if safe-browsing blocked it or not. The information was shared widely in the anti-malware community on a closed list. The redirected URLs were submitted to VirusTotal. Yep, mea culpa, I should have remembered to do that too.

  2. Do NOT watch the video above. After viewing I immediately started receiving a lot of spam email. Did a quick system restore and virus scan to make sure my PC was back to normal.

    1. Clearly you have something else going on which caused your issues. Nothing on this site or video looks suspicious.

  3. I am not seeing any other such reports and while virtually nothing is impossible, it is beyond improbable. This video was created on my computer and is a valid WMV. This video was uploaded from my computer and is not linked to YouTube or any other site, other than where Google may store it. Having uploaded it to VirusTotal and viewing the additional file details, it is safe to say the format is valid. I think you have the wrong culprit. I chose to publish your comment because if someone else is nervous about it then I will not advise against being paranoid... sometimes your paranoia may save you. I recommend you don't stop your investigation at this point though.

  4. No video issues here. Nice work old PRS buddy.

    1. Thanks David! It's a sad state of affairs nowadays. Remember when malware at least said "I Love You" before infecting your computer?

  5. Hi Randy, do you happen to have a cache of the html of the problematic page at the time of infection? I am interested in doing further research.

  6. Did you notice it switched from HTTPS to HTTP once you click on the link? That's a major red flag.

    1. I did see that, but not immediately. I was busy replicating the issue and then recording it. I think you will have to agree that the actual Flash graphic was a much more conspicuous "red flag" :-)
      I didn't look at whether or not it was http or https because in this specific case it was not relevant to me. When it is used as a training example to help others be safer on the Internet, then it matters a lot to me. Please use the video to help people be safer. When I have time I will make it available for download.

  7. Also suspicious: If you pause it at 0:07, you see an IE notification pop-up stating "Internet Explorer has finished deleting the selected browsing history."

    That makes me wonder if the same would have happened if you used a different browser.

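The pattern the post and comment 6 describe (a link on a trusted HTTPS site hopping off-domain, dropping to plain HTTP and landing on a fake Flash Player update page) can be checked mechanically from a captured redirect chain, for example one pulled from proxy logs or a browser's network capture. The script below is an added example, not code from the post or from Equifax; the hosts in SAMPLE_CHAIN are constructed placeholders, and the registrable-domain helper is a deliberate approximation rather than a real public-suffix lookup.

```python
"""Flag redirect chains that leave a trusted HTTPS site, downgrade to
HTTP, and land on an off-site page with installer/update lure wording."""
from urllib.parse import urlparse

# Constructed sample chain (hypothetical hosts, not the real redirect URLs).
SAMPLE_CHAIN = [
    "https://www.example-bureau.test/personal/credit-report",
    "https://www.example-bureau.test/go?id=123",
    "http://cdn.tracker-example.test/r?c=99",
    "http://flash-update-example.test/player/update.html",
]

# Words typical of fake "update your player" lure pages.
LURE_WORDS = ("flash", "player", "update", "install")


def registrable(host):
    """Crude eTLD+1 (last two labels); an approximation, not a PSL lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_chain(chain):
    """Return a list of human-readable findings for one redirect chain."""
    findings = []
    start = urlparse(chain[0])
    origin_site = registrable(start.hostname or "")
    prev_scheme, left_site = start.scheme, False
    for hop, url in enumerate(chain[1:], start=1):
        u = urlparse(url)
        host = u.hostname or ""
        # The red flag from comment 6: an HTTPS page redirecting to plain HTTP.
        if prev_scheme == "https" and u.scheme == "http":
            findings.append(f"hop {hop}: downgrade https->http at {host}")
        # First hop that leaves the site the user thought they were on.
        if not left_site and registrable(host) != origin_site:
            findings.append(f"hop {hop}: leaves {origin_site} for {registrable(host)}")
            left_site = True
        prev_scheme = u.scheme
    final = urlparse(chain[-1])
    text = ((final.hostname or "") + final.path + final.query).lower()
    if left_site and any(w in text for w in LURE_WORDS):
        findings.append("final page: off-site host with update/installer lure wording")
    return findings


if __name__ == "__main__":
    for line in analyze_chain(SAMPLE_CHAIN):
        print(line)
```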