{"id":9848,"date":"2017-10-12T15:10:06","date_gmt":"2017-10-12T23:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/12\/news-3621\/"},"modified":"2017-10-12T15:10:06","modified_gmt":"2017-10-12T23:10:06","slug":"news-3621","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/12\/news-3621\/","title":{"rendered":"Equifax, TransUnion websites push fake Flash Player in malvertising campaign"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 12 Oct 2017 21:42:28 +0000<\/strong><\/p>\n

Dan Goodin reported<\/a> on Ars Technica that the Equifax website was involved in yet another kerfuffle, this time pushing a fake Flash Player. Looking at the YouTube video<\/a> of this incident frame by frame, we were able to retrace some of this malvertising chain.<\/p>\n

aa.econsumer.equifax.com (Equifax)   -> ostats.net    -> webhostingshub.com     -> usa.quebec-lea.com      -> usa.zeroredirect6.com       -> cdn.centerbluray.info (fake Flash)<\/pre>\n
For those tracking malvertising, this is a very familiar scenario. However, a question remained as to how we got to the ostats[.]net<\/em> URL. Dan Goodin shared a link<\/a> about a possible culprit, namely a third-party library which would have been loaded from:<\/p>\n
https:\/\/aa.econsumer.equifax.com\/aad\/uib\/js\/fireclick.js<\/pre>\n
Since Equifax pulled that site down, it was not possible to identify what that script exactly did. However, a quick search for other websites that were using it returned\u2014surprisingly\u2014another consumer reporting credit agency, namely TransUnion<\/a> and their Central America website.<\/p>\n
\"\"<\/a><\/p>\n
By visiting transunioncentroamerica[.]com<\/em>, we were able to confirm that this fireclick.js<\/em> script was indeed part of this redirection chain.<\/p>\n
\"\"<\/a><\/p>\n
This chain ultimately leads to the fake Flash player.<\/p>\n
\"\"<\/a><\/p>\n
ostats[.]net<\/em> domain is performing all sorts of redirections, as seen in this RiskIQ’s PassiveTotal<\/a> search.<\/p>\n
\"\"<\/p>\n
During our tests we encountered fake surveys, Flash updates, and also a redirection to the RIG exploit kit.<\/p>\n
Third-party script<\/h3>\n
Fireclick<\/a> is a legitimate analytics company. If we look at the script closer, we can see that it loads a URL from the Akamai CDN.<\/p>\n
\"\"<\/p>\n
In turn, this loads content from another domain snap.sitestats[.]info.<\/em><\/p>\n
\"\"<\/a><\/p>\n
This eventually leads to ostats[.]net.<\/em><\/p>\n
\"\"<\/p>\n
Some other websites have the script embedded directly into their main page, and they also are involved in this malvertising campaign.<\/p>\n
\"\"<\/p>\n
We are still investigating the incident and will report any updates we find on this blog. In the meantime, Malwarebytes users are protected against malicious redirections from this attack.<\/p>\n
Indicators of compromise<\/h3>\n
10\/12\/2017 11:58:32 AM,GET,66.61.173.64,a248.e.akamai[.]net,CDN  10\/12\/2017 11:58:33 AM,POST,209.126.124.246,snap.sitestats[.]info,Stats site  10\/12\/2017 11:58:34 AM,GET,209.126.124.246,snap.sitestats[.]info,Stats site  10\/12\/2017 11:58:35 AM,GET,209.126.122.22,ostats[.]net,Redirector  10\/12\/2017 11:58:35 AM,GET,209.126.127.34,itechnews[.]org,Malvertising  10\/12\/2017 11:58:36 AM,GET,54.172.97.98,usd.quebec-lea[.]com,Malvertising  10\/12\/2017 11:58:36 AM,GET,54.172.97.98,usd.zeroredirect6[.]com,Malvertising  10\/12\/2017 11:58:37 AM,GET,34.194.20.115,www.temocycle[.]site,Malvertising  10\/12\/2017 11:58:37 AM,GET,35.163.98.253,www.theapplicationappmy23[.]download,Fake Flash site  10\/12\/2017 11:58:38 AM,GET,54.230.84.39,www.bestapps4ever161[.]download,Fake Flash site<\/pre>\n
Fake Flash player<\/p>\n
24dba15691e81192b76327046f34b2a51b0b460ab058dbb411cf02407ebae57f<\/pre>\n
The post Equifax, TransUnion websites push fake Flash Player in malvertising campaign<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 12 Oct 2017 21:42:28 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Equifax’s website is once again infected, this time with malvertising that redirects to a fake Flash player. Further investigation reveals TransUnion was also targeted.<\/p>\n
Categories: <\/p>\n