{"id":9869,"date":"2017-10-13T09:10:04","date_gmt":"2017-10-13T17:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/13\/news-3642\/"},"modified":"2017-10-13T09:10:04","modified_gmt":"2017-10-13T17:10:04","slug":"news-3642","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/13\/news-3642\/","title":{"rendered":"Malvertising on Equifax, TransUnion tied to third party script (updated)"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 12 Oct 2017 21:42:28 +0000<\/strong><\/p>\n

Update (09-13-2017)<\/strong>: Ars is reporting<\/a> that TransUnion identified and mitigated the issue as per the following statement:<\/p>\n

“TransUnion is aware that our Central America website was temporarily redirecting users to download malicious software. The issue has been fixed and we are scanning our other websites. TransUnion has not identified any unauthorized access to its systems as a result of this issue.”<\/em><\/p>\n

– –
Dan Goodin reported<\/a> on Ars Technica that the Equifax website was involved in yet another kerfuffle, this time pushing a fake Flash Player. Looking at the YouTube video<\/a>\u00a0(captured by security researcher\u00a0Randy Abrams<\/a>)\u00a0frame by frame, we were able to retrace some of this malvertising chain.<\/p>\n

aa.econsumer.equifax.com (Equifax)   -> ostats.net    -> webhostingshub.com     -> usa.quebec-lea.com      -> usa.zeroredirect6.com       -> cdn.centerbluray.info (fake Flash)<\/pre>\n
For those tracking malvertising, this is a very familiar sequence. However, a question remained as to how we got to the ostats[.]net<\/em> URL. Dan Goodin shared a link<\/a> about a possible culprit, namely a third-party library which would have been loaded from:<\/p>\n
https:\/\/aa.econsumer.equifax.com\/aad\/uib\/js\/fireclick.js<\/strong><\/pre>\n
Since Equifax pulled that site down, it was not possible to identify what that script exactly did. However, a quick search for other websites that were using it returned\u2014surprisingly\u2014another consumer reporting credit agency, namely TransUnion<\/a> and their Central America website.<\/p>\n
\"\"<\/a><\/p>\n
By visiting transunioncentroamerica[.]com<\/em>, we were able to confirm that this fireclick.js<\/em> script was indeed part of this redirection chain.<\/p>\n
\"\"<\/a><\/p>\n
This chain ultimately leads to the fake Flash player.<\/p>\n
\"\"<\/a><\/p>\n
ostats[.]net<\/em> domain is performing all sorts of redirections, as seen in this RiskIQ’s PassiveTotal<\/a> search.<\/p>\n
\"\"<\/p>\n
During our tests we encountered fake surveys, Flash updates, and also a redirection to the RIG exploit kit.<\/p>\n
Third-party script<\/h3>\n
Fireclick<\/a> is a legitimate analytics company. If we look at the script closer, we can see that it loads a URL from the Akamai CDN.<\/p>\n
\"\"<\/p>\n
In turn, this loads content from another domain snap.sitestats[.]info.<\/em><\/p>\n
\"\"<\/a><\/p>\n
This eventually leads to ostats[.]net.<\/em><\/p>\n
\"\"<\/p>\n
Some other websites have the script embedded directly into their main page, and they also are involved in this malvertising campaign.<\/p>\n
\"\"<\/p>\n
We are still investigating the incident and will report any updates we find on this blog. In the meantime, Malwarebytes users are protected against malicious redirections from this attack.<\/p>\n
Indicators of compromise<\/h3>\n
10\/12\/2017 11:58:32 AM,GET,66.61.173.64,a248.e.akamai[.]net,CDN  10\/12\/2017 11:58:33 AM,POST,209.126.124.246,snap.sitestats[.]info,Stats site  10\/12\/2017 11:58:34 AM,GET,209.126.124.246,snap.sitestats[.]info,Stats site  10\/12\/2017 11:58:35 AM,GET,209.126.122.22,ostats[.]net,Redirector  10\/12\/2017 11:58:35 AM,GET,209.126.127.34,itechnews[.]org,Malvertising  10\/12\/2017 11:58:36 AM,GET,54.172.97.98,usd.quebec-lea[.]com,Malvertising  10\/12\/2017 11:58:36 AM,GET,54.172.97.98,usd.zeroredirect6[.]com,Malvertising  10\/12\/2017 11:58:37 AM,GET,34.194.20.115,www.temocycle[.]site,Malvertising  10\/12\/2017 11:58:37 AM,GET,35.163.98.253,www.theapplicationappmy23[.]download,Fake Flash site  10\/12\/2017 11:58:38 AM,GET,54.230.84.39,www.bestapps4ever161[.]download,Fake Flash site<\/pre>\n
Fake Flash player<\/p>\n
24dba15691e81192b76327046f34b2a51b0b460ab058dbb411cf02407ebae57f<\/pre>\n
The post Malvertising on Equifax, TransUnion tied to third party script (updated)<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 12 Oct 2017 21:42:28 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
We take a look at the the recent malvertising incident that happened on Equifax’s site and show how it also affected TransUnion.<\/p>\n
Categories: <\/p>\n