‘Equifax site helped spread malware’ – update


The Equifax site appears to have spent several hours serving malware to its users. An ‘independent security researcher’ received a pop-up with a redirect to a fake Flash update notification.

Ars Technica describes how Randy Abrams visited the Equifax website on Wednesday to check what he says may be incorrect information in his credit records. On three occasions, he is said to have been redirected to the external site centerbluray.info, where he was shown a notification for an Adobe Flash update. In reality, a click on the update installed a file called MediaDownloaderIron.exe, which contained the malware Adware.Eorezo. This causes unsolicited advertisements in Internet Explorer.

The crapware is currently recognized by only three antivirus companies: Panda, Symantec, and Webroot. Malwarebytes recognizes the centerbluray site as a malware-distributing site. If malware was indeed spread through the Equifax site, that would be another embarrassment for the lender. Attackers recently broke into the company’s servers and stole sensitive data from more than 140 million Americans and more than 15 million Britons.

It is unknown how the site caused the redirects, and it is also possible that the problem is local to Abrams’s own system. The “independent security researcher” gives few details about his discovery. From the accompanying video and screenshots it can only be concluded that he was using Internet Explorer.

Update, Friday 09.50: According to Malwarebytes, the malvertising took place via a third-party script on Equifax’s site from Fireclick, a company that specializes in web analytics. That script loaded a URL from an Akamai content delivery network, which in turn fetched content from ostats.net via the sitestats.info domain. The redirects to malware and adware are said to take place via the latter domain.
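The chain in the update shows why reviewing only the directly included script is not enough. As an added example (not from the article or from Malwarebytes), this sketch walks a constructed request log back through its initiators and reports the first host the site owner never reviewed; the `.example` hostnames, the paths, the hop order and the allowlist are assumptions.

```javascript
// Constructed request log (not captured from the incident). Each record names
// the earlier URL that caused the request. Hosts under .example are
// placeholders; the hop order is one assumed reading of the update.
const requests = [
  { url: "https://www.firstparty.example/report", initiator: null },
  { url: "https://analytics-vendor.example/fc.js", initiator: "https://www.firstparty.example/report" },
  { url: "https://cdn-edge.example/tag/loader.js", initiator: "https://analytics-vendor.example/fc.js" },
  { url: "https://sitestats.info/s.js", initiator: "https://cdn-edge.example/tag/loader.js" },
  { url: "https://ostats.net/c", initiator: "https://sitestats.info/s.js" },
  { url: "https://centerbluray.info/update", initiator: "https://ostats.net/c" },
];

const hostOf = (u) => new URL(u).hostname;

// Walk initiator links from one request back to the top-level page.
// The seen-set stops the walk if a malformed log contains a loop.
function traceChain(log, targetUrl) {
  const byUrl = new Map(log.map((r) => [r.url, r]));
  const chain = [];
  const seen = new Set();
  let cur = byUrl.get(targetUrl);
  while (cur && !seen.has(cur.url)) {
    seen.add(cur.url);
    chain.unshift(cur.url);
    cur = cur.initiator ? byUrl.get(cur.initiator) : null;
  }
  return chain;
}

// Return the first host in the chain that is not on the reviewed list,
// together with the host that pulled it in.
function firstUnreviewedHop(chain, reviewedHosts) {
  for (let i = 0; i < chain.length; i++) {
    const host = hostOf(chain[i]);
    if (!reviewedHosts.has(host)) {
      return { loadedBy: i > 0 ? hostOf(chain[i - 1]) : null, unreviewed: host, depth: i };
    }
  }
  return null;
}

// Hosts the site owner knowingly included (assumed allowlist).
const reviewed = new Set(["www.firstparty.example", "analytics-vendor.example"]);
const chain = traceChain(requests, "https://centerbluray.info/update");
console.log(chain.map(hostOf).join(" -> "));
console.log(firstUnreviewedHop(chain, reviewed));
```

The same walk can be run over a HAR export or a browser's network log, where the initiator field identifies the script that triggered each request.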
