Below, you can see the redirection sequence chain captured by RiskIQ showing the redirect from the compromised Equifax page to the one serving the Flash update:
This related PassiveTotal query shows redirections for the ostats[.]net domain: https://community.riskiq.com/search/ostats.net
In the malvertising chain above, several hosts redirect the user from website to website until they land on the final page delivering the malicious Flash download, cdn.centerbluray.info. Fortunately, RiskIQ virtual user technology was able to capture each of these redirections, including dependent requests, page content, and header information, and save them within the database:
Lost Referrer attempts to scrub the true source of the traffic. Hackers may be attempting to protect the vulnerable server or fraudulently mark the source of the traffic as their site (1freewebhosting.org):
Redirection chains like this are typical for actors who hijack traffic, as each visit gains them potential click profit. What’s notable about these types of attacks is that they seldom impact just one web property; instead, they affect whoever is using the third-party web component. While Equifax was indeed caught in this mess, they are not the only ones.
Data from the RiskIQ crawlers is exposed within PassiveTotal under our “host pairs” tab. In viewing ostats.net, it’s clear that several other legitimate websites, including Equifax, are redirecting through this redirection chain. Unfortunately, attacks like this are all too common online and often go unnoticed unless it’s a major brand. It’s important for organizations to realize the risk in third-party code and truly understand their externally facing digital footprint; without visibility, anyone could easily become the next Equifax of the week.
Parent Host Pairs show other sites affected by this redirection attack campaign:
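The following Python is an added example, not RiskIQ's code or data: it rebuilds a redirect chain from crawl records, flags hops whose Referer is lost or does not match the real parent, and pivots on host pairs to list every crawled site that feeds a shared third-party host. The record layout and all `.example` hostnames are constructed placeholders assumed for the illustration.

```python
from urllib.parse import urlparse

# Constructed crawl data (not RiskIQ's): per crawled site, the requests seen as
# (url, Referer header sent, redirect target or None). All hosts are placeholders.
CRAWLS = {
    "https://site-a.example/help": [
        ("https://site-a.example/help", None, "https://stats.example/r"),
        ("https://stats.example/r", "https://site-a.example/help", "https://hop.example/go"),
        ("https://hop.example/go", "https://freehost.example/", "https://cdn-dl.example/update"),
        ("https://cdn-dl.example/update", None, None),
    ],
    "https://site-b.example/": [
        ("https://site-b.example/", None, "https://stats.example/r"),
        ("https://stats.example/r", "https://site-b.example/", None),
    ],
}

def host(url):
    return urlparse(url).hostname if url else None

def walk_chain(records, start):
    """Follow redirect targets from start; returns the ordered hops."""
    by_url = {r[0]: r for r in records}
    chain, url = [], start
    while url in by_url and by_url[url] not in chain:  # stop on redirect loops
        chain.append(by_url[url])
        url = by_url[url][2]
    return chain

def host_pairs(chain):
    """(parent host, child host) for every cross-host hop in one chain."""
    hops = zip(chain, chain[1:])
    return [(host(p[0]), host(c[0])) for p, c in hops if host(p[0]) != host(c[0])]

def referrer_anomalies(chain):
    """Hops whose Referer is absent or names a host other than the real parent."""
    out = []
    for parent, child in zip(chain, chain[1:]):
        sent = host(child[1])
        if sent is None:
            out.append((host(child[0]), "lost"))
        elif sent != host(parent[0]):
            out.append((host(child[0]), "mismatch:" + sent))
    return out

def parents_of(child_host):
    """Pivot: every crawled site whose chain hands traffic to child_host."""
    found = set()
    for start, records in CRAWLS.items():
        pairs = host_pairs(walk_chain(records, start))
        found |= {p for p, c in pairs if c == child_host}
    return sorted(found)
```

A missing Referer is not always hostile (referrer policies and HTTPS-to-HTTP downgrades also strip it), so treat "lost" as a signal to review alongside the rest of the chain.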
How Does RiskIQ Help?
We recognize the difficulty in detecting these types of attacks; that’s why we built technology to address this challenge. For years, RiskIQ has been the leader in Digital Threat Management and has always taken the position that you can’t defend what you don’t know about. Leveraging virtual users, globally placed sensors, and regular Internet scans, RiskIQ builds an accurate inventory of all your externally facing assets and continuously monitors them for threats or compliance issues.
In this particular case, RiskIQ customers who use our Digital Footprint product would have been alerted to malicious activity on one of their sites via a malware event. These events are detailed and include full crawl details, enrichment data, and context around the suspicious event. Being alerted to a compromise in near real-time affords our customers the ability to take action quickly.
The infrastructure used in this attack will remain blacklisted within RiskIQ products until our virtual users stop identifying malicious behavior. For those within our community products, we’ve made this information available through those portals in the form of a tag and public project that includes a complete list of network indicators associated with this campaign.