Third-Party Hack Leads to Compromised Equifax Site Serving Fake Flash Install

October 16, 2017, Brandon Dixon

As perimeter security gets stronger, threat actors look for softer entry points into an organization’s network. Often, third-party components such as JavaScript, which can be changed and compromised downstream without the knowledge of the site owner, are the perfect inroad.

Ars Technica reported that on October 12, an Equifax website was compromised, redirecting visitors to a site that downloads a fake Adobe Flash application. Investigators determined that the malicious redirect sequence could be attributed to Fireclick Media, a piece of third-party JavaScript on the site that provides analytics services. Once Fireclick was compromised, every site that loaded it downstream became suspect.

Below, you can see the redirection sequence chain captured by RiskIQ showing the redirect from the compromised Equifax page to the one serving the Flash update:

Fig-1 The malvertising sequence detected by RiskIQ

This related PassiveTotal query shows redirections for the ostats[.]net domain: https://community.riskiq.com/search/ostats.net

In the malvertising chain above, several hosts are used to redirect the user from website to website until they land on the final page delivering the malicious Flash download, cdn.centerbluray.info. Fortunately, RiskIQ virtual user technology was able to capture each one of these redirections, including dependent requests, page content, and header information, and save them within the database:

Fig-2 Each redirection captured by RiskIQ

Lost Referrer attempts to scrub the true source of the traffic. The attackers may be attempting to protect the vulnerable server, or to fraudulently mark the source of the traffic as their own site (1freewebhosting.org):

Fig-3 Lost Referrer

Redirection chains like this are typical for actors who hijack traffic as each visit gains them potential click profit. What’s notable about these types of attacks is that they seldom impact just one web property and instead, affect whoever is using the third-party web component. While Equifax was indeed caught in this mess, they are not the only ones.
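To make the two observations above concrete (the captured hop-by-hop chain, and the Lost Referrer hop that hides the true origin), here is an added analysis example that is not RiskIQ code. It walks a captured list of hops, checks that each 3xx Location actually leads to the next request, flags hops where the Referer is missing or names a host other than the page that sent the user there, and records which host the final download claims as its source. The capture is constructed: the victim URL and file name are placeholders, while the domains are the ones named in this post.

```python
from urllib.parse import urlparse

# Constructed capture modelled on the chain described in the post.
# victim.example and FlashPlayer.exe are placeholders, not real infrastructure.
SAMPLE_HOPS = [
    {"url": "https://victim.example/page", "referer": None, "status": 200,
     "headers": {"Content-Type": "text/html"}},
    {"url": "https://ostats.net/js/stats.js", "referer": "https://victim.example/page",
     "status": 302, "headers": {"Location": "http://1freewebhosting.org/r"}},
    {"url": "http://1freewebhosting.org/r", "referer": None, "status": 302,
     "headers": {"Location": "http://cdn.centerbluray.info/FlashPlayer.exe"}},
    {"url": "http://cdn.centerbluray.info/FlashPlayer.exe",
     "referer": "http://1freewebhosting.org/r", "status": 200,
     "headers": {"Content-Type": "application/octet-stream",
                 "Content-Disposition": "attachment; filename=FlashPlayer.exe"}},
]


def host(url):
    """Hostname of a URL, or "" when the URL is missing."""
    return urlparse(url).hostname or "" if url else ""


def analyze_chain(hops):
    """Summarise a captured redirect chain from a defender's point of view."""
    findings = {"hosts": [], "broken_links": [], "lost_referrer": [], "downloads": []}
    for i, hop in enumerate(hops):
        findings["hosts"].append(host(hop["url"]))
        if i > 0:
            prev = hops[i - 1]
            # Chain integrity: a 3xx Location should point at the very next request.
            if prev["status"] // 100 == 3 and prev["headers"].get("Location") != hop["url"]:
                findings["broken_links"].append(i)
            # Lost Referrer: the request arrives with no Referer, or with one naming
            # a host other than the page that actually sent the user here.
            ref = hop["referer"]
            if ref is None or host(ref) != host(prev["url"]):
                findings["lost_referrer"].append(host(hop["url"]))
        # The payload hop: a 200 that forces a file download.
        if hop["status"] == 200 and hop["headers"].get("Content-Disposition", "").startswith("attachment"):
            findings["downloads"].append(hop["url"])
    # Where the traffic really started versus what the final server was told.
    findings["true_origin"] = host(hops[0]["url"])
    findings["claimed_source"] = host(hops[-1]["referer"])
    return findings
```

Running `analyze_chain(SAMPLE_HOPS)` attributes the download to 1freewebhosting.org while showing the chain actually began at the victim page, which is exactly the discrepancy a Lost Referrer hop is meant to create.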

Data from the RiskIQ crawlers is exposed within PassiveTotal under our “host pairs” tab. In viewing ostats.net, it’s clear that several other legitimate websites, including Equifax, are redirecting through this redirection chain. Unfortunately, attacks like this are all too common online and often go unnoticed unless a major brand is involved. It’s important for organizations to realize the risk in third-party code and truly understand their externally facing digital footprint; without visibility, anyone could easily become the next Equifax of the week.

Parent Host Pairs show other sites affected by this redirection attack campaign:

Fig-4 Other sites affected by this campaign

How Does RiskIQ Help?

We recognize the difficulty in detecting these types of attacks, which is why we built technology to address this challenge. For years, RiskIQ has been the leader in Digital Threat Management and has always taken the position that you can’t defend what you don’t know about. Leveraging virtual users, globally placed sensors, and regular Internet scans, RiskIQ builds an accurate inventory of all your externally facing assets and continuously monitors them for threats or compliance issues.

In this particular case, RiskIQ customers who use our Digital Footprint product would have been alerted to malicious activity on one of their sites via a malware event. These events are detailed and include full crawl details, enrichment data, and context around the suspicious event. Being alerted to a compromise in near real time affords our customers the ability to take action quickly.

The infrastructure used in this attack will remain blacklisted within RiskIQ products until our virtual users stop identifying malicious behavior. For those within our community products, we’ve made this information available through those portals in the form of a tag and public project that includes a complete list of network indicators associated with this campaign.
