Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
The Internet Businesses Security

Not Just Equifax. Rival Site Transunion Served Malware Too -- and 1,000 More Sites (arstechnica.com) 68

An anonymous reader quotes Ars Technica: Equifax isn't the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, [was] also sending visitors to the fraudulent updates and other types of malicious pages... Malwarebytes security researcher Jerome Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins... "This is not something users want to have," Segura told Ars...

Equifax on Thursday was quick to say that its systems were never compromised in the attacks. TransUnion said much the same thing. This is an important distinction in some respects because it means that the redirections weren't the result of attackers having access to restricted parts of either company's networks. At the same time, the incidents show that visitors to both sites remain much more vulnerable to malicious content than they should be.

Both sites hosted fireclick.js, an old script from a small web analytics company which pulls pages from sites like Akamai, SiteStats.info, and Ostats.net. "It appears that attackers have compromised the third-party library," writes BankInfoSecurity, adding that Malwarebytes estimates over a 1,000 more sites are using the same library.
This discussion has been archived. No new comments can be posted.

Not Just Equifax. Rival Site Transunion Served Malware Too -- and 1,000 More Sites

Comments Filter:
  • by jargonburn ( 1950578 ) on Saturday October 14, 2017 @07:40PM (#55370429)
    Kill it! Kill it with fire!
    Seriously.
  • by gweihir ( 88907 ) on Saturday October 14, 2017 @07:48PM (#55370455)

    Noting surprising here. And unless these people get limited in their greed and stupidity by really unpleasant and, most important, personal consequences for the CEO when that happens, nothing will change. No, I am not talking about firing them. I am talking about them paying for the damage and, depending how extreme their failure, prison time.

    • by Anonymous Coward

      Yes, it's true, there's no penalty for incompetence, and until people start going to prison for their incompetence, nothing is going to change. But you're missing the bigger problem here, one that is running rampant across the Internet. I predicted this a long time ago.

      The Internet is now filled with thousands of middlemen. Ad networks, ad brokers, analytics companies, etc....... and websites are blindly pulling in Javacript from all these middlemen. All someone has to do is compromise one of these middle

      • by gweihir ( 88907 )

        I believe I do see the bigger problem. If you pull in stuff from middlemen, then it is _your_ responsibility to make sure it is safe. I fully agree on your last sentence.

        Of course, this is within reason. A food-store, for example, does not need to test anything it sells for poison. They can reasonably expect the food they get delivered from suppliers is clean, unless they get notified otherwise. The same is currently not true for anything you pull into your site from a 3rd party.

    • This.

      NOTHING will change until litigation kicks in.

      • This.

        NOTHING will change until litigation kicks in.

        HA! Good luck buddy. I read Trans-Union makes $233 million a year from these adnetworks. You think they will sit and take this or fight out tooth and nail!

        We have a political party who feels any regulation === communism and we will turn into Venezuela if we secure people quite literally! Diane Feinstein who is the leader of the other party is based in Silicon Valley.

        You think Silicon Valley who makes up her district which makes money off these slimy ad networks and supplies her with voters and millions of c

        • Your remarks address issues other than legal.

          "Those who don't learn from history are bound to repeat it. Those who do learn are bound to predict it." ~ © 2017 CaptainDork

          For a template of what's to come, look at fire codes.

          We did not have those until a critical number of people died.

          We are on a similar trajectory for data security.

          "Enough is enough and more than enough is too late." ~ © 2017 CaptainDork

          When "All your base are belong to us," litigation will kick in.

          So it is written, so let it be do

          • Quoting yourself is the first listing in "how to detect a douche"
          • by gweihir ( 88907 )

            Indeed. People do stupid things until something really important breaks. Then some measures are put in place, these days usually via liability. Then more important things break. Then some better measures are put in place. Repeat until breaking of important things gets rare enough that people forget (Tchernobyl...Fuckushima: 25 years).

            Those who do learn are a small minority and usually ignored, see also the story of Kassandra. All others usually need several catastrophes to get a glimmer of insight that thin

    • by Anonymous Coward

      They can't get prison time because any of their assets becomes evidence since you have to have a trial first. The 1% use credit too, if you catch my meaning. So, they'll just scapegoat until people stop caring instead.

    • by Khyber ( 864651 )

      "personal consequences for the CEO "

      Fuck that, personal consequences for all of the shareholders. This is THEIR property. If their property causes damage to other people, they're on the fucking hook.

  • by Billly Gates ( 198444 ) on Saturday October 14, 2017 @07:58PM (#55370483) Journal

    Each site freaking horrible 20+ ad networks, brokers, analytics, and marketing networks middleman who are the ones being compromised. It is the fireclick.js which directs data from somewhere that uses data from somewhere which then piggybacks from somewhere else until BAM the malware JS gets executed and the pop up appears.

    This system is totally unacceptable and retarded! All it takes if you use 20 different ad networks with ad brokers gettings things from the highest bidder is JUST ONE compromised or malicious player and the the trust is done.

    Looking at the rest of the site (I am not a web architect but others reading this post who are please reply) show some red flags. Curl shows it uses IIS 7.5 which went EOL in 2015! No COR headers so cross domain shit can be run from anywhere from the network of players, and no forcing HTTPS to prevent snooping in a man in the middle attack.

    This is why we run adblockers. And website owners have the gullibility to call us thieves for doing so. I mean even the bad SSL certificates have trusts in a chain. There is no trust when anyone can insert themselves in without encryption.

    We need a better solution from the IEEE or W3C or something to address the problem.

    • by Scutter ( 18425 ) on Saturday October 14, 2017 @08:21PM (#55370555) Journal

      If it's your website, you are responsible for the ad content you serve on it. This ridiculous "pass the buck" ecosystem that we've allowed to be created is the problem. End users who get infected by a bad site are told "Oh, gee, well I guess you should just use an antivirus. Also, pretty please turn off your ad blocker so we can make a little money to keep the site running for you?". The end user has no way of knowing who the ad network is, nor do they have any way to hold that network responsible.

      No, this is ABSOLUTELY Equifax and Transunion's fault. THEY are serving bad ads on their site. THEY are the ones who contracted with companies with terrible security. THEY are the ones inserting that bad security into their web site. THEY are responsible for any breaches as a result of that negligence. It's time to stop allowing these sites to keep getting away with this behavior over and over.

      • If it's your website, you are responsible for the ad content you serve on it. This ridiculous "pass the buck" ecosystem that we've allowed to be created is the problem. End users who get infected by a bad site are told "Oh, gee, well I guess you should just use an antivirus. Also, pretty please turn off your ad blocker so we can make a little money to keep the site running for you?". The end user has no way of knowing who the ad network is, nor do they have any way to hold that network responsible.

        No, this is ABSOLUTELY Equifax and Transunion's fault. THEY are serving bad ads on their site. THEY are the ones who contracted with companies with terrible security. THEY are the ones inserting that bad security into their web site. THEY are responsible for any breaches as a result of that negligence. It's time to stop allowing these sites to keep getting away with this behavior over and over.

        They are a for profit company. A comment in the parent URL mentioned they make $233,000,000 a year in ads. That is alot of cash. They can't just say no. The shareholders have a right to demand a return and not make their website for free as it costs money to produce and Trans-Union has a fiduciary responsibility .

        Who they outsource with has no control who they outsource with and they bid with another sourcer and so on. It's impossible to keep track and secure.

        • by Scutter ( 18425 )

          Are you actually saying that it's not their fault because A) the ads make them money, and B) the contracts are too hard to understand? Is that really what you are claiming? Because that is laughable at best and moronically idiotic at worst.

          • Are you actually saying that it's not their fault because A) the ads make them money, and B) the contracts are too hard to understand? Is that really what you are claiming? Because that is laughable at best and moronically idiotic at worst.

            No. What I am saying basically is the CEO can't turn off the adnetworks as he would be fired immediately. What we have in my other post is a broken system that even if you sign such a contract with an ad network it is still out of their control as they outsource to someone and so forth. I am sure they have clauses in these to prevent them from being sued due to incompetence down the chain.

            We need to verify the identity similar to how DNS is being used to prevent spam/phising in Email with DKIM keys in the D

            • No. The solution is that there should be such backlash and such bad press from advertising on sites for high profit companies centered around highly sensitive information, like Equifax and Transunion, or sites which contain HIPAA protected information, etc., that risking malvertising should result in the immediate firing of a CEO, CIO and CTO.

              They should not be forgiven for this. Forgiving them only encourages negligence in the name of profit. What benefit is it to the consumer to have their data and per
              • No. The solution is that there should be such backlash and such bad press from advertising on sites for high profit companies centered around highly sensitive information, like Equifax and Transunion, or sites which contain HIPAA protected information, etc., that risking malvertising should result in the immediate firing of a CEO, CIO and CTO.

                They should not be forgiven for this. Forgiving them only encourages negligence in the name of profit. What benefit is it to the consumer to have their data and personal computer put at unnecessary risk? What benefit is there to the economy to increase the amount of micromanagement required of every citizen?

                You can't change human nature my friend. Money talks shit walks is an old 1980s saying that rings so true. Greed wins everytime throughout history and is part of our human psyche. Even if you make a new HIPAA act you still have the problem of the rest of the web including the 1,000 other sites.

                Website owners have a right to want to be paid and not host things for free. The solution should be a safe way to do this and an organization like we do with SSL certificates monitor it. I still will use an ad blocker

      • If it's your website, you are responsible for the ad content you serve on it.

        Instant google monopoly. Who else can you trust to serve ads?

    • by Fly Swatter ( 30498 ) on Saturday October 14, 2017 @08:22PM (#55370557) Homepage
      Companies whose job is to secure the data of an entire nation should have an extreme case of NIH Syndrome. Sadly now its all copy-paste third party junk that no one can really trust.
  • by Anonymous Coward

    You should never do that on your website.

    By using third-party javascript, you are giving control of your users' web browsing to that third party.

    If any of those third parties are compromised, your users suffer.

    Not to mention it's slow and annoying for all those scripts to run.

  • Put these in hosts as blocked:

    0.0.0.0 aa.econsumer.equifax.com
    0.0.0.0 econsumer.equifax.com
    0.0.0.0 equifax.com
    0.0.0.0 ostats.net
    0.0.0.0 webhostinghub.com
    0.0.0.0 usa.quebec-lea.com
    0.0.0.0 usa.zerodirect6.com
    0.0.0.0 cdn.centerbluray.info
    0.0.0.0 quebec-lea.com
    0.0.0.0 zerodirect6.com
    0.0.0.0 centerbluray.info
    0.0.0.0 transunioncentroamerica.com
    0.0.0.0 a248.e.akamai.net
    0.0.0.0 e.akamai.net
    0.0.0.0 akamai.net
    0.0.0.0 snap.sitestats.info
    0.0.0.0 itechnews.org
    0.0.0.0 usd.quebec-lea.com
    0.0.0.0 usd.zerodirect6.com
    0.0.0.0

  • Fuck you. You get sued out of existence. Your CXX suite gets sued out of existence (that is, everything you have. Houses, 401ks, whatever). Your board of directors gets sued out of existence.

    . Lets be honest. These hacks happen because Those In Charge can't be bothered with security. So, if their lack of attention can throw the rest of my life into the shitter, then their lives also go into the shitter.
  • by chromaexcursion ( 2047080 ) on Saturday October 14, 2017 @09:05PM (#55370685)
    If you need to have a secure site you can't use cross links.
    Anything financial needs to have a secure site.
    These "business" decisions are penny wise, pound foolish.
    How many more CEOs have to resign in disgrace for the idiots to catch on?
    • Golden Parachutes and old-boy networks ensure that occasional resignations are irrelevant.

      Get credit on a blockchain if you want to get on with things - otherwise these people will just take a stock beating and get propped up with government bailouts (courtesy of the very people they have harmed). The whole thing is a systematic abusive relationship.

    • by Mitreya ( 579078 )

      How many more CEOs have to resign in disgrace for the idiots to catch on?

      At least one -- but that CEO has to not get a large bonus + severance package on the way out.

I use technology in order to hate it more properly. -- Nam June Paik

Working...