As you may remember, in May 2017 Equifax, a provider of consumer credit reports, said it experienced a data breach affecting over 140 million US consumers after hackers exploited a vulnerability on its website. That’s about 44% of the US population! The data exposed in the hack included names, Social Security numbers, birth dates, addresses, and, in some cases, even driver’s license numbers. Unfortunately, this wasn’t the last time Equifax’s website was breached. The site was maliciously manipulated last week, this time to deliver fraudulent Adobe Flash updates. Visitors who clicked the link had their computers infected with adware, which only three out of 65 antivirus providers managed to detect.
When you think about it, this is really worrying: the site that previously lost the personal data of so many US citizens with a credit history was attacked once again, this time to trick visitors into installing malware that Symantec calls Adware.Eorezo. Usually, to avoid being caught, attackers serve a malicious download only once, and only to a select number of people. Surprisingly, this time the bogus Flash download links were served to the same visitor at least three times in a row. The Equifax site was redirecting users to the centerbluray.info page, which delivered a file named MediaDownloaderIron.exe. Sometimes the browser was redirected through at least four domains before finally opening the Flash download file.
Unfortunately, only Panda, Symantec, and Webroot were able to detect the file as adware. Luckily for our customers, Webroot is part of our Managed Services Provider package, so we know we keep you safe. Malwarebytes flagged the centerbluray.info site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains, newcyclevaults.com.
It’s not yet clear how the Flash download page came to be displayed. Researcher Kevin Beaumont suggested in a tweet that Equifax was working with a third-party ad network or analytics provider that’s responsible for the redirects. This could mean that the breach isn’t on the Equifax site itself and may be affecting other websites as well.