Equifax, TransUnion websites push fake Flash Player in malvertising campaign

Discussion in 'Tech News' started by News Hound, Oct 12, 2017.

    Dan Goodin reported on Ars Technica that the Equifax website was involved in yet another kerfuffle, this time pushing a fake Flash Player. Looking at the YouTube video of this incident frame by frame, we were able to retrace some of this malvertising chain.

    aa.econsumer.equifax.com (Equifax)
    -> ostats.net
    -> webhostingshub.com
    -> usa.quebec-lea.com
    -> usa.zeroredirect6.com
    -> cdn.centerbluray.info (fake Flash)

    For those tracking malvertising, this is a very familiar sequence. However, a question remained as to how we got to the ostats[.]net URL. Dan Goodin shared a link about a possible culprit, namely a third-party library which would have been loaded from:

    https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js

    Since Equifax pulled that site down, it was not possible to identify exactly what that script did. However, a quick search for other websites that were using it returned, surprisingly, another consumer credit reporting agency: TransUnion, via its Central America website.

    By visiting transunioncentroamerica[.]com, we were able to confirm that this fireclick.js script was indeed part of this redirection chain.

    This chain ultimately leads to the fake Flash player.

    The ostats[.]net domain is performing all sorts of redirections, as seen in this RiskIQ PassiveTotal search.

    During our tests we encountered fake surveys, Flash updates, and also a redirection to the RIG exploit kit.

    Third-party script


    Fireclick is a legitimate analytics company. If we look at the script more closely, we can see that it loads a URL from the Akamai CDN.

    In turn, this loads content from another domain snap.sitestats[.]info.

    This eventually leads to ostats[.]net.

    Some other websites have the script embedded directly into their main page, and they also are involved in this malvertising campaign.

    We are still investigating the incident and will report any updates we find on this blog. In the meantime, Malwarebytes users are protected against malicious redirections from this attack.

    Indicators of compromise


    Timestamp,Method,IP address,Domain,Role
    10/12/2017 11:58:32 AM,GET,66.61.173.64,a248.e.akamai[.]net,CDN
    10/12/2017 11:58:33 AM,POST,209.126.124.246,snap.sitestats[.]info,Stats site
    10/12/2017 11:58:34 AM,GET,209.126.124.246,snap.sitestats[.]info,Stats site
    10/12/2017 11:58:35 AM,GET,209.126.122.22,ostats[.]net,Redirector
    10/12/2017 11:58:35 AM,GET,209.126.127.34,itechnews[.]org,Malvertising
    10/12/2017 11:58:36 AM,GET,54.172.97.98,usd.quebec-lea[.]com,Malvertising
    10/12/2017 11:58:36 AM,GET,54.172.97.98,usd.zeroredirect6[.]com,Malvertising
    10/12/2017 11:58:37 AM,GET,34.194.20.115,www.temocycle[.]site,Malvertising
    10/12/2017 11:58:37 AM,GET,35.163.98.253,www.theapplicationappmy23[.]download,Fake Flash site
    10/12/2017 11:58:38 AM,GET,54.230.84.39,www.bestapps4ever161[.]download,Fake Flash site

    Fake Flash player

    24dba15691e81192b76327046f34b2a51b0b460ab058dbb411cf02407ebae57f
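
    Putting the indicators above to work, as an added example that is not part of the Malwarebytes post or this thread: a small Python script that parses the IOC lines exactly as listed, undoes the "[.]" defanging, rebuilds the redirect chain in request order, pivots on IP addresses shared by more than one indicator domain, and matches a proxy log against a blocklist built from the roles. The proxy-log line format and the sample log lines are constructed for the demo. The Akamai CDN hostname is deliberately left out of the blocklist, since a248.e.akamai.net also serves a great deal of legitimate traffic and blocking it would produce noise rather than detections.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Indicators copied from the post above (domains are defanged with "[.]").
IOC_LOG = """\
10/12/2017 11:58:32 AM,GET,66.61.173.64,a248.e.akamai[.]net,CDN
10/12/2017 11:58:33 AM,POST,209.126.124.246,snap.sitestats[.]info,Stats site
10/12/2017 11:58:34 AM,GET,209.126.124.246,snap.sitestats[.]info,Stats site
10/12/2017 11:58:35 AM,GET,209.126.122.22,ostats[.]net,Redirector
10/12/2017 11:58:35 AM,GET,209.126.127.34,itechnews[.]org,Malvertising
10/12/2017 11:58:36 AM,GET,54.172.97.98,usd.quebec-lea[.]com,Malvertising
10/12/2017 11:58:36 AM,GET,54.172.97.98,usd.zeroredirect6[.]com,Malvertising
10/12/2017 11:58:37 AM,GET,34.194.20.115,www.temocycle[.]site,Malvertising
10/12/2017 11:58:37 AM,GET,35.163.98.253,www.theapplicationappmy23[.]download,Fake Flash site
10/12/2017 11:58:38 AM,GET,54.230.84.39,www.bestapps4ever161[.]download,Fake Flash site
"""

# SHA-256 of the fake Flash installer, as published in the post.
FAKE_FLASH_SHA256 = "24dba15691e81192b76327046f34b2a51b0b460ab058dbb411cf02407ebae57f"

# Roles worth alerting on by themselves. "CDN" (Akamai) and "Stats site" are
# kept out because those hosts are shared with legitimate traffic.
ALERT_ROLES = {"Redirector", "Malvertising", "Fake Flash site"}


def refang(domain):
    """Turn a defanged indicator such as ostats[.]net back into a real hostname."""
    return domain.replace("[.]", ".")


def parse_iocs(text=IOC_LOG):
    """Parse the CSV indicator lines into dicts ordered by timestamp (the sort is
    stable, so requests within the same second keep their listed order)."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        ts, method, ip, domain, role = rec
        rows.append({
            "time": datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"),
            "method": method,
            "ip": ip,
            "domain": refang(domain),
            "role": role,
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def redirect_chain(rows):
    """Distinct hostnames in the order the victim's browser contacted them
    (consecutive requests to the same host are collapsed)."""
    chain = []
    for r in rows:
        if not chain or chain[-1] != r["domain"]:
            chain.append(r["domain"])
    return chain


def blocklist(rows):
    """Hostname -> role for the indicators an organisation would actually block."""
    return {r["domain"]: r["role"] for r in rows if r["role"] in ALERT_ROLES}


def shared_ips(rows):
    """IP addresses hosting more than one indicator domain: a pivot point for
    finding related infrastructure in passive DNS."""
    by_ip = defaultdict(set)
    for r in rows:
        by_ip[r["ip"]].add(r["domain"])
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}


def scan_proxy_log(lines, bad):
    """Match proxy log lines against the blocklist. The line format is a
    constructed one for this demo: '<time> <client_ip> <host> <path>'.
    Returns (line_no, host, role) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        host = parts[2].lower()
        if host in bad:
            hits.append((n, host, bad[host]))
    return hits


def is_known_fake_flash(sha256_hex):
    """Compare a sample's SHA-256 (hex) with the hash published in the post."""
    return sha256_hex.strip().lower() == FAKE_FLASH_SHA256


# Constructed sample proxy log: one benign request to the Equifax script, two hits.
SAMPLE_PROXY_LOG = [
    "2017-10-12T11:58:30 10.0.0.5 aa.econsumer.equifax.com /aad/uib/js/fireclick.js",
    "2017-10-12T11:58:35 10.0.0.5 ostats.net /",
    "2017-10-12T11:58:38 10.0.0.5 www.bestapps4ever161.download /",
]

if __name__ == "__main__":
    rows = parse_iocs()
    print(" -> ".join(redirect_chain(rows)))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, blocklist(rows)):
        print("ALERT line %d: %s (%s)" % hit)
    print("shared hosting:", shared_ips(rows))
```

    The IP pivot is the part worth keeping: 54.172.97.98 serves both usd.quebec-lea[.]com and usd.zeroredirect6[.]com in the list above, which is exactly the kind of overlap you would feed back into a passive DNS lookup to find the campaign's other domains before they show up in your own logs.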

    The post Equifax, TransUnion websites push fake Flash Player in malvertising campaign appeared first on Malwarebytes Labs.
