In May credit reporting service Equifax's website was breached by المهاجمين الذين خرجوا في نهاية المطاف مع أرقام الضمان الاجتماعي ، وأسماء ، وكمية هائلة من التفاصيل الأخرى for some 145.5 million US consumers. For several hours on Wednesday the site was compromised again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers.
راندي أبرامز ، محلل مستقل للأمن في اليوم ، حدث لزيارة الموقع مساء الأربعاء لخوض ما قاله بأنه معلومات زائفة وجدها للتو في تقريره الائتماني. في النهاية ، فتح متصفحه صفحة على النطاق hxxp: centerbluray.info التي بدت كما يلي:
كان مفهوما بشكل لا يصدق. كان الموقع الذي تخلى في السابق عن بيانات شخصية لكل شخص تقريبًا في الولايات المتحدة لديه تاريخ ائتماني مرة أخرى تحت سيطرة المهاجمين ، هذه المرة يحاول خداع زوار Equifax لتركيب برامج Crapware Symantec. Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.
Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screen shot he captured during one visit. He also provided the video below. It shows an Equifax page redirecting the browser to at least four domains before finally opening the Flash download at the same centerbluray.info page.
The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Security shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes flagged the centerbluray.info site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains, newcyclevaults.com
In the hour this post was being reported and written, Abrams was unable to reproduce the redirects leading to the malicious download. It's possible Equifax has cleaned up its site. It's also possible the attackers have shut down for the night and have the ability to return at will to visit still worse misfortunes on visitors. Equifax representatives didn't respond to an e-mail that included a link to the video and sought comment for this post.