Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com)

Posted by msmash on from the fool-me-once dept.

For several hours on Wednesday Equifax's website was compromised again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers, reports Dan Goodin at Ars Technica. From the report: Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info. He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. Update: Equifax said on Thursday it was taking one of its web pages offline as its security team looks into reports of another potential cyber breach.

8 of 150 comments (clear)

  1. id10t? by Anne+Thwacks · · Score: 4, Insightful
    A company shows a track record of failing to grasp the concept of security. Person visits said company's site, and finds malware infestation has a strong hold? Then does it again?

    Surely the definition of stupidity is when you keep on doing the same thing and expect different results?

    to make it very clear: Equifux are scum. DANGEROUS scum. Don't go there! Not now. Not ever.

    THIS MEANS YOU!

    --
    Sent from my ASR33 using ASCII
  2. 2020 can't get here soon enough by phalse+phace · · Score: 4, Insightful

    Can't wait until Adobe kills Flash in 2020 and everyone moves away from that piece of garbage.

  3. Why is this even possible? by Opportunist · · Score: 4, Insightful

    Any private citizen who would commit a tiny, insignificant fraction of this kind of blunder would be behind bars, with his assets seized. What is so special about a company that should have been shut down weeks ago?

    And why is that CEO still at large?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Wow by jellomizer · · Score: 5, Insightful

    The problems is that we have little say on the data that Equafax has on us. It is not like we went to Equafax and gave them the info, they had been collecting it for years without our direct permission.

    In short Equafax just screwed everyone, and to be joyous about this hack, even if it were to put them out of business, is like celebrating the crook going to jail, after he had burned down your home and lost everything. You are still suffering, even if justice was served.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. If corporations are people... by sinij · · Score: 3, Insightful

    If corporations are people, it is time to jail Equifax.

  6. Re:Wow by TheRaven64 · · Score: 4, Insightful

    The one good thing that might happen is consumers wake up to the problems of allowing large-scale data collection and push for tighter regulations on companies that engage in this kind of behaviour.

    --
    I am TheRaven on Soylent News
  7. Re:Wow by jellomizer · · Score: 4, Insightful

    The problem is IT security is so complex, that most regulations would either be ineffective: because the nature on how the hacks happen will change, overly punitive: where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business. Also it could send a wrong chilling effect, where now most companies are trying really hard to secure their systems from many different methods, to just doing what is legally stated, thus creating more problems.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  8. Incompetence is not a valid excuse by sjbe · · Score: 5, Insightful

    The problem is IT security is so complex, that most regulations would either be ineffective: because the nature on how the hacks happen will change, overly punitive: where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business.

    Claiming that a problem is complex is not a valid excuse for doing the job incompetently such that it results in harm to others. If you cannot manage sensitive data safely then you either need to exit the business or step your game up. They do not get a free pass just because it's a hard problem. If the security problem is that hard that they need government indemnification then they DEFINITELY need to be regulated. Medicine is easily as if not more complex than IT security and yet doctors are held liable for malpractice and are highly regulated. I see no reason why ITprofessionals should be held to a lesser standard of care if they want to manage sensitive data like credit histories or medical records.

    Regulations don't have to specify specific technology or tactics. They just have to specify that they have to keep the data secure, what secure means, and outline punishments for failure to do so. If they cannot handle the risk then don't get into the business.