Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com)
For several hours on Wednesday Equifax's website was compromised again, this time to deliver fraudulent Adobe Flash updates which, when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers, reports Dan Goodin at Ars Technica. From the report: Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info. He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. Update: Equifax said on Thursday it was taking one of its web pages offline as its security team looks into reports of another potential cyber breach.
This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/DNS_spoofing
At this point you have to wonder if it isn't time to revive the idea of a corporate death penalty.
How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors? What's Equifax's excuse going to be this time?
The CEO isn't at large. He was dismissed . . . with tens of millions of dollars. Remember, in the USA, corporations are people. They have all the rights, and none of the responsibilities.
I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?
#DeleteFacebook
My opinion? This is what happens when you have BEAN COUNTERS and PAPER SHUFFLERS making engineering decisions, instead of engineers and other educated, qualified personnel!
So, what do we do now? The management at Equifax has now proven beyond any reasonable doubt that they are completely incompetent, totally incapable of being responsible for the data they collect. Who takes over? Can the government come in and take control? Or would that be worse? Who needs to be in charge at Equifax to stop the bleeding and secure their systems?
Furthermore: The incompetence now evident should, in my opinion, be considered criminal negligence, considering how many people are affected, and by 'affected' I mean 'potentially or in fact having their lives RUINED'. Round up the management at Equifax, everyone who was responsible for the decisions that led us to this point, put them under arrest, and bring criminal indictments against them. I'd much rather prefer severed heads on poles lining Wall Street, but we don't do that sort of thing in this country so I'll settle for mandatory jail time, megafines, seizing of assets, and court orders prohibiting these idiots from ever working in the finance industry ever again -- or anywhere else that can affect the lives of hundreds of millions of people. I'm sure Walmart would just love to have them as greeters, or maybe the Jiffy Lube down the street will hire them.
Medicine is easily as complex as, if not more complex than, IT security.
You have no idea what the nature of infosec is. The way the human body operates doesn't change weekly. There aren't dozens of damning new plagues daily that everyone has to take medicine for or they die. In IT, it's weekly patches or you are fucked. It's relearn how it works over and over and over your whole career. Penicillin still works at least some of the time. Nothing from infosec lasts a tenth as long. There is no sitting still with technology.
And that does not even begin to tackle the largest, most advanced technological wonder the world has ever seen with more endpoints than the human brain each with more connections than the human brain: the internet.