Slashdot Mirror


Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com)

For several hours on Wednesday Equifax's website was compromised again, this time to deliver fraudulent Adobe Flash updates, which, when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers, reports Dan Goodin at Ars Technica. From the report: Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info. He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. Update: Equifax said on Thursday it was taking one of its web pages offline as its security team looks into reports of another potential cyber breach.

28 of 150 comments

  1. id10t? by Anne Thwacks · Score: 4, Insightful

    A company shows a track record of failing to grasp the concept of security. Person visits said company's site, and finds malware infestation has a strong hold? Then does it again?

    Surely the definition of stupidity is when you keep on doing the same thing and expect different results?

    to make it very clear: Equifux are scum. DANGEROUS scum. Don't go there! Not now. Not ever.

    THIS MEANS YOU!

    --
    Sent from my ASR33 using ASCII
  2. But wait, there's more! by Ayano · Score: 3, Funny

    Is this the story that never ends?

    --
    I don't read AC
  3. This may not have been Equifax by ebrandsberg · Score: 4, Interesting

    This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/DNS_spoofing

    1. Re:This may not have been Equifax by Dutch Gun · Score: 4, Interesting

      Equifax was responsible for setting up a separate website to deal with this hack. Doing so increased the likelihood of stuff like this happening (which it has, apparently *twice* now). So, even if this "wasn't Equifax", I'm still going to blame them for failing web security fundamentals.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:This may not have been Equifax by jbmartin6 · Score: 2

      Yes, since the report is only from one person who is unable to replicate it (according to TFA) my thought is it was just as likely to be an issue with his browser or host.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:This may not have been Equifax by TheRaven64 · Score: 2

      For anyone who missed this, not only did they set up a brand new domain that wasn't related to their main site, they also tweeted the wrong domain name multiple times.

      --
      I am TheRaven on Soylent News
    4. Re:This may not have been Equifax by Walking The Walk · Score: 3, Informative

      This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/...

      That's a possibility, but the story is subtitled "Malware researcher encounters bogus download links during multiple visits.", and one would hope a malware researcher would have considered it. The article says it could be due to an ad the site was displaying:

      It's not yet clear precisely how the Flash download page got displayed. The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that's responsible for the redirects. In that case, the breach, technically speaking, isn't on the Equifax website.

      --
      A recursive sig
      Can impart wisdom and truth
      Call proc signature()
  4. 2020 can't get here soon enough by phalse phace · Score: 4, Insightful

    Can't wait until Adobe kills Flash in 2020 and everyone moves away from that piece of garbage.

  5. Why is this even possible? by Opportunist · Score: 4, Insightful

    Any private citizen who would commit a tiny, insignificant fraction of this kind of blunder would be behind bars, with his assets seized. What is so special about a company that should have been shut down weeks ago?

    And why is that CEO still at large?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Why is this even possible? by Anonymous Coward · Score: 2, Interesting

      The CEO isn't at large. He was dismissed . . . with tens of millions of dollars. Remember, in the USA, corporations are people. They have all the rights, and none of the responsibilities.

  6. Re:Wow by wardrich86 · Score: 2

    Once you pop the fun don't stop! This has been one hell of a fun ride so far... but when are people going to start being held accountable for this? And if any of us have bad credit, can we just say we got Equifaxed and get credit scot-free?

  7. Re:Wow by jellomizer · Score: 5, Insightful

    The problem is that we have little say on the data that Equifax has on us. It is not like we went to Equifax and gave them the info; they had been collecting it for years without our direct permission.

    In short, Equifax just screwed everyone, and to be joyous about this hack, even if it were to put them out of business, is like celebrating the crook going to jail after he had burned down your home and lost everything. You are still suffering, even if justice was served.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  8. If corporations are people... by sinij · Score: 3, Insightful

    If corporations are people, it is time to jail Equifax.

  9. Incompetence... by rnturn · Score: 4, Interesting

    At this point you have to wonder if it isn't time to revive the idea of a corporate death penalty.

    How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors? What's Equifax's excuse going to be this time?

    --
    CUR ALLOC 20195.....5804M
  10. Stop being so judgemental by Lucas123 · Score: 4, Funny

    You people act as though Equifax is made of money that they can lavishly spend it on securing the highly sensitive financial data of consumers who never gave the company authority to collect and share it in the first place. Equifax only made $3.1 billion last year; they have a lot of wealthy shareholders and executives whose lifestyles depend on a high revenue to profit ratio.

    Sure, Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017 with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company, but that could happen to anyone. /s

  11. I'm shocked by DontBeAMoran · Score: 4, Interesting

    I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?

    --
    #DeleteFacebook
    1. Re:I'm shocked by drew_kime · Score: 2

      I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?

      Yes.

      --
      Nope, no sig
  12. Completely and totally INCOMPETENT! by Rick Schumann · Score: 3, Interesting

    My opinion? This is what happens when you have BEAN COUNTERS and PAPER SHUFFLERS making engineering decisions, instead of engineers and other educated, qualified personnel!

    So, what do we do now? The management at Equifax has now proven beyond any reasonable doubt that they are completely incompetent, totally incapable of being responsible for the data they collect. Who takes over? Can the government come in and take control? Or would that be worse? Who needs to be in charge at Equifax to stop the bleeding and secure their systems?

    Furthermore: The incompetence now evident should, in my opinion, be considered criminal negligence, considering how many people are affected, and by 'affected' I mean 'potentially or in fact having their lives RUINED'. Round up the management at Equifax, everyone who was responsible for the decisions that led us to this point, put them under arrest, and bring criminal indictments against them. I'd much rather prefer severed heads on poles lining Wall Street, but we don't do that sort of thing in this country so I'll settle for mandatory jail time, megafines, seizing of assets, and court orders prohibiting these idiots from ever working in the finance industry ever again -- or anywhere else that can affect the lives of hundreds of millions of people. I'm sure Walmart would just love to have them as greeters, or maybe the Jiffy Lube down the street will hire them.

  13. Re:Wow by TheRaven64 · Score: 4, Insightful

    The one good thing that might happen is consumers wake up to the problems of allowing large-scale data collection and push for tighter regulations on companies that engage in this kind of behaviour.

    --
    I am TheRaven on Soylent News
  14. Re:What technologies are involved? Java? Linux? by TheRaven64 · Score: 2

    It doesn't sound like it mattered what the OS was - there wasn't an OS-level compromise (and there didn't need to be, because they did no compartmentalisation of their entire system, so once you'd compromised the web server you had complete control over all of the data).

    --
    I am TheRaven on Soylent News
  15. Re:Wow by jellomizer · Score: 4, Insightful

    The problem is that IT security is so complex that most regulations would either be ineffective, because the nature of how the hacks happen will change, or overly punitive, where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business. Also, it could send a wrong chilling effect, where most companies now trying really hard to secure their systems from many different methods switch to just doing what is legally stated, thus creating more problems.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  16. Re:It keeps giving by i286NiNJA · Score: 2

    Trump did nothing wrong. When he gets us to the moon for real you'll eat your words.

  17. Re:Wow by OverlordQ · Score: 2

    You can hate Equifax all you want, but you should really be also complaining about all the other companies that are giving it to them.

    If nobody freely (or with some $$$) gave them your information when you signed up for stuff, they wouldn't have a business.

    --
    Your hair look like poop, Bob! - Wanker.
  18. Exactly .... by King_TJ · Score: 2

    I understand the purpose of credit reporting agencies, and I don't have a blanket hatred or dislike of them like some people. (Hey, sorry if you're irresponsible with your money all the time and don't pay your bills when due. That doesn't make the "messenger" evil when they perform the function of warning others about your financial behavior.)

    But Equifax? They've long been frustrating because of a lack of care in verifying the data they collect, and a general unwillingness to correct mistakes on credit reports. Inability to secure all of this sensitive information they've collected is icing on that cake.

    Look at some of the nonsense they partake in, such as giving you "ONE free look at your credit report per year". That's YOUR info they've collected and make money off of, and they don't even want to show YOU what they've got unless you pay like everybody else? As far as I'm concerned, I should be able to create an account with these people where I can log in and see my credit report ANY time, as well as submit online requests for changes whenever I see something wrong or questionable. I know Equifax and one of their competitors had wrong information about the history of addresses I lived at previously, and neglected to fix it, even after multiple requests. (It seems they don't consider that part of the content of a credit report that could potentially hurt your credit score, so it's not a priority to correct.) If it's worth keeping track of though, it's worth keeping track of correctly, IMO. Don't lie to everyone pulling my report, giving a bogus street address I supposedly resided at (which was obviously due to a typo somebody made at some point, since the street is fairly similar to the name of one I actually DID live at previously).

  19. Incompetence is not a valid excuse by sjbe · Score: 5, Insightful

    The problem is that IT security is so complex that most regulations would either be ineffective, because the nature of how the hacks happen will change, or overly punitive, where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business.

    Claiming that a problem is complex is not a valid excuse for doing the job incompetently such that it results in harm to others. If you cannot manage sensitive data safely then you either need to exit the business or step your game up. They do not get a free pass just because it's a hard problem. If the security problem is that hard that they need government indemnification then they DEFINITELY need to be regulated. Medicine is easily as if not more complex than IT security and yet doctors are held liable for malpractice and are highly regulated. I see no reason why IT professionals should be held to a lesser standard of care if they want to manage sensitive data like credit histories or medical records.

    Regulations don't have to specify specific technology or tactics. They just have to specify that they have to keep the data secure, what secure means, and outline punishments for failure to do so. If they cannot handle the risk then don't get into the business.

    1. Re:Incompetence is not a valid excuse by Anonymous Coward · Score: 2, Interesting

      Medicine is easily as if not more complex than IT security

      You have no idea what the nature of infosec is. The way the human body operates doesn't change weekly. There aren't dozens of damning new plagues daily that everyone has to take medicine for or they die. In IT, it's weekly patches or you are fucked. It's relearn how it works over and over and over your whole career. Penicillin still works at least some of the time. Nothing from infosec lasts a tenth as long. There is no sitting still with technology.

      And that does not even begin to tackle the largest, most advanced technological wonder the world has ever seen with more endpoints than the human brain each with more connections than the human brain: the internet.

  20. You've got plenty of say by rsilvergun · Score: 2

    Every time you apply for credit or a bank account you've signed something that gave Equifax the right to collect your data. Read your agreements and if you don't like it don't sign it.

    This is the philosophy of "You always have a choice". It's popular with the right wing, libertarians, corporations and the Republican party. You can try pointing out that it's not possible to find a bank or credit card that doesn't do business with Equifax and also impossible to live without either but I've found those arguments fall on deaf ears. If pressed I've had some of the "You always have a choice" crowd come out in favor of slavery. I really don't have an answer to that.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  21. Lots of folks don't have a choice by rsilvergun · Score: 2

    They're a vastly powerful company. For a lot of people, if you want to do business you have to do it with Equifax. Tell them to do otherwise and you might as well tell somebody living in the 12th century not to bother with their local guild system. We live in the world we live in and not the one we want to.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/