Slashdot Mirror


Not Just Equifax. Rival Site Transunion Served Malware Too -- and 1,000 More Sites (arstechnica.com)

An anonymous reader quotes Ars Technica: Equifax isn't the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, [was] also sending visitors to the fraudulent updates and other types of malicious pages... Malwarebytes security researcher Jerome Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins... "This is not something users want to have," Segura told Ars...

Equifax on Thursday was quick to say that its systems were never compromised in the attacks. TransUnion said much the same thing. This is an important distinction in some respects because it means that the redirections weren't the result of attackers having access to restricted parts of either company's networks. At the same time, the incidents show that visitors to both sites remain much more vulnerable to malicious content than they should be.

Both sites hosted fireclick.js, an old script from a small web analytics company which pulls pages from sites like Akamai, SiteStats.info, and Ostats.net. "It appears that attackers have compromised the third-party library," writes BankInfoSecurity, adding that Malwarebytes estimates over 1,000 more sites are using the same library.

4 of 68 comments

  1. Have incompetent security, get hacked by gweihir · Score: 3, Insightful

    Nothing surprising here. And unless these people get limited in their greed and stupidity by really unpleasant and, most important, personal consequences for the CEO when that happens, nothing will change. No, I am not talking about firing them. I am talking about them paying for the damage and, depending on how extreme their failure is, prison time.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Re:It's not Equifix or TransUnion by Scutter · Score: 5, Insightful

    If it's your website, you are responsible for the ad content you serve on it. This ridiculous "pass the buck" ecosystem that we've allowed to be created is the problem. End users who get infected by a bad site are told "Oh, gee, well I guess you should just use an antivirus. Also, pretty please turn off your ad blocker so we can make a little money to keep the site running for you?". The end user has no way of knowing who the ad network is, nor do they have any way to hold that network responsible.

    No, this is ABSOLUTELY Equifax and Transunion's fault. THEY are serving bad ads on their site. THEY are the ones who contracted with companies with terrible security. THEY are the ones inserting that bad security into their web site. THEY are responsible for any breaches as a result of that negligence. It's time to stop allowing these sites to keep getting away with this behavior over and over.

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  3. Re:It's not Equifix or TransUnion - YES IT IS by Fly+Swatter · Score: 3, Insightful

    Companies whose job is to secure the data of an entire nation should have an extreme case of NIH Syndrome. Sadly now it's all copy-paste third party junk that no one can really trust.

  4. When will these IDIOTS learn by chromaexcursion · Score: 4, Insightful

    If you need to have a secure site you can't use cross links.
    Anything financial needs to have a secure site.
    These "business" decisions are penny wise, pound foolish.
    How many more CEOs have to resign in disgrace for the idiots to catch on?