Equifax isn’t the only credit reporting behemoth with a website directing visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said that transunioncentroamerica.com, a TransUnion site serving people in Central America, is also sending visitors to fraudulent updates and other such malicious pages.
As Ars reported Wednesday night, a section of Equifax’s website was directing visitors to a page that delivered fraudulent Adobe Flash updates. When clicked, the files infect visitors’ computers with adware that is only detected by three of the 65 antivirus providers. On Wednesday afternoon, Equifax officials said that the bug was the result of a third-party service that Equifax uses to collect website service data and that “vendor code running on Equifax’s website is running malicious content.” Equifax initially shut down the affected portion of its site, but the company has reinstated it after removing malicious content.
Now, Malwarebytes security researcher Jérôme Segura says he was able to reproduce a similar chain of fraudulent redirects over and over again when pointing his browser to the site transunioncentroamerica.com. In some cases, the last link in the chain will push a fake Flash update. In other cases, it delivers malicious software that tries to infect computers with unpatched browsers or browser add-ons. The attack chain is active at the time this post goes live. Segura published this blog post Shortly after this article went live on Ars.
“This is not something users want to have,” Segura told Ars.
Three hours after this post went live, a TransUnion spokesperson sent an email saying: “TransUnion is aware that our Central American website is temporarily directing users to download malicious software. The issue has been fixed and we are checking our other websites. TransUnion has not identified any unauthorized access to its systems as a result of this issue. “
A common thread running through the affected Equifax and TransUnion pages is that both hosted fireclick.js, a JavaScript file that appears to invoke a service that runs malicious content. When called, fireclick.js pulls content from a long list of pages, starting with those hosted by akamai.com, sitestats.com, and ostats.net. Depending on the visitors’ IP address, browsers eventually wind up visiting pages that contain a fake survey, a fake Flash update, or malicious software.
Segura believes ostats.net is a link in the chain where things changed, but he has yet to confirm that. The full chain in one transunioncentroamerica.com redirect looks like this:
Jérôme Segura
Ostats.net also plays a role in the redirects that occur on the affected Equifax website. A video taken by independent security analyst Randy Abrams shows that it is being sent to various malicious sites that eventually lead to the adware.
Efforts to reach the people who owned the site were not immediately successful. Ars emailed a spokesperson at TransUnion to report Segura’s discovery. Until TransUnion has time to respond, people should be wary of the company’s many web properties, especially one operating in Central America.
Equifax on Thursday was quick to say that its systems were not harmed in the attacks. TransUnion said much the same thing. This is a significant difference in some ways because it means that the leads are not the result of attacks in accessing restricted parts of either company networks. At the same time, events show that visitors to both sites are more vulnerable to malicious content than they should be. What’s more, infected visitors are unlikely to take much comfort in that information, either.
Updated to add comment from TransUnion.