Two of the “Big Three” U.S. credit reporting agencies, Equifax and TransUnion, were hit by a cybersecurity incident caused by the use of a third-party web analytics script.
Independent security analyst Randy Abrams noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to a website set up to serve adware disguised as a Flash Player installer.
While initially it appeared that Equifax’s website had been hacked, the company’s investigation revealed that the malicious redirects occurred due to a third-party vendor’s script.
“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” Equifax stated.
The redirection chain, often seen in malvertising attacks, results in users being taken to a scammy or malicious website, depending on their geographical location and the type of device they use to access the affected webpage.
Researchers at Malwarebytes have analyzed the incident and determined that the redirection occurs due to a web analytics script associated with Fireclick, a now-defunct platform formerly operated by Digital River. A search for the script involved in the attack (fireclick.js) revealed that it had also been used on the Central America website of TransUnion, whose customers were also redirected to shady sites.
Both Equifax and TransUnion have removed the problematic script from their websites. Equifax took the affected service offline and had not restored it at the time of writing.
“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” an Equifax spokesperson explained.
In addition to adware, Malwarebytes said the redirection chain also took users to fake surveys and even the RIG exploit kit, which is typically leveraged to deliver ransomware and other malware. The security firm found the same Fireclick script on several other websites as well.
“Anyone using the Fireclick library may have been affected, and the attackers may not even know that they compromised Equifax. A more targeted attack could have used the netflame.cc code to access victim’s data from the Equifax page, submit false data on behalf of the victim, or deface the Equifax page. The attack could have been made invisible to the victim and could have been much more difficult to detect,” Williams added.
Some Hacker News users noticed that the netflame.cc domain was owned by Digital River until November 2016, when the registration information changed to show that the new owner was an individual from Thailand.
“In July 2016, Digital River fully decommissioned the Fireclick platform, which rendered the application inoperable. As part of our decommissioning Fireclick, we no longer had a business use for the netflame.cc domain and released it back to the domain name marketplace in October 2016, which is a common practice in the industry,” Digital River told SecurityWeek. “At that point, the domain name was available for anyone to purchase. As such, Digital River’s connection to Fireclick and this domain name ended before this Equifax event.”
*Updated with clarifications and statement from Digital River