Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security The Internet

Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com) 150

For several hours on Wednesday Equifax's website was compromised again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers, reports Dan Goodin at Ars Technica. From the report: Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info. He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. Update: Equifax said on Thursday it was taking one of its web pages offline as its security team looks into reports of another potential cyber breach.
This discussion has been archived. No new comments can be posted.

Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update

Comments Filter:
  • by Anonymous Coward

    It just keeps getting better!

    • Once you pop the fun don't stop! This has been one hell of a fun ride so far... but when are people going to start being held accountable for this? And if any of us have bad credit, can we just say we got Equifaxed and get credit scott-free?
    • Re:Wow (Score:5, Insightful)

      by jellomizer ( 103300 ) on Thursday October 12, 2017 @10:40AM (#55356093)

      The problems is that we have little say on the data that Equafax has on us. It is not like we went to Equafax and gave them the info, they had been collecting it for years without our direct permission.

      In short Equafax just screwed everyone, and to be joyous about this hack, even if it were to put them out of business, is like celebrating the crook going to jail, after he had burned down your home and lost everything. You are still suffering, even if justice was served.

      • Re:Wow (Score:5, Insightful)

        by TheRaven64 ( 641858 ) on Thursday October 12, 2017 @11:28AM (#55356509) Journal
        The one good thing that might happen is consumers wake up to the problems of allowing large-scale data collection and push for tighter regulations on companies that engage in this kind of behaviour.
        • Re:Wow (Score:5, Insightful)

          by jellomizer ( 103300 ) on Thursday October 12, 2017 @11:47AM (#55356673)

          The problem is IT security is so complex, that most regulations would either be ineffective: because the nature on how the hacks happen will change, overly punitive: where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business. Also it could send a wrong chilling effect, where now most companies are trying really hard to secure their systems from many different methods, to just doing what is legally stated, thus creating more problems.

          • by Anonymous Coward

            or a company would be afraid to use computers to expand their business.

            You say that like it is always a bad thing. But some things should not be so easily accessed from the internet. Maybe the data that the credit bureaus aggregate should be one of those things.

            So you now have to wait a few days before getting approval for a new line of credit, big fucking whoop.

            • Any rules on IT security will not be confined to just Credit Agencies. This will affect a local Mom and Pop shop that has an online store website setup.

          • by sjbe ( 173966 ) on Thursday October 12, 2017 @12:39PM (#55357085)

            The problem is IT security is so complex, that most regulations would either be ineffective: because the nature on how the hacks happen will change, overly punitive: where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business.

            Claiming that a problem is complex is not a valid excuse for doing the job incompetently such that it results in harm to others. If you cannot manage sensitive data safely then you either need to exit the business or step your game up. They do not get a free pass just because it's a hard problem. If the security problem is that hard that they need government indemnification then they DEFINITELY need to be regulated. Medicine is easily as if not more complex than IT security and yet doctors are held liable for malpractice and are highly regulated. I see no reason why ITprofessionals should be held to a lesser standard of care if they want to manage sensitive data like credit histories or medical records.

            Regulations don't have to specify specific technology or tactics. They just have to specify that they have to keep the data secure, what secure means, and outline punishments for failure to do so. If they cannot handle the risk then don't get into the business.

            • Re: (Score:2, Interesting)

              by Anonymous Coward

              Medicine is easily as if not more complex than IT security

              You have no idea what the nature of infosec is. The way the human body operates doesn't change weekly. There aren't dozens of damning new plagues daily that everyone has to take medicine for or they die. In IT, it's weekly patches or you are fucked. It's relearn how it works over and over and over your whole career. Penicilin still works at least some of the time. Nothing from infosec lasts a tenth as long. There is no sitting still with technology.

              And that does not even begin to tackle the largest, most ad

              • by zlives ( 2009072 )

                perhaps being an info slut and allowing access to your holes to any one who wants it is not a behavior that lends itself to disease avoidance. i for one will be just fine with equifax dying because of their malfeasance.

              • There aren't dozens of damning new plagues daily that everyone has to take medicine for or they die.

                Not sure what planet you live on but there literally are new diseases every day (ever hear of mutations?) and people do literally die from them. Every day, all around the world. Diseases like influenza and malaria are constantly mutating and overcoming even our best attempts to shield against them. And unlike you I'm not talking about a figurative death either. Literally millions of people die - literally die - every year because of new versions of diseases that our immune systems and medical technology

          • There's an easy way to avoid leaking a load of personal information when you're hacked: Don't keep a load of personal information on your servers. If regulation moved the default from 'let's keep everything, it may be useful for something eventually' to 'don't keep anything unless you can demonstrate a really strong business case that requires keeping it and outweighs the cost of insurance for the potential liability if it's leaked' then that would be a huge improvement.
        • Consumers can push all they want - the companies will shove back with effectively infinite force.
        • The one thing that is impossible in the field of IT security is the consumers waking up. Everything else is possible.

      • You can hate Equifax all you want, but you should really be also complaining about all the other companies that are giving it to them.

        If nobody freely (or with some $$$) gave them your information when you signed up for stuff, they wouldn't have a business.

      • I understand the purpose of credit reporting agencies, and I don't have a blanket hatred or dislike of them like some people. (Hey, sorry if you're irresponsible with your money all the time and don't pay your bills when due. That doesn't make the "messenger" evil when they perform the function of warning others about your financial behavior.)

        But Equifax? They've long been frustrating because of a lack of care in verifying the data they collect, and a general unwillingness to correct mistakes on credit repo

      • every time you apply for credit or a bank account you've signed something that gave Equifax the right to collect your data. Read your agreements and if you don't like it don't sign it.

        This is the philosophy of "You always have a choice". It's popular with the right wing, libertarians, corporations and the Republican party. You can try pointing out that it's not possible to find a bank or credit card that doesn't do business with Equifax and also impossible to live without either but I've found those arg
        • Hence why I said directly.
          The paperwork doesn't say Can I give this information to Equafax? Where I can check yes or no on it.

  • id10t? (Score:5, Insightful)

    by Anne Thwacks ( 531696 ) on Thursday October 12, 2017 @10:32AM (#55355991)
    A company shows a track record of failing to grasp the concept of security. Person visits said company's site, and finds malware infestation has a strong hold? Then does it again?

    Surely the definition of stupidity is when you keep on doing the same thing and expect different results?

    to make it very clear: Equifux are scum. DANGEROUS scum. Don't go there! Not now. Not ever.

    THIS MEANS YOU!

    • they're a vastly powerful company. For a lot of people if you want to do business you have to do it with Equifax. Tell them to do otherwise and you you might as well tell somebody living in the 12th century not to bother with their local guild system. We live in the world we live in and not the one we want to.
    • ew! this milk has gone bad! let me try again.. yeah, no, still bad! maybe one more time... oh, that one was chunky, gross!

    • Surely the definition of stupidity is when you keep on doing the same thing and expect different results?

      No, that's the definition of trying again. Stop repeating this fallacy. If you play basketball, and you miss a basket once, you get the ball back and shoot it, are you stupid because you are hoping for better results this time? Of course not!

  • by Ayano ( 4882157 ) on Thursday October 12, 2017 @10:32AM (#55355997)
    Is this the story that never ends?
    • We'll be hearing from Equifax for much of the next year. Unless it gets overshadowed by something bigger and more embarrassing
  • by ebrandsberg ( 75344 ) on Thursday October 12, 2017 @10:33AM (#55356003)

    This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/DNS_spoofing

    • by Dutch Gun ( 899105 ) on Thursday October 12, 2017 @10:40AM (#55356089)

      Equifax was responsible for setting up a separate website to deal with this hack. Doing so increased the likelihood of stuff like this happening (which it has, apparently *twice* now). So, even if this "wasn't Equifax", I'm still going to blame them for failing web security fundamentals.

      • For anyone who missed this, not only did they set up a brand new domain that wasn't related to their main site, they also tweeted the wrong domain name multiple times.
    • Yes, since the report is only from one person who is unable to replicate it (according to TFA) my thought is it was just as likely to be an issue with his browser or host.
    • by Walking The Walk ( 1003312 ) on Thursday October 12, 2017 @11:39AM (#55356599)

      This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/... [wikipedia.org]

      That's a possibility, but the story is subtitled "Malware researcher encounters bogus download links during multiple visits.", and one would hope a malware researcher would have considered it. The article says it could be due to an ad the site was displaying:

      It's not yet clear precisely how the Flash download page got displayed. The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that's responsible for the redirects. In that case, the breach, technically speaking, isn't on the Equifax website.

      • by Anonymous Coward
        RED FLAGS:
        - Equifax.com running non-Equifax ads?
        - Internet Explorer
        These two alone make me question the article... Posting anon since I've already modded this thread
        -Syn3rg
    • by Ichijo ( 607641 )

      Wouldn't encryption prevent the web browser from making a secure connection to a spoofed Equifax server?

      • by Anonymous Coward

        Wouldn't encryption prevent the web browser from making a secure connection to a spoofed Equifax server?

        No. The data between server and client is encrypted, but then the client has to use a DNS request, fetching data outside the encrypted channel, to determine where to go next. Even if the DNS request was encrypted, the result would still be the same if the DNS cache is poisoned.

    • Never run into this before so new to me, but centerbluray.info is being back linked to majestic.com https://www.robtex.com/dns-loo... [robtex.com]

      https://majestic.com/reports/s... [majestic.com] one time use (cookie)

  • by phalse phace ( 454635 ) on Thursday October 12, 2017 @10:33AM (#55356011)

    Can't wait until Adobe kills Flash in 2020 and everyone moves away from that piece of garbage.

    • Don't worry, we'll find another piece of garbage to infest our computers, tie up CPU cycles unnecessarily and generally annoy internet users and make webpages unsufferably bloated long before Flash's demise.

    • Damn... There goes a piece of my bread and butter. Every month I have to update Adobe Flash to the latest version. Oh, well. Since my employer is planning to switch from Win7 to Win10 in the near future, I still have job security with Microsoft.
    • by Tablizer ( 95088 )

      Can't wait until Adobe kills Flash in 2020...

      People have been predicting Flash will "end soon" for about two decades. It doesn't. It's the reverse of the Duke Nukem Forever pattern. "Unvaporware"? Or how people now ask the Moonies at the airport to define "soon".

    • by antdude ( 79039 )

      But there are always other craps. What about HTML5? :P

    • by Hentes ( 2461350 )

      That won't happen before advertisers pressure W3C to include every BS from Flash into web standards.

  • by Opportunist ( 166417 ) on Thursday October 12, 2017 @10:35AM (#55356021)

    Any private citizen who would commit a tiny, insignificant fraction of this kind of blunder would be behind bars, with his assets seized. What is so special about a company that should have been shut down weeks ago?

    And why is that CEO still at large?

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      The CEO isn't at large. He was dismissed . . . with tens of millions of dollars. Remember, in the USA, corporations are people. They have all the rights, and none of the responsibilities.

      • So... was the CEO's info also included in the breach?
        You know what would be an ironic rebalancing of the cosmos?...
      • He's not behind bars.

        Then again, maybe it's for the better. It's so hard to get a hand on those bastards when the state protects them.

        • by Anonymous Coward

          Equifax has been controversial since it was started in 1899 to serve retailers who wanted to extend credit to customers. Their existence and business practices spawned a few laws.

          It's an inherently unethical business.

          But here is some bad karma coming there way: Years ago, I was at a talk that had an Equifax exec on its panel. They have to put up with the same shit as we do (there is also Experian and Transunion that also fucks everything up). But she is able to clean stuff up internally fast for herself

          • I just hope for a sympathetic terrorist to park the next plane in the correct building this time.

            I mean, think of all the sympathy and support they could get! These terrorists are really bad at PR, I tell ya.

    • It's the Hamiltonian dream of a government of, by, and for the public corporations. Jefferson's Republic is dead, man. The mercantilism he and his compatriots fought against now rules the day. Free market capitalism has been replaced with "systemically important financial institutions" that will get bailouts courtesy of taxes excised from the middle class - the same people who got screwed over by Equifax.

  • by sinij ( 911942 ) on Thursday October 12, 2017 @10:46AM (#55356167)
    If corporations are people, it is time to jail Equifax.
    • I don't remember who said but they said, "I'll believe corporations are people when we can cut their head off."

  • What i would suggest is that the entire IT staff and C_O group repeat after me

    "Would you like me to tell you the Daily Specials?"

    "Would you like fries with that or Maybe upgrade to Our new LOADED FRIES"

  • Incompetence... (Score:5, Interesting)

    by rnturn ( 11092 ) on Thursday October 12, 2017 @10:49AM (#55356219)

    At this point you have to wonder if it isn't time to revive the idea of a corporate death penalty.

    How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors? What's Equifax's excuse going to be this time?

    • How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors?

      Businesses don't care - it is the consumers being hurt, not the businesses using Equifax's services. It would be like a local store that keeps getting broken into and robbed in the middle of the night. Would a person stop buying from them just because they're losing stuff? It doesn't effect them (assuming the data doesn't get modified). As long as they have what the person wants at a reasonable price when they want it, why should they care that the business has a loss problem?

      The most likely reason why it c

      • by HiThere ( 15173 )

        The thing is, it wouldn't affect Equifax much if the data *WAS* modified. They don't care much whether it's accurate or not.

    • A "corporate" death penalty just means the company is dissolved, and the shareholders lose money (capital). But the individuals responsible for causing the problems in the first place just dust off their resumes and go to work for other companies. It may may you feel better, but it doesn't accomplish anything. And in fact it may makes things worse because (assuming this corporation was egregiously worse than its competitors) the bad guys who caused the problem are now scattered throughout hundreds of dif
    • corporate death penalty
      I am sick of this term. It pretends that it is as controversial as killing people.

  • by Lucas123 ( 935744 ) on Thursday October 12, 2017 @10:51AM (#55356237) Homepage

    You people act as though Equifax is made of money that they can lavishly spend it on securing the highly sensitive financial data of consumers who never gave the company authority to collect and share it in the first place. Equifax only made $3.1 billion last year; they have a lot of wealthy shareholders and executives whose lifestyles depend on a high revenue to profit ratio.

    Sure, Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017 with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company, but that could happen to anyone. /s

    • by HiThere ( 15173 )

      If they they can't afford to protect the data then they have no business collecting it. They don't deserve to exist as a business.

      If they can't afford to ensure the accuracy of the data, then they should be responsible for all damages caused by it being inaccurate. And considering how difficult it is to ensure that the data about anyone is accurate, or even to know that you're being damaged, the damages should be multiplied by a few thousand. After all, they're the ones making it difficult to ensure that

    • by Cederic ( 9623 )

      Equifax only made $3.1 billion last year

      That's revenue, they made much much less in profit.

      I'm not sure it matters how much they spend on security anyway, they're failing on the basics now.

  • I'm shocked (Score:5, Interesting)

    by DontBeAMoran ( 4843879 ) on Thursday October 12, 2017 @10:57AM (#55356283)

    I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?

    • by Anonymous Coward

      I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?

      Don’t be naïve. People write viruses to infect operating systems that are on the most machines. The main reason why Linux is so secure is because viruses would be less successful in targeting them. Also, since they hold the majority of less-savvy users, it makes more sense. Of course Linux is secure. Hardly anyone writes viruses for it.

      • by HiThere ( 15173 )

        No, the main reason that Linux is more secure is that MS stripped out all the security from the OS that they emulated in order to make it run faster on a smaller, cheaper, machine.

        MSWindows as designed for a single user machine operated without any network connections. Linux was designed from the start as a multi-user OS with network connections. So security has had to be retrofitted into MSWindows.

        I understand that they've done a pretty good job, but because of their EULA I'll never really know.

    • Microsoft's market share is vast, diverse, and spread out geographically.

      No single Antivirus meets the needs of every user or business. You've got home users who need simplicity, you've got business users who need manageability, you've got gamers who need performance, and developers who need control. You've got different countries with different language needs. You've got your for cost, and your freeware. Finally you've got up starts and Open Source options. Etc. Etc.

      What is more surprising is when th
    • I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?

      Yes.

  • by Rick Schumann ( 4662797 ) on Thursday October 12, 2017 @11:12AM (#55356403) Journal
    My opinion? This is what happens when you have BEAN COUNTERS and PAPER SHUFFLERS making engineering decisions, instead of engineers and other educated, qualified personnel!

    So, what do we do now? The management at Equifax has now proven beyond any reasonable doubt that they are completely incompetent, totally incapable of being responsible for the data they collect. Who takes over? Can the government come in and take control? Or would that be worse? Who needs to be in charge at Equifax to stop the bleeding and secure their systems?

    Furthermore: The incompetence now evident should, in my opinion, be considered criminal negligence, considering how many people are affected, and by 'affected' I mean 'potentially or in fact having their lives RUINED'. Round up the management at Equifax, everyone who was responsible for the decisions that led us to this point, put them under arrest, and bring criminal indictments against them. I'd much rather prefer severed heads on poles lining Wall Street, but we don't do that sort of thing in this country so I'll settle for mandatory jail time, megafines, seizing of assets, and court orders prohibiting these idiots from ever working in the finance industry ever again -- or anywhere else that can affect the lives of hundreds of millions of people. I'm sure Walmart would just love to have them as greeters, or maybe the Jiffy Lube down the street will hire them.
    • What do we do now? Apparently, we give them no-bid contracts! http://time.com/4968558/equifax-breach-irs-contract/
      • Yes, I saw that, and all I can say about that is: Are you really surprised that the current administration would do something like that? I'm not.
    • My opinion? This is what happens when you have BEAN COUNTERS and PAPER SHUFFLERS making engineering decisions, instead of engineers and other educated, qualified personnel!

      I am an engineer and I also happen to be a certified accountant. I can assure you that engineers do not as a general proposition make better (or worse) business decisions than any other category of worker. The problem at equifax was NOT an engineering failure, nor did it happen because engineers weren't making engineering decisions. It was a failure of company culture and a lack of risk controls. The engineering flaws that were exposed were simply predictable knock-on effects of the poor business contro

      • You know what? So long as the end result is the same in this case (Equifax execs in orange jumpsuits for years to come) the details don't matter to me much. Find who is responsible for this unmitigated disaster and crucify them.
      • by HiThere ( 15173 )

        Engineers tend to make different kinds of mistake than do accountants. With engineers running the company this particular kind of mistake probably wouldn't have happened. Actually, with accountants running the company it wouldn't have either. Accountants would have paid attention when the Wall street investors were told that it was a bad investment because the staff wasn't properly trained and they had no backup plan to deal with a break in. Apparently the people running the company were confidence men,

  • ... into installing crapware Symantec calls Adware.Eorezo

    This sentence doesn't parse. Why "calls ..." after the crapware's name?

  • Eventually, his browser opened up a page on the domain hxxp//:centerbluray.info

    a) That's (almost) a URL, not a domain
    b) What's with the "hxxp"?
    c) The : is in the wrong place

  • One might argue that a "malware researcher" might already be at increased risk of having already contracted some sort of exploit that might manifest as a malicious redirect.

    Then again, where Equifax and their recent security fumbles are concerned, it's certainly within the realm of possibility that such an exploit found its way into their services. Unless there's an independent and unbiased analysis of the Equifax systems and protocols, it's unlikely we'll ever be certain.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...