One of many dangerous pages delivered after researcher Jérôme Segura visited transunioncentroamerica.com

Equifax is not the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, is also sending visitors to the fraudulent updates and other kinds of malicious pages.

As Ars reported late Wednesday night, a portion of Equifax’s website was redirecting visitors to a page that was delivering fraudulent Adobe Flash updates. When clicked, the fake updates infected visitors’ computers with adware that was detected by only three of 65 antivirus providers. On Thursday afternoon, Equifax officials said the mishap was the result of a third-party service Equifax was using to collect website-performance data and that the “vendor’s code running on an Equifax website was serving malicious content.” Equifax initially shut down the affected portion of its site, but the company has since restored it after removing the malicious content.

Now, Malwarebytes security researcher Jérôme Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins. The attack chain remained active at the time this post was going live. Segura published this blog post shortly after this article went live on Ars.

“This is not something users want to have,” Segura told Ars.

The common thread tying the affected Equifax and TransUnion pages is that both hosted fireclick.js, a JavaScript file that appears to invoke the service serving the malicious content. When called, fireclick.js pulls content from a long chain of pages, starting with those hosted by akamai.com, sitestats.com, and ostats.web. Depending on the visitors’ IP address, browsers ultimately wind up visiting pages that push a fake survey, a fake Flash update, or an exploit kit.
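For defenders who want to trace a chain like this in their own web-proxy logs, the following added example (not code from this article or from Segura) rebuilds a redirect chain from Referer headers and reports the hop where it first leaves the hosts a site owner has reviewed. The log records, URL paths, `*.example` hosts and the allowlist are constructed assumptions; only the site and the three host names come from the article.

```python
from urllib.parse import urlsplit

SITE = "www.transunioncentroamerica.com"
# Constructed records: (request URL, Referer). Paths and *.example hosts are placeholders.
LOG = [
    (f"https://{SITE}/", ""),
    (f"https://{SITE}/style.css", f"https://{SITE}/"),
    (f"https://{SITE}/fireclick.js", f"https://{SITE}/"),
    ("https://akamai.com/a", f"https://{SITE}/"),
    ("https://sitestats.com/b", "https://akamai.com/a"),
    ("https://ostats.web/c", "https://sitestats.com/b"),
    ("https://redirect.example/d", "https://ostats.web/c"),
    ("https://landing.example/update", "https://redirect.example/d"),
]
# Hypothetical allowlist: hosts the site owner has reviewed and knowingly loads.
APPROVED = {"transunioncentroamerica.com", "akamai.com", "sitestats.com", "ostats.web"}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_approved(host, approved=APPROVED):
    # Match the domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in approved)

def build_chain(log, final_url):
    """Walk Referer links backwards from final_url to the page that started the chain."""
    referer = {url: ref for url, ref in log}
    chain, seen, url = [], set(), final_url
    while url and url in referer and url not in seen:  # stop on gaps or loops
        seen.add(url)
        chain.append(url)
        url = referer[url]
    return chain[::-1]

def first_unapproved(chain, approved=APPROVED):
    """Return (previous hop, offending hop) where the chain first leaves the allowlist."""
    for prev, cur in zip(chain, chain[1:]):
        if not is_approved(host_of(cur), approved):
            return prev, cur
    return None

if __name__ == "__main__":
    chain = build_chain(LOG, "https://landing.example/update")
    print(" -> ".join(host_of(u) for u in chain))
    print("leaves allowlist at:", first_unapproved(chain))
```

The hop reported is only where the chain leaves the reviewed set; which upstream host initiated the redirect still has to be confirmed from the responses themselves.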

Segura believes ostats.web is the link in the chain where things turn bad, but he has yet to confirm that. The full chain in one transunioncentroamerica.com redirect looked like this:

[Image: redirect chain. Credit: Jérôme Segura]

The following GIF image captures the redirection sequence in action:

[GIF: redirection sequence. Credit: Jérôme Segura]

Ostats.web also played a role in the redirects that occurred on the affected Equifax Web page. A video taken by independent security analyst Randy Abrams showed it sending him to a series of malicious sites that ultimately led to the adware lure.

Attempts to reach the people who own the domain weren’t immediately successful. Ars e-mailed a spokesman at TransUnion to notify him of Segura’s finding. Until TransUnion has time to respond, people should remain wary of the company’s various Web properties, particularly the one serving Central America.

Equifax on Thursday was quick to say that its systems were never compromised in the attacks. Don’t be surprised if TransUnion says much the same thing. This is an important distinction in some respects because it means that the redirections weren’t the result of attackers having access to restricted parts of either company’s networks. At the same time, the incidents show that visitors to both sites remain much more vulnerable to malicious content than they should be. What’s more, infected visitors aren’t likely to take much comfort in that explanation, either.