Randy Abrams

In Could credit score reporting service Equifax’s website was breached by attackers who eventually made off with social security numbers, names, and a dizzying amount of other details for some 145.5 million US shoppers. For a number of hours on Wednesday the location was compromised once more, this time to ship fraudulent Adobe Flash updates, which when clicked, contaminated guests’ computer systems with adware that was detected by solely three of 65 antivirus suppliers.

Randy Abrams, an impartial safety analyst by day, occurred to go to the location Wednesday night to contest what he mentioned was false data he had simply discovered on his credit score report. Ultimately, his browser opened up a web page on the area hxxp:centerbluray.data that seemed like this:

Randy Abrams

He was understandably incredulous. The location that beforehand gave up private knowledge for just about each US particular person with a credit score historical past was as soon as once more below the management of attackers, this time making an attempt to trick Equifax guests into putting in crapware Symantec calls Adware.Eorezo. Figuring out a factor or two about drive-by campaigns, Abrams figured the possibilities had been slim he’d see the obtain on follow-on visits. To fly below the radar, attackers steadily serve the downloads to solely a choose variety of guests, after which solely as soon as.

Abrams tried anyway, and to his amazement, he encountered the bogus Flash obtain hyperlinks on at the very least three subsequent visits. The image above this put up is the higher-resolution display shot he captured throughout one go to. He additionally supplied the video beneath. It exhibits an Equifax web page redirecting the browser to at the very least 4 domains earlier than lastly opening the Flash obtain on the identical centerbluray.data web page.

Equifax Flash Obtain

The file that obtained delivered when Abrams clicked by way of is known as MediaDownloaderIron.exe. This VirusTotal entry exhibits solely Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Safety exhibits the code is very obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes flagged the centerbluray.info site as one that pushes malware, whereas each Eset and Avira supplied comparable malware warnings for one of many intermediate domains, newcyclevaults.com

Randy Abrams

Within the hour this put up was being reported and written, Abrams was unable to reproduce the redirects main to the malicious obtain. It is doable Equifax has cleaned up its web site. It is also doable the attackers have shut down for the evening and have the flexibility to return at will to go to nonetheless worse misfortunes on guests. Equifax representatives did not reply to an e-mail that included a hyperlink to the video and sought remark for this put up.