
Equifax website hacked again, this time to redirect to fake Flash update - Larrikin
https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/
======
g051051
Equifax was loading this script:
[https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js](https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js)

This script, from Fireclick Web Analytics, then loaded a script via Akamai CDN
that was hosted for a Fireclick domain, netflame.cc:
a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/script/www.annualcreditreport.com

So this package was not coming from Equifax, but was being injected by a
compromised analytics provider.

~~~
politician
That's exactly the threat that Monday's post about Circle CI was about!
Literally 3 days to a concrete example!

~~~
bkovacev
Could you please give me a link to that? Are users in danger of a possible
hack?

~~~
lstamour
[https://news.ycombinator.com/item?id=15442636](https://news.ycombinator.com/item?id=15442636)
- No more a danger than on most sites, it's just something to consider

~~~
wlesieutre
The difference pointed out in the headline being that when NYT, Amazon,
Wikipedia, etc, have compromised scripts they can serve fake flash updates. If
CircleCI has them they can compromise my source code and API keys.

The vulnerability might be the same, but the danger to users is not.

Excerpt for reference:

_This is a problem because the CircleCI browser context has full access to
the CircleCI API, which is hosted on the same domain, so all eight of those
companies' scripts can make requests to CircleCI API endpoints. Furthermore
CircleCI customers frequently either include credentials in source code or as
environment variables in CircleCI. Set these, and you are trusting that
CircleCI won't get compromised, or at least, your application is at most as
secure as CircleCI is._

------
noinput
Maybe now they'll add the Hacker Safe badge to their site so this never
happens again.

------
hacker_9
I assume this must be because after the initial hack, every kid with a script
pointed it at Equifax to see what they could get too. I would not want to be
in the IT department at that company right now.

~~~
mrguyorama
If the average script kiddie can meaningfully compromise your infrastructure,
aren't you already screwed? Pretty much every automated attack possible is
launched at every internet addressable server on a daily basis. I ran a web
server for a couple years with nothing on it but nearly empty personal sites
and files, and over 50% of its hits were automated scans and attacks.

------
warent
This isn't fair and they need to slow down; I want my small claims lawsuit to
pay off before they put themselves out of business.

~~~
0xfeba
Yeah, good luck showing damages. You basically have to wait until your
identity is used for fraud, and then probably tie it specifically to the
breach.

------
rlvesco7
Noticed this on Monday. After registering for fraud alert, they send an email
that has a link to [http://www.equifax.com/fcra](http://www.equifax.com/fcra)
for free credit report. This was getting hijacked. But not if you used
[https://](https://)

~~~
Matt3o12_
Why would they send you to http at all if they already have https? This just
seems like complete incompetence. It’s not like they have an excuse like their
ad networks don’t work with https.

~~~
BearGoesChirp
I know of companies with typos in their links that they email. These typos
lead to scam sites. I've contacted them and they haven't yet fixed it. There
needs to be a serious re-evaluation of the costs associated with failing such
basic security measures like using https and just making sure you send people
the correct link. Right now it isn't even a slap on the wrist.

~~~
tonyztan
If the site supports HTTPS, they should just preload HSTS to avoid future
problems with HTTP.

------
eltoozero
Part of me says "wow, what blatant incompetence", but the part of me that does
IT consulting is not surprised.

------
gaius
I am not generally a fan of heavy handed regulations but the government needs
to step in and shut Equifax down _right now_. Literally pull the plug on
everything they own.

~~~
theyregreat
Updating James Madison:

_If everyone were honest, neither greedy nor malicious, did pay attention,
were competent, including securing their apps, and didn't have either fires,
floods or roads, no regulation or government would be necessary._

~~~
eradicatethots
I think we should still strive to move towards being that way. Greed and
maliciousness breed greed and maliciousness and it'd be good to root them out
wherever we can.

~~~
ngold
In the absence of civil institutions regulated by the people, regulation does
not disappear. The mantle is picked up by corporations. It's our choice.

------
sdshx
It seems to be a random occurrence, I was able to trigger a pull of the
infected page with the full request records:

[https://tools.pingdom.com/#!/dWEfQI/http://www.equifax.com/f...](https://tools.pingdom.com/#!/dWEfQI/http://www.equifax.com/fcra)

Interestingly, I ran into a similar issue with Yahoo earlier this week serving
almost identical advertisements so this may be more widespread.

------
DarronWyke
I used to work for Experian (I know, not Equifax, but it's an equivalent
company).

None of this surprises me. These companies will do _anything_ they can to
protect and maintain revenue streams. This includes avoiding security.

------
poorman
Nothing surprises me these days.
[http://www.snopes.com/2017/10/05/equifax-contract-irs/](http://www.snopes.com/2017/10/05/equifax-contract-irs/)

------
pbadenski
Makes me think. Can I ask my bank to stop sharing my data with Equifax? Would
they honour the request? Anyone working for a bank, what do you think?

~~~
jon-wood
At least in the UK it's a legal requirement for banks to share details with
credit rating agencies, so no, they couldn't if they wanted to.

~~~
rahimnathwani
I don't believe that's true. (If it were, I could set up a credit rating
agency, have all the banks share details with it, and then have free credit
reports for my own (hypothetical) consumer lending business, rather than
paying a pound or two for each pull.)

Care to cite the specific law? I'd be very interested in knowing, if such a
law exists.

~~~
mattmanser
Oh, you think it's a fair playing field?

If you're not old chums with the right person in government, you won't be
classified as a credit rating agency.

~~~
noxToken
I assume that there _has_ to be a legal definition that outlines what will
qualify a business as a credit rating agency. The requirements are probably
cumbersome, but something must be written down somewhere to objectively define
the requirements.

~~~
philipov
What counts as objective is determined subjectively by people with vested
interests.

~~~
noxToken
As soon as I clicked reply, that thought immediately jumped into my head.

------
davidcollantes
Does Randy Abrams have a website? Does anyone know anything else about the
source?

EDIT: Found it: [http://randy-abrams.blogspot.com](http://randy-abrams.blogspot.com)

------
yellowapple
So which IT employee is going to be thrown under the bus _this_ time?

------
MrGhrelin
These people need to spend some money and get some good IT staff. The people
at the top are getting all the cream, while the people that actually keep
things going need an upgrade.

------
tonyztan
Equifax (and other sites that should care about security) should use
Subresource Integrity, which prevents resources from being hijacked.

[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)

------
erlendr
CSP.

------
LP550
,

------
jonssons
what. again?

------
HHalvi
What's their excuse this time? A single worker brought in a cat that bit our
entire server facility's power supply? Or some random guy who handled
credentials was picked up by aliens.

~~~
pilsetnieks
You know how "admin:admin" aren't very good credentials for a supposedly
secure production system dealing with sensitive information? Well, turns out,
neither is "admin123"

~~~
ecshafer
Issue closed. Credentials updated to admin123! For increased security.

~~~
mercer
Can we keep this noise on Reddit?

------
need2sleep
Since when is it ok to publish this without a single shred of evidence to
support the dude's claims?

Laughable to say the least.

Dude probably got owned locally.

~~~
tyingq
Just tried [http://www.equifax.com/fcra](http://www.equifax.com/fcra)
myself...it redirects to obviously shady sites, right now.

Edit: Currently it's doing it only for specific client user agents. Try an
Android one. This javascript is driving part of it:
[https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/se...](https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/script/www.annualcreditreport.com)

Edit: Found the bad bits. They are here:
[https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js](https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js)

See the part that starts with document.write()

Edit: maybe a red herring. Sure looks shady though.

~~~
ballenf
What's the stack used for the real https version? I got redirected there (I
guess malware doesn't like Safari desktop or uBlock origin saved me) and felt
like I fell through a time warp to 2007 (update: 2004, in actuality) with the
form Equifax presents. So much low-res skeuomorphism I almost got nostalgic.

Not necessarily related to the security issues, just curious.

Edited to add: The site has a Copyright of 2004. None of the JS tools are
later than that. Is this really the current site in use? Unchanged for 13
years... wow. Would be sorta cool, you know, if it wasn't completely hacked.

