This script, from Fireclick Web Analytics, then loaded a script via Akamai CDN that was hosted for a Fireclick domain, netflame.cc: a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/script/www.annualcreditreport.com
So this package was not coming from Equifax, but was being injected by a compromised analytics provider.
The vulnerability might be the same, but the danger to users is not.
Excerpt for reference:
This is a problem because the CircleCI browser context has full access to the CircleCI API, which is hosted on the same domain, so all eight of those companies' scripts can make requests to CircleCI API endpoints. Furthermore, CircleCI customers frequently either include credentials in source code or as environment variables in CircleCI. Set these, and you are trusting that CircleCI won't get compromised, or at least, your application is at most as secure as CircleCI is.
I think that is a reasonable decision.
What would be the most effective way to protect against this vulnerability?
1. Ask the authors of the major browser you use to please change their software to your benefit instead of the advertisers who pay millions every quarter and finance the authors' salary.
Right now, all major browsers load scripts automatically. No user input required.
What gets loaded is determined by the website, not the user.
3. Use a browser that does not load scripts automatically.
Or use one program to retrieve the stuff you want from the web, e.g., an http client, and another program or programs to read/view/play it, offline. Only the http client needs an internet connection.
4. Stop using the web. (Not meant to be flippant.) The web is but one part of the internet. Alas, it has been largely "taken over" by the lure of the sale of personal information about consumers and advertising.
Look for existing or new internet protocols that do not use the web but which can provide the same things that the web does.
The software to access these protocols does not have to be written by organizations with interests in data collection and advertising.
It may be possible to have a segment of the network that is noncommercial. Free from ad delivery.
It used to be a Fireclick owned domain, but the current ownership might not be Fireclick.
Try: whois -h whois.dynadot.com netflame.cc | grep Registrant
The results don't really look like what they would be if Fireclick owned it. It's registered to a Thailand national using a personal gmail account.
Can't prove it, but I have a suspicion Fireclick let the domain lapse/expire, and some bad actor registered it, then figured out what content to post where, or got hacked themselves.
Registrant Name: Digital River, Inc.
Registrant Organization: Digital River, Inc.
Registrant Street: 10380 Bren Road West
Registrant City: Minnetonka
Registrant State/Province: MN
Registrant Postal Code: 55343
Registrant Country: US
Registrant Phone: +1.9522531234
Registrant Email: firstname.lastname@example.org
They were probably the legitimate owners. The domain registration expiration date at that time was set for 2017, so it doesn't look like a registration lapse. It's unclear how and why the ownership was transferred.
> It's unclear how and why the ownership was transferred
Yes, it's curious.
Just having your personal information stored insecurely should be grounds enough for damages but in the world of "identity theft" I didn't think it would have a case in small claims.
But don't worry, they'll have an engineer approve it next time as well!
So, how did they copy an http url instead of https, because the website should have redirected them to https before processing the request (and I just hope that their internal network isn’t compromised).
That page pulls it in.
Edit: maybe a red herring. Sure looks shady though.
See: $ whois -h whois.dynadot.com netflame.cc | grep Registrant
Edit: Of course the error message is truthful:
>The Equifax.com website and Equifax Member Center are experiencing unusually high volumes due to responses to the recently announced Cybersecurity Incident. We are working diligently to better serve you, and apologize for any inconvenience this may cause. We appreciate your patience during this time and ask that you check back with us soon.
If everyone were honest, neither greedy nor malicious, did pay attention, were competent, including securing their apps, and didn’t have either fires, floods or roads, no regulation or government would be necessary.
What's the law that gives people in some jurisdictions exclusive rights over collected data? Is it copyright again? I ask because I would like to learn more about this law, and it's difficult to do so if I don't even know what it's called. The term "intellectual property" adds confusion towards understanding the particulars.
Btw, as an interesting bit of trivia, the lack of copyrightability of data is why we have fun things like paper towns and other copyright traps:
The US constitution limits the restrictions on free speech caused by copyrights and patents and does not allow generic database rights systems that you find in the EU.
Interestingly, I ran into a similar issue with Yahoo earlier this week serving almost identical advertisements so this may be more widespread.
None of this surprises me. These companies will do anything they can to protect and maintain revenue streams. This includes avoiding security.
Credit reference agencies (Experian, Equifax, Callcredit) collect information about individuals and provide that information (credit history) to lenders for a fee.
There's no statutory obligation for banks to provide information to CRAs. But agreements between CRAs and their clients (banks and lenders) generally require that, if bank A uses CRA B to get info on prospective customers, then bank A must also report details of all its customers to CRA B.
There's some truth to what you said, though. It's often a problem for SMEs (small/medium businesses) to get loans. And, since only the bank they use for day-to-day banking has a good idea of their creditworthiness, they can't easily shop around to other banks. So there's legislation which forces the largest banks to make that information available to 3 CRAs, which must provide them to any lender which asks. BUT this only applies to SMEs (not consumers) and any SME can opt not to have their information shared in this way.
"As there is no DPA requirement for lenders to report such data to the credit reference agencies, it is up to the lender to decide which credit reference agency they wish to use, if any."
Certainly when you apply to use financial services in the UK the terms often include consent to share your data with credit reference agencies, but this is the first time I've ever seen a suggestion that banks were required by law to do so.
If that's the case then, given the demonstrable incompetence of Equifax, that law should be changed immediately!
Care to cite the specific law? I'd be very interested in knowing, if such a law exists.
If you're not old chums with the right person in government, you won't be classified as a credit rating agency.
I repeated the error. In my comment, I meant 'credit reference agency', not 'credit rating agency'.
EDIT: Found it: http://randy-abrams.blogspot.com
Laughable to say the least.
Dude probably got owned locally.
Edit: Found the bad bits. They are here: https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js
See the part that starts with document.write()
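As an added example (not code from the thread or from Fireclick), here is a small audit that scans a script's source for document.write() calls that inject external script tags and reports both the CDN host and any second domain embedded in the path, which is the shape of the chain discussed above; the sample source is constructed to mimic that pattern and is not the real fireclick.js.

```javascript
// Constructed sample mimicking an analytics loader that writes a <script>
// tag pointing at a CDN path which embeds another domain (hypothetical).
const SAMPLE_SCRIPT = `
var q = document.location.hostname;
document.write('<script src="https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/script/' + q + '"></scr' + 'ipt>');
document.write('<img src="https://stats.example.invalid/pixel.gif">');
`;

// Return one finding per document.write() that builds a <script> tag:
// { src, host, embeddedHosts } where embeddedHosts are domain-looking
// segments found in the URL path (the origin behind a CDN front).
function auditDocumentWrites(source) {
  const findings = [];
  // Each document.write(...) call; bodies are assumed not to contain ';'.
  const writeRe = /document\.write\s*\(([^;]*?)\)\s*;/g;
  let m;
  while ((m = writeRe.exec(source)) !== null) {
    const body = m[1];
    if (!/<script\b/i.test(body)) continue; // only script injection
    // src value up to the first quote; concatenated pieces are cut off there.
    const srcMatch = /src\s*=\s*\\?["']([^"'\\]+)/i.exec(body);
    if (!srcMatch) continue;
    const src = srcMatch[1];
    let host = null;
    let embeddedHosts = [];
    try {
      const url = new URL(src);
      host = url.hostname;
      // Domain-looking segments inside the path, e.g. hints.netflame.cc
      embeddedHosts = url.pathname.match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi) || [];
    } catch (e) {
      // Relative or malformed src: still report the raw value.
    }
    findings.push({ src, host, embeddedHosts });
  }
  return findings;
}

// Usage: list every external script the loader writes and where it resolves.
for (const f of auditDocumentWrites(SAMPLE_SCRIPT)) {
  console.log(`script from ${f.host}; embedded domains: ${f.embeddedHosts.join(", ")}`);
}
```

A domain surfaced in embeddedHosts is the one worth checking with the whois query from the thread, since the CDN host alone says nothing about who controls the content.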
Not necessarily related to the security issues, just curious.
Edited to add: The site has a Copyright of 2004. None of the JS tools are later than that. Is this really the current site in use? Unchanged for 13 years... wow. Would be sorta cool, you know, if it wasn't completely hacked.
I'm not sure if that'd increase or decrease their sleaze factor.