Hacker News new | past | comments | ask | show | jobs | submit login
Equifax website hacked again, this time to redirect to fake Flash update (arstechnica.com)
390 points by Larrikin on Oct 12, 2017 | hide | past | favorite | 96 comments



Equifax was loading this script: https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js

This script, from Fireclick Web Analytics, then loaded a script via Akami CDN that was hosted for a Fireclick domain, netflame.cc: a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/script/www.annualcreditreport.com

So this package was not coming from Equifax, but was being injected by a compromised analytics provider.


That's exactly the threat that Monday's post about Circle CI was about! Literally 3 days to a concrete example!


Could you please give me a link to that? Are users in danger of a possible hack?


https://news.ycombinator.com/item?id=15442636 - No more a danger than on most sites, it's just something to consider


The difference pointed out in the headline being that when NYT, Amazon, Wikipedia, etc, have compromised scripts they can serve fake flash updates. If CircleCI has them they can compromise my source code and API keys.

The vulnerability might be the same, but the danger to users is not.

Excerpt for reference:

This is a problem because the CircleCI browser context has full access to the CircleCI API, which is hosted on the same domain, so all eight of those companies' scripts can make requests to CircleCI API endpoints. Furthermore CircleCI customers frequently either include credentials in source code or as environment variables in CircleCI. Set these, and you are trusting that CircleCI won't get compromised, or at least, your application is at most as secure as CircleCI is.


Potentially, yes! Here's the post about CircleCI: https://news.ycombinator.com/item?id=15442636


We were just talking about the potential dangers of these third-party analytics scripts the other day.

https://news.ycombinator.com/item?id=15442636


This is only reinforcing my conviction that blocking scripts and advertising isn't a consumer decision but a security one. I'm not unwilling to be advertised to (or analyzed), but I'm completely unwilling to expand my vulnerability from "the site I opened" to "every external service they can think to load".


"... I'm completely unwilling to expand my vulnerability from the 'site I opened' to 'every external service they can think to load'."

I think that is a reasonable decision.

What would be the most effective way to protect against this vulnerability?

1. Ask the authors of the major browser you use to please change their software to your benefit instead of the advertisers who pay millions every quarter and finance the authors' salary.

Right now, all major browsers load scripts automatically. No user input required.

What gets loaded is determined by the website, not the user.

2. Turn off Javascript.

3. Use a browser that does not load scripts automatically.

Or use one program to retrieve the stuff you want from the web, e.g., an http client, and another program or programs to read/view/play it, offline. Only the http client needs an internet conection.

4. Stop using the web. (Not meant to be flippant.) The web is but one part of the internet. Alas, it has been largely "taken over" by the lure of the sale of personal information about consumers and advertising.

Look for existing or new internet protocols that do not use the web but which can provide the same things that the web does.

The software to access these protocols does not have to be written by organizations with interests in data collection and advertising.

It may be possible to have a segment of the network that is noncommercial. Free from ad delivery.


What meaningful capability would the general public have of evaluating which JS requests to permit?


And the problem is the general population doesn't understand this.


That's Internet 2.0 in it's purest form, no?


After poking around a bit, the "netflame.cc" domain may be where this was compromised.

It used to be a Fireclick owned domain, but the current ownership might not be Fireclick.

Try: whois -h whois.dynadot.com netflame.cc | grep Registrant

The results don't really look like what they would be if Fireclick owned it. It's registered to a Thailand national using a personal gmail account.

Can't prove it, but I have a suspicion Fireclick let the domain lapse/expire, and some bad actor registered it, then figured out what content to post where, or got hacked themselves.


WHOIS history on that domain shows the registration changed hands on November 15, 2016. Before that, it was owned by "Digital River, Inc.":

    Registrant Name: Digital River, Inc.
    Registrant Organization: Digital River, Inc.
    Registrant Street: 10380 Bren Road West
    Registrant City: Minnetonka
    Registrant State/Province: MN
    Registrant Postal Code: 55343
    Registrant Country: US
    Registrant Phone: +1.9522531234
    Registrant Email: hostmaster@digitalriver.com
Digital River appears to be an online commerce company: https://www.digitalriver.com/cloud-based-ecommerce-solutions...

They were probably the legitimate owners. The domain registration expiration date at that time was set for 2017, so it doesn't look like a registration lapse. It's unclear how and why the ownership was transferred.


Digital river was the parent company of fireclick.

> It's unclear how and why the ownership was transferred

Yes, it's curious.


Just got this same thing on some other site.


Maybe now they'll add the Hacker Safe badge to their site so this never happens again.


I assume this must be because after the initial hack, every kid with a script pointed it at Equifax to see what they could get too. I would not want to be in the IT department at that company right now.


If the average script kiddie can meaningfully compromise your infrastructure, aren't you already screwed? Pretty much every automated attack possible is launched at every internet addressable server on a daily basis. I ran a web server for a couple years with nothing on it but nearly empty personal sites and files, and over 50% of its hits were automated scans and attacks


This isn't fair and they need to slow down; I want my small claims lawsuit to pay off before they put themselves out of business.


Yeah, good luck showing damages. You basically have to wait until your identity is used for fraud, and then probably tie it specifically to the breach.


Say more please! What are the damages you claimed?

Just having your personal information stored insecurely should be grounds enough for damages but in the world of "identity theft" I didn't think it would have a case in small claims.


Noticed this on Monday. After registering for fraud alert, they send an email that has link to http://www.equifax.com/fcra for free credit report. This was getting hijacked. But not if you used https://


Why would they send you to a http at all if they already have https. This just seems like complete incompetence. It’s not like they have an excuse like their ad networks don’t work with https.


I know of companies with typos in their links that they email. These typos lead to scam sites. I've contacted them and they haven't yet fixed it. There needs to be a serious re-evaluation of the costs associated with failing such basic security measures like using https and just making sure you send people the correct link. Right now it isn't even a slap on the wrist.


If the site supports HTTPS, they should just preload HSTS to avoid future problems with HTTP.


Sure, but you can configure a webserver to always redirect to the https version of a site.


Someone in marketing probably didn't know that it mattered. Same with the head person who approved the email.

But don't worry, they'll have an engineer approve it next time as well!


But there are protections against this, such as HSTS. I would expect someone with as much sensitive information as Equifax to have HSTS + HPKP pinned into the major browsers. Their server should never even receive an HTTP request. It's just unrivaled incompetence.


HSTS doesn't help if it's your first visit to the site. To work around that they'd need to get into a preload list.


Which is easy if you set preload header.


This. The technology (HSTS, HPKP, Subresource Integrity, upgrade-insecure-requests) is there; sites that need it just don't seem to use it.


Normally, people in marketing don’t write URLs by hand. They copy them and check that they look nice or have a generator make them for them.

So, how did they copy an http url instead of https because they website should have redirected them to https before processing the request (and I just hope that their internal network isn’t compromised).


Probably because security is handled by the IT department, and email communication is handled by the much less tech-savvy Communications department.


The specific js that was hijacked is here: https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js

That page pulls it in.

Edit: maybe a red herring. Sure looks shady though.


<!-- Fireclick Web Analytics - COPYRIGHT 1999-2005 ...


So was it Equifax that was hacked, or Fireclick?


Equifax. That url is Equifax controlled. It just mentions fireclick in a comment. Click the url for the js and you'll see that it does a document.write to inject a script that's an akamai cached copy from an obscure .cc domain hosted file...this one: https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/se...



This obscure .cc domain pretty obviously belongs (or used to belong, they let it lapse in 2016 and it was re-registered) to Fireclick.


Update: The whois listing for the cc domain looks pretty odd. It's a person in Thailand, using a personal gmail address. Which would be odd contact details for a California company's domain. Possible of course, but unlikely.

See: $ whois -h whois.dynadot.com netflame.cc | grep Registrant


Hmm. Perhaps not what I thought. Looks hacked and shady, but perhaps this isn't it.


Yeah, looks like a compromised ad/stats provider. That would also explain the intermittent nature of the bad download. I'd hope that the article gets updated with the facts...other companies might be vulnerable to this as well.


Looks like they just took the page down as I was poking around trying to figure out where the redirect(s) came from.

Edit: Of course the error message is truthful:

>The Equifax.com website and Equifax Member Center are experiencing unusually high volumes due to responses to the recently announced Cybersecurity Incident. We are working diligently to better serve you, and apologize for any inconvenience this may cause. We appreciate your patience during this time and ask that you check back with us soon.

/s


If you don't want to pull out your phone, throw Chrome into Responsive Design mode and you'll get the same results.


Part of me says "wow, what blatant incompetence", but the part of me that does IT consulting is not surprised.


I am not generally a fan of heavy handed regulations but the government needs to step in and shut Equifax down right now. Literally pull the plug on everything they own.


Updating James Madison:

If everyone were honest, neither greedy nor malicious, did pay attention, were competent, including securing their apps, and didn’t have either fires, floods or roads, no regulation or government would be necessary.


I think we should still strive to move towards being that way. Greed and maliciousness breed greed and maliciousness and it’s be good to root them out wherever we can.


In the absence of civil institutions regulated by the people, regulation does not disappear. The mantle is picked up by corporations. It's our choice.


I'm not sure what's worse: the fact that Equifax just got $7.25M for identity services from the IRS or the realization that the IRS just spent $7.25M on data they can get for free...


That $7.25M went to get the data of the different colour than the data they could find for free. Even when stuff is bit-for-bit identical, sadly, color matters. IRS needs to have the data painted "official", not "from a hack".

http://ansuz.sooke.bc.ca/entry/23


That's like saying "I just spent $100 on this piece of software I could have torrented"


Except data (mere facts) isn't copyrightable.


Yes they are, you can assert rights on a collection of facts that you have collected. A database containing the location of every tree in the UK would be a piece of protectable intellectual property.


There isn't "intellectual property", there is copyright, utility, patents, trademarks, design patents, ship hull design rights, and a bunch of others.

What's the law that gives people in some jurisdictions exclusive rights over collected data? Is it copyright again? I ask because I would like to learn more about this law, and it's difficult to do so if I don't even know what it's called. The term "intellectual property" adds confusion towards understanding the particulars.

Btw, as an interesting bit of trivia, the lack of copyrightability of data is why we have fun things like paper towns and other copyright traps:

https://en.wikipedia.org/wiki/Phantom_settlement


This is jurisdiction-specific; the UK has a right in databases (as part of EU law) but the US has an "originality" requirement.


Although in some jurisdictions such a right exists, it is not copyright.

The US constitution limits the restrictions on free speech caused by copyrights and patents and does not allow generic database rights systems that you find in the EU.


Or indeed, houses. E.g. postcode database.


As a reference data point, the official UK Postcode database:

https://data.gov.uk/dataset/national-statistics-postcode-loo...

:)


If they have this much trouble with security imagine what else they might be failing at unbeknownst to us.


drinking water without it dribbling out the corners of their mouths?


It seems to be a random occurrence, I was able to trigger a pull of the infected page with the full request records:

https://tools.pingdom.com/#!/dWEfQI/http://www.equifax.com/f...

Interestingly, I ran into a similar issue with Yahoo earlier this week serving almost identical advertisements so this may be more widespread.


I used to work for Experian (I know, not Equifax, but it's an equivalent company).

None of this surprises me. These companies will do anything they can to protect and maintain revenue streams. This includes avoiding security.



Makes me think. Can I ask my bank to stop sharing my data with Equifax. Would they honour the request? Anyone working for a bank, what do you think?


At least in the UK it's a legal requirement for banks to share details with credit rating agencies, so no, they couldn't if they wanted to.


Credit rating agencies provide ratings for securities (e.g. corporate bonds). Their clients choose to pay them to issue ratings, so that the buyers of the securities will be more likely to buy them.

Credit reference agencies (Experian, Equifax, Callcredit) collect information about individuals and provide that information (credit history) to lenders for a fee.

There's no statutory obligation for banks to provide information to CRAs[0]. But agreements between CRAs and their clients (banks and lenders) generally requires that, if bank A uses CRA B to get info on prospective customers, then bank A must also report details of all its customers to CRA B.

There's some truth to what you said, though. It's often a problem for SMEs (small/medium businesses) to get loans. And, since only the bank they use for day-to-day banking has a good idea of their creditworthiness, they can't easily shop around to other banks. So there's legislation which forces the largest banks to make that information available to 3 CRAs, which must provide them to any lender which asks. BUT this only applies to SMEs (not consumers) and any SME can opt not to have their information shared in this way.[1]

[0] https://ico.org.uk/for-the-public/credit/ "As there is no DPA requirement for lenders to report such data to the credit reference agencies, it is up to the lender to decide which credit reference agency they wish to use, if any."

[1] https://www.gov.uk/government/publications/designation-of-ba...


Can you give any more information about that, please?

Certainly when you apply to use financial services in the UK the terms often include consent to share your data with credit reference agencies, but this is the first time I've ever seen a suggestion that banks were required by law to do so.

If that's the case then, given the demonstrable incompetence of Equifax, that law should be changed immediately!


I don't believe that's true. (If it were, I could set up a credit rating agency, have all the banks share details with it, and then have free credit reports for my own (hypothetical) consumer lending business, rather than paying a pound or two for each pull.)

Care to cite the specific law? I'd be very interested in knowing, if such a law exists.


Oh, you think it's a fair playing field?

If you're not old chums with the right person in government, you won't be classified as a credit rating agency.


I assume that there has to be a legal definition that outlines what will qualify a business as a credit rating agency. The requirements are probably cumbersome, but something must be written down somewhere to objectively define the requirements.


What counts as objective is determined subjectively by people with vested interests.


As soon as I clicked reply, that thought immediately jumped into my head.


I don't know much about UK law and this one in particular, but in theory the eligible companies could be listed in the respective law.


Too late to edit, but small correction: the comment to which I replied talked about 'credit rating agency' (the companies that rate corporate bonds) when I believe they meant 'credit reference agency' (the companies that sell credit histories).

I repeated the error. In my comment, I meant 'credit reference agency', not 'credit rating agency'.


Does Randy Abrams has a website? Does anyone knows anything else about the source?

EDIT: Found it: http://randy-abrams.blogspot.com


So which IT employee is going to be thrown under the bus this time?


These people need to spend some money and get some good IT staff. The people at the top are getting all the cream, while the people that actually keep things going need an upgrade.


Equifax (and other sites that should care about security) should use Subresource Integrity, which prevents resources from being hijacked.

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...


CSP.


,


what. again?


What's their excuse this time ? A single worker brought in a cat that bit our entire server facilities power supply ? Or some random guy who handled credentials was picked up by Aliens.


You know how "admin:admin" aren't very good credentials for a supposedly secure production system dealing with sensitive information? Well, turns out, neither is "admin123"


Issue closed. Credentials updated to admin123! For increased security.


Can we keep this noise on Reddit?


Aliens would be about the only acceptable excuse.

Russian aliens.


Mars is Red. Coincidence?


Since when is it ok to publish this without a single shred of evidence to support the dude's claims?

Laughable to say the least.

Dude probably got owned locally.


Just tried http://www.equifax.com/fcra myself...it redirects to obviously shady sites, right now.

Edit: Currently it's doing it only for specific client user agents. Try an android one. This javascript is driving part of it: https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/se...

Edit: Found the bad bits. They are here: https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js

See the part that starts with document.write()

Edit: maybe a red herring. Sure looks shady though.


What's the stack used for the real https version? I got redirected there (I guess malware doesn't like Safari desktop or uBlock origin saved me) and felt like I fell through a time warp to 2007 (update: 2004, in actuality) with the form Equifax presents. So much low-res skeuomorphism I almost got nostalgic.

Not necessarily related to the security issues, just curious.

Edited to add: The site has a Copyright of 2004. None of the JS tools are later than that. Is this really the current site in use? Unchanged for 13 years... wow. Would be sorta cool, you know, if it wasn't completely hacked.


Not at all, the site is definitely compromised. Someone posted a link[0] that when I opened on mobile is redirecting to a malware site. Confirmed on two separate Android devices running 7.1 + Chrome.

[0] https://news.ycombinator.com/item?id=15456533


Want evidence? Click the link. Unless realcasinoslots.com is a creative new revenue stream for Equifax, the site has been hijacked.


> Unless realcasinoslots.com is a creative new revenue stream for Equifax...

I'm not sure if that'd increase or decrease their sleaze factor.


Maybe I’m not aware but I’m pretty used to just trusting large news outlets with good credibility on things like this




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: