Decommissioned Web Analytics Script Abused to Serve Malware to Equifax and TransUnion Visitors

After additional details of the Equifax breach were disclosed last week, an independent security analyst found that Equifax's credit report assistance website had been compromised and was redirecting visitors to a malicious site that pushed adware disguised as a Flash Player update. A few hours later, a Malwarebytes researcher found that TransUnion's Central American website was also compromised and attempting to deliver the same fake update; the researcher noted that some visits to the site were instead routed to an exploit kit.

Further analysis showed that both compromised sites contained fireclick.js, a JavaScript (JS) file belonging to a decommissioned web analytics platform previously owned by the ecommerce company Digital River. The script was written to contact the domain netflame[.]cc in order to exchange data between the analytics server and the customer websites that embedded it. Digital River stopped using the platform and let the registration for netflame[.]cc lapse in October 2016. A malicious actor registered the newly available domain and used it to serve malware to visitors of any site that still loaded fireclick.js.

These incidents highlight the risk posed by elements embedded in a website that pull content from remote servers the site's administrators do not control: once such a server is abandoned and its domain expires, whoever registers the domain next decides what every page still referencing it will load. The NJCCIC recommends that website administrators regularly audit their sites to identify and remove code and elements that are no longer needed, especially those that contain vulnerabilities or communicate with remote servers. Additionally, any website visitors affected by this malware campaign are encouraged to scan their systems with reputable antivirus software.
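The audit recommended above can begin with a static inventory of the external hosts a page pulls code and content from. The following Python script is an added example, not code from the NJCCIC, Digital River or either credit bureau. It uses only the standard library: it parses a page's HTML offline, resolves every script, iframe, img, object, embed and stylesheet reference against the page URL, and reports those served from hosts outside the list the operator supplies. The sample page, the example.com/example.net/example.org hosts and the placeholder integrity value are constructed for illustration; the fireclick.js reference in it mirrors the incident described above and is never fetched.

```python
"""Audit a page's HTML for resources fetched from hosts the site does not control.

Added example (not NJCCIC, Digital River or credit-bureau code). Everything
runs offline against HTML text; no network request is made.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming the resource the browser will fetch.
RESOURCE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "embed": "src",
    "object": "data",
    "link": "href",
}

# <link> only triggers a fetch for these rel values; canonical/alternate do not.
FETCHING_LINK_RELS = {"stylesheet", "preload", "modulepreload", "icon"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL, integrity attribute) for fetched resources."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        target = attrs.get(attr_name)
        if not target:
            return  # inline <script> or empty attribute: nothing is fetched
        # urljoin resolves relative paths and scheme-relative "//host/file" forms.
        url = urljoin(self.base_url, target.strip())
        self.resources.append((tag, url, attrs.get("integrity")))


def external_resources(html, page_url, own_hosts=None):
    """Return [{'tag', 'url', 'host', 'integrity'}] for each resource loaded
    from a host not in own_hosts (default: the page's own host only)."""
    own = {h.lower() for h in (own_hosts or [urlsplit(page_url).hostname])}
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url, integrity in collector.resources:
        host = urlsplit(url).hostname
        if host is None or host.lower() in own:
            continue  # same-host reference or non-network scheme such as data:
        findings.append({"tag": tag, "url": url, "host": host.lower(),
                         "integrity": integrity})
    return findings


def external_hosts(html, page_url, own_hosts=None):
    """Sorted third-party hosts the page depends on; each is a domain whose
    registration and current operator should be verified."""
    return sorted({r["host"] for r in external_resources(html, page_url, own_hosts)})


def unpinned_external_scripts(html, page_url, own_hosts=None):
    """Third-party scripts lacking an integrity (SRI) attribute. A hash-pinned
    script is refused by the browser when the served file changes, which is
    what happens when an expired script host is re-registered."""
    return [r["url"] for r in external_resources(html, page_url, own_hosts)
            if r["tag"] == "script" and not r["integrity"]]


# Constructed sample page (hosts are illustrative; the integrity value is a
# placeholder, not a real digest). The fireclick.js line mirrors the incident.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example.com/">
<script src="/static/app.js"></script>
<script src="//netflame.cc/fireclick.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body>
<img src="https://img.example.org/logo.png">
<iframe src="https://www.example.com/embed"></iframe>
</body></html>"""
SAMPLE_URL = "https://www.example.com/credit-report-assistance"

if __name__ == "__main__":
    for r in external_resources(SAMPLE_PAGE, SAMPLE_URL):
        pinned = "yes" if r["integrity"] else "NO"
        print(f"{r['tag']:<7} {r['url']}  integrity={pinned}")
    print("unpinned scripts:", unpinned_external_scripts(SAMPLE_PAGE, SAMPLE_URL))
```

Each reported host is a domain whose registration and current operator should be confirmed, and anything tied to a retired service removed outright. For third-party scripts that must stay and are not expected to change, an integrity attribute (Subresource Integrity) makes the browser refuse the file if its content no longer matches the pinned hash, which would have blocked a swapped-in fireclick.js; it cannot help with scripts that legitimately change, and a Content-Security-Policy listing the permitted script sources is the complementary control.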
Users can protect themselves from this type of threat by installing a reputable ad-blocking and script-blocking extension in their browsers and by declining any unexpected prompt to install an update for Flash Player or other software that appears after visiting an unrelated website.