Sophos Cloud Optix
We suspect that you’ve heard the proverb, “It never rains but that it pours”.
It means that when bad stuff starts, you often get a whole lot of it hammering down on you – a literary way of suggesting that things are going to get worse before they get better.
People have been saying that proverb for 300 years or more, but it could have been written especially for Equifax, the way things are going.
First there was the breach, then the silly domain name, then the tweet that advertised a mis-spelling of the silly domain name, then the news that the breach was bigger than first thought, and then the news that the breach was bigger than first thought by more than was first thought.
How do you top that?
According to security blogger Randy Abrams, you top it by getting hit by malvertising.
That’s when a third-party company that you trusted to deliver content into your website (ads, perhaps, or some sort of tracking service)…
…screws up and delivers dodgy content that turns your site into a temporary but visible purveyor of tat.
Abrams published a short video showing him browsing to Equifax’s signup page to request a personal information check – as you might do after a breach.
(Abrams says he was signing up so he could check his data because he suspected there might be a mistake in it that he wanted to correct.)
He started here:
But then you see his browser quickly bouncing him through a sequence of third-party domains, ending up on a content delivery network called centerbluray, which promptly offered up a fake Flash Player Install that claimed it would update you to the latest version of Flash:
As Abrams drily quipped on his blog:
Seriously folks. Equifax has enough on their plate trying to update Apache. They are not going to help you update Flash.
What happened?
According to Reuters, Equifax explained the blunder as follows:
The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.
In a word, malvertising, which we defined above.
The page that Abrams was on when the SNAFU happened now redirects to an Equifax holding page that tells the story rather differently (and uses an unencrypted, unauthenticated HTTP page to present its upbeat message about better service, too):
So, there you have it – Equifax is “working diligently to better serve you.”
As we said at the start, it never rains but that it pours.
Was it malvertizing? My understanding is it is an Fireclick analytics js that is implicated.
I hear you, but I am happy with the definition I came up with in the article, namely that malvertising is “when a third-party company that you trusted to deliver content into your website (ads, perhaps, or some sort of tracking service) screws up and delivers dodgy content that turns your site into a temporary but visible purveyor of tat.”
Technically, one could call this sort of blunder “malanalytics” or “maltracking”, and be dutifully specific, but then you’d need a different term for what is a very similar style of attack (poisoned third-party web content) for every type of content-injection service that might get compromised.
I figured that the word “malvertising” would do just fine – in the same way we use “malware” generically to describe a process that ends up with malicious software installed, no matter how it got in.
After all, what you end up with in this case is “malevolent content injected into your browser’s web stream, as part of a third-party service, in order to promote malicious or otherwise dodgy tat.”
The “malicious or otherwise dodgy tat” doesn’t even have to be malware at least in my book. Any sort of foistware, or disingenuous offer, or survey scam, or potentially unwanted app would justify calling a poisoned web stream “malvertising” in my book – the promotion of unwanted, unexpected or otherwise odious content of any sort makes it “malevolent advertising”, for which the word “malvertising” seems a perfect fit, even if that is extending that word’s original usage a bit.
Simply put, you could say that this is a “malvertising attack carried out through content injected by a compromised analytics or tracking comosny”.
Ok, but tat? Meriam’s dictionary suggests this is a biological noun for viral replication…
Stretch on Paul. I love to read you. 😎
I didn’t realise that “tat” in that context was British (or at least non-American, as you will hear it widely through the Commonwealth of Nations), so in case anyone is battling with the word, we’ll quote from the New Oxford American Dicitonary to explain it as:
Equifax is “working diligently to better serve you” up to identity thieves and other bad actors.