Expired Plugin Further Frustrates Equifax Breach Victims
By: Jim Stickley and Tina Davis
November 25, 2017
As if we haven’t been disappointed by the Equifax breach enough, there is more bad news for those who tried to visit the website shortly after the incident last month. Hackers exploited an old plugin used for website analytics to redirect users from the actual Equifax website to a fake one. It was discovered and reported by the Wall Street Journal that the product, called Fireclick, had been taken over by scammers and used to steal confidential information, post fraudulent online surveys, and steal banking credentials, among other things.
This is an example of domain jacking (also referred to as do-jacking). This happens when a legitimate website is taken over or taken advantage of for the purposes of illicit activity. The issue arose not because the Equifax site was taken over, but because the plugin domain, Fireclick, was taken over. The product has been unsupported since 2016 and was replaced with a new product, according to researchers at Malwarebytes. Equifax failed to replace it with the new one, and bad actors figured out how to take advantage.
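One way to catch a leftover third-party plugin like this before someone else does is to inventory every external host a page loads scripts or frames from and compare it against what the organization has approved and what vendors have retired. The following is an added example, not code from the original article; the host names, the two inventory sets and the sample HTML are constructed placeholders, and the retired host is not the real Fireclick domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inventory (assumption): hosts approved for use, and hosts whose
# vendor has announced end of support. Placeholders only.
APPROVED_HOSTS = {"cdn.current-analytics.example"}
RETIRED_HOSTS = {"retired-analytics.example"}

# Constructed sample page with first-party, approved, retired and unlisted sources.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script>var inline = true;</script>
<script src="https://cdn.current-analytics.example/a.js"></script>
<script src="//stats.retired-analytics.example/track.js"></script>
<iframe src="https://widgets.unlisted.example/w.html"></iframe>
</head></html>
"""

class RemoteSourceCollector(HTMLParser):
    """Collect src attributes of tags that pull remote code or content into the page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped
                self.sources.append((tag, src))

def in_set(host, hosts):
    # Match the listed host itself or any subdomain of it.
    return any(host == h or host.endswith("." + h) for h in hosts)

def audit_page(html, page_host):
    """Return (host, tag, status) for every third-party source in the page."""
    collector = RemoteSourceCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.sources:
        # Relative URLs have no hostname and belong to the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        if host == page_host:
            continue
        status = ("retired" if in_set(host, RETIRED_HOSTS)
                  else "approved" if in_set(host, APPROVED_HOSTS) else "unknown")
        findings.append((host, tag, status))
    return findings

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "www.example-site.test"):
        print(finding)
```

Anything reported as retired or unknown is a candidate for removal or review, since the page trusts whoever controls that host today.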
Any time you are notified that a product is going to be unsupported or discontinued, it’s important to pay attention and take action. Unsupported products don’t receive any patches should a vulnerability or issue come up once that date passes, no matter how critical the issue may be. There was only one exception several years ago with Windows XP. The issue was bad enough that Microsoft still patched it, mainly because so many companies were still using the unsupported product. However, never count on this happening; it is very unlikely to happen with smaller products or even again with Microsoft.
As an organization, it is important to ensure you have a patching routine in place. While doing this weekly is a great idea, if something is released to repair a critical or security vulnerability, it should be applied immediately. Don’t wait for a regular patch cycle to do this.
Acquiring expired or abandoned domains is not uncommon for good or bad actors. However, it is a practice that is used frequently by hackers to lure users into visiting malicious websites. Sometimes the sites are “merely” presenting adware, but many times the intent is to steal confidential or sensitive information or to execute malware that can do extensive damage to a corporate network.
So don’t delay when you get notifications. The longer you wait, the more risk is presented to you or your organization.