Security Error Could Have Been Exploited to Phish Data, Distribute Malware
The Australian website for credit bureau Equifax would seem to be an unlikely place to find promotional material for “Patent Law Basics for Chemists and Research Professionals” – a 275-page tome scheduled to be released next year.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
The site would also seem to be a strange place to see an advertisement for a video stream of Sweden vs. France – a recent World Cup soccer qualifying round – or an advertisement for another such match, Latvia vs. Portugal, written in Latvian.
But Equifax’s Australian website played host for an unknown period of time to PDFs placed by scammers, apparently to promote – at least in part – pirate live-streaming services for NFL and World Cup soccer matches, among other types of content.
That finding raises further questions about the information security practices in place at Equifax, which on Sept. 7 warned that it had been breached, and that personal details for what it now says were 145.5 million U.S. consumers, as well as some British and Canadian consumers, were exposed.
Since then, the picture of the company that has emerged appears to be one of a highly profitable firm that sold data about consumers – in effect, the company’s product – but due to security oversights failed to properly secure that data, leading to a majority of U.S. adults becoming data breach victims.
Equifax’s security oversights, however, appear to have also extended to its Australian operations, an investigation by Information Security Media Group shows. Over a three-month period earlier this year, one of Equifax’s web applications allowed anyone to upload arbitrary files onto Equifax servers and then remotely access those files.
While it doesn’t appear that Equifax’s Australian website was exposing consumers’ personal details, security experts say the company’s mistake – including the ability for outsiders to place files on an Equifax server – could have facilitated identity theft schemes by cybercriminals, or worse.
“The ability to place files on a server is definitely a concerning event,” says Alex Holden, CTO for Wisconsin-based security consultancy Hold Security. Holden is a veteran information security investigator credited with discovering the massive breaches at Adobe Systems and the retailer Target in 2013.
Because Equifax is a well-known brand, links containing documents from its domain are more likely to be trusted and opened by individuals. That offers all kinds of opportunities to trick potential victims into divulging personal information or executing malware.
In a one-sentence statement sent to ISMG on Tuesday, Equifax didn’t address how the flaw could potentially have been misused.
“We are constantly enhancing our systems; we can confirm that there was no unauthorized access of data,” Victor Leung, an Equifax spokesman, tells ISMG.
The uploaded files included dozens of PDFs that advertised pirated movies, sports-related video streams and books, and clearly should have never been on Equifax’s website. The fact that outsiders were able to obtain access to Equifax’s server, however, and use it as part of a link-spam scheme, calls into question the credit bureau’s data security acumen, especially in what is a relatively new market for the company.
Equifax didn’t have a presence in Australia until February 2016, when it completed its biggest-ever acquisition, paying $2 billion for a credit bureau called Veda. Thanks to the acquisition, Equifax claims that it is now the largest source of business data and credit records in Australia and New Zealand.
The intrusion into Equifax’s Australia website is still documented in a scattering of Google’s search results, which is how ISMG discovered that its Australian site may have been breached.
The offending files have since been excised from Equifax’s servers, indicating that the company eventually caught on. But some of the PDFs can still be found on the internet. One, which advertises a live stream of the NFL, contains an embedded link to a URL shortener that then redirects to cbwebreviewer[dot]info. That domain then redirects to yet another domain that appears to be a pirate streaming service.
There are also indications that Equifax.com.au wasn’t the only organization in Australia affected by this kind of issue, which is referred to as comment or link spam.
Spammers Crave Legitimate Domains
The holy grail for link spammers is to compromise high-profile and highly trafficked domains. Equifax would be a prime one. Paired with Equifax’s valuable domain name, someone looking for pirate streams of video might chance upon such an advertisement on the first page of Google results, leading to a link on Equifax’s official Australian site.
“The more reputation the site has, the more likely it will be indexed [higher],” Holden says.
It’s difficult to tell actually how many files spammers landed on Equifax.com.au. But there are indications that between June and August, they successfully placed at least 75 files.
That’s how many of the suspicious links were manually submitted to Urlquery.net, which is a link-scanning service set up by security researcher Lars Olav Gigstad. Urlquery checks a link for the presence of malicious content.
Although 75 links were submitted to URLquery earlier this year, Gigstad says he reconfigured the service around July and no longer has the original reports generated by the service. But Gigstad says he did have enough log information to identify the suspect Equifax web application targeted by spammers: Drupal, an open-source content management system.
More Evidence of a ‘Loose Shop’
It’s difficult from the outside to tell if the link spammers exploited a software vulnerability in Drupal or a misconfiguration. But scammers and cybercriminals constantly scan the web for misconfigured sites or vulnerabilities that they could potentially compromise.
With Equifax.com.au, “we don’t know what was exploited, how it was exploited, and if it was exploited fully,” Holden says.
If the link spammers exploited a software vulnerability in Equifax’s Drupal installation, it could be a sign – as with the U.S. Equifax breach – of lax patching practices. The attackers behind the exposure of 145.5 million U.S. consumers’ personal details took advantage of a vulnerability in Apache Struts, a web application framework used by Equifax (see Equifax’s May Mega-Breach Might Trace to March Hack).
Since Equifax disclosed the U.S. breach on Sept. 7, researchers and observers have found further problems at the credit bureau.
Holden found that Equifax did a poor job securing an internal customer service portal for the company’s Argentinian operations – the portal’s username and password were both set to “admin.” The portal was storing national identity numbers for at least 14,000 Argentinians who had filed credit-related disputes, meaning that data could potentially have been exposed to attackers (see Equifax’s Latest Data Leak: Argentina).
On Equifax’s Australia site, aside from PDFs, it’s unclear what other types of files might have been uploaded to the Drupal installation. The Drupal settings may have restricted allowing file types – just PDFs – or could have accepted anything, from HTML files to malware executables.
In theory, if it’s possible to write to a server, it’s usually possible to upload any type of file, one way or another, says Nick Ellsmore, co-founder of the Sydney-based cybersecurity consultancy Hivint. Ellsmore cautions, however, that there’s no evidence that scammers uploaded anything more than PDFs to Equifax’s Australian website.
But scammers’ ability to place files onto Equifax’s own servers reflects poorly on the credit-reporting agency’s information security practices, Ellsmore says. “Everything that is coming out is highlighting that Equifax were running a pretty loose shop, and this is just more evidence to support that.”