Webroot, one of only three antivirus providers to detect latest Equifax hack

  • 13 October 2017
  • 5 replies
  • 27 views

Userlevel 7
Badge +48

 
Reports have surfaced that the Equifax website may have been hacked again. According to PC Mag, "visitors to the site were offered a fake Flash Player update that installed adware."
 
Webroot was one of only 3 antivirus providers (out of 65) to detect and block the adware, according to data from VirusTotal.com. 
 
"Webroot first encountered this threat in early 2016. We've seen this specific file blocked on thousands of computers worldwide. Adware is a gray area, so it explains why only a few antivirus providers caught this."
- @, Sr. Threat Research Analyst
 
More on PC Mag and Forbes

5 replies

Userlevel 7
Badge +56
Much more info here: https://community.webroot.com/t5/Security-Industry-News/Equifax-Site-Hacked-Again-Links-Redirect-Users-to-Malicious-URL/m-p/303706#M37699
Userlevel 7
Badge +56
Well, this doesn't look right? https://www.virustotal.com/en/file/6153f429c0cedc721846e60255834ae0f43829cc6a387b766de6f301dab54eca/analysis/
 

Userlevel 7
Badge +48
I had to double-check with Threat on this.
 
We marked the first sample a year ago and changed the name of the determination. As shown above, the first sample that the agent saw was in 2015.
 
The timeline seems to be: 
1) First seen in Dec 2015
2) First determined Jan 2016
3) Determined PUA/Adware in Jul 2016
4) Name of determination changed Oct 2017
 
I'm not sure what exactly is going on with VirusTotal though. Tricky one!
Userlevel 7
Badge +24
That MD5 determination lookup that is available publicly only shows the date of the last time anything was changed in the determination or categorization. We've had this determined bad for well over a year, but we have changed the category on the file a couple of times between pua.downloadmanager and w32.adware. In this scenario the MD5 lookup tool only refers to the last time a categorization change happened, even though the determination of bad has never changed. I do apologize, as that is quite confusing, but rest assured it's been blacklisted in our database for over a year.
Userlevel 7
Badge +56
@ wrote:
That MD5 determination lookup that is available publicly only shows the date of the last time anything was changed in the determination or categorization. We've had this determined bad for well over a year, but we have changed the category on the file a couple of times between pua.downloadmanager and w32.adware. In this scenario the MD5 lookup tool only refers to the last time a categorization change happened, even though the determination of bad has never changed. I do apologize, as that is quite confusing, but rest assured it's been blacklisted in our database for over a year.
Thanks Tyler! Maybe it would be a great idea to add that to the MD5 determination lookup: a "First Detected Bad" or "First Bad Determination" date? Then it would not be so confusing.
 
Daniel
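As an added illustration of the point Tyler makes and the field Daniel asks for (this is example code written for this page, not Webroot's lookup tool or any code from the thread): a lookup that exposes only the "last changed" timestamp of a hash's determination history hides the fact that the file has been bad the whole time, while a history that also records "first determined bad" makes the timeline unambiguous. The determination history below is constructed from the four-step timeline posted above; exact days and the intermediate category names are assumptions, as is the event structure.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DeterminationEvent:
    """One change to a file hash's vendor-side verdict or category."""
    when: date
    verdict: str     # "unknown", "good" or "bad"
    category: str    # e.g. "pua.downloadmanager", "w32.adware"; "" if none


# Constructed sample history for a single hash, following the timeline in the
# thread (Dec 2015 first seen, Jan 2016 first bad, Jul 2016 PUA/adware,
# Oct 2017 rename). Days and intermediate category names are assumed.
HISTORY = [
    DeterminationEvent(date(2015, 12, 1), "unknown", ""),
    DeterminationEvent(date(2016, 1, 1), "bad", "pua.downloadmanager"),
    DeterminationEvent(date(2016, 7, 1), "bad", "pua.adware"),
    DeterminationEvent(date(2017, 10, 1), "bad", "w32.adware"),
]


def first_seen(history):
    """Earliest event of any kind: when an agent first reported the hash."""
    return min(e.when for e in history)


def first_bad(history) -> Optional[date]:
    """Earliest event with a 'bad' verdict; None if the hash was never bad."""
    bad_dates = [e.when for e in history if e.verdict == "bad"]
    return min(bad_dates) if bad_dates else None


def last_change(history):
    """Most recent change of any kind (verdict OR category)."""
    return max(e.when for e in history)


def current(history) -> DeterminationEvent:
    """Latest event, i.e. the verdict and category a lookup shows today."""
    return max(history, key=lambda e: e.when)


def bad_continuously_since(history) -> Optional[date]:
    """Start of the unbroken run of 'bad' verdicts that is still in force.

    Differs from first_bad() when a hash was marked bad, then cleared,
    then marked bad again: only the latest run counts as "still blacklisted".
    """
    run_start = None
    for e in sorted(history, key=lambda e: e.when):
        if e.verdict == "bad":
            if run_start is None:
                run_start = e.when
        else:
            run_start = None
    return run_start


def lookup_view(history, include_first_bad: bool) -> dict:
    """Render what a public hash lookup would return.

    include_first_bad=False models a tool that reports only the last change
    date; True adds the 'first bad determination' field, which is what
    removes the ambiguity when a category is renamed.
    """
    now = current(history)
    view = {
        "verdict": now.verdict,
        "category": now.category,
        "last_changed": last_change(history).isoformat(),
    }
    if include_first_bad:
        since = bad_continuously_since(history)
        view["first_bad_determination"] = since.isoformat() if since else None
    return view


if __name__ == "__main__":
    print("without first-bad field:", lookup_view(HISTORY, include_first_bad=False))
    print("with first-bad field:   ", lookup_view(HISTORY, include_first_bad=True))
```

In the first view the only date is October 2017, which reads as if the file were newly detected; the second view carries January 2016 alongside it, so a rename of the category does not look like a late detection. Note the use of `bad_continuously_since` rather than `first_bad` for that field: if a hash were ever cleared and later re-flagged, the honest "blacklisted since" date is the start of the current run, not the first time it was ever flagged.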
