by g051051 3172 days ago
So was it Equifax that was hacked, or Fireclick?
1 comments

Equifax. That URL is Equifax-controlled. It just mentions Fireclick in a comment. Click the URL for the JS and you'll see that it does a document.write to inject a script that's an Akamai-cached copy of a file hosted on an obscure .cc domain... this one: https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/se...
This obscure .cc domain pretty obviously belongs (or used to belong, they let it lapse in 2016 and it was re-registered) to Fireclick.
Update: The whois listing for the cc domain looks pretty odd. It's a person in Thailand, using a personal gmail address. Which would be odd contact details for a California company's domain. Possible of course, but unlikely.

See:

    $ whois -h whois.dynadot.com netflame.cc | grep Registrant

Hmm. Perhaps not what I thought. Looks hacked and shady, but perhaps this isn't it.
Yeah, looks like a compromised ad/stats provider. That would also explain the intermittent nature of the bad download. I'd hope that the article gets updated with the facts...other companies might be vulnerable to this as well.
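
Added example, not part of the thread or any site's own code: a small Node.js audit that finds script tags injected with document.write and resolves the origin host hidden behind an Akamai path-style URL, so a third-party origin is flagged even when the CDN hostname is allowlisted. The URL layout is assumed from the single URL quoted above; the sample script, hosts and allowlist are constructed.

```javascript
// Constructed sample of a first-party script; the URL path and hosts are made up.
const SAMPLE = `
// vendor tag (constructed sample)
document.write('<scr' + 'ipt src="https://a248.e.akamai.net/f/0/0/0h/stats.thirdparty.example/tag.js"></scr' + 'ipt>');
document.write('<script src="/js/local.js"></script>');
`;

// Collect the src of every <script> tag written with document.write().
function injectedScriptUrls(jsSource) {
  const urls = [];
  for (const call of jsSource.matchAll(/document\.write(?:ln)?\s*\(([\s\S]*?)\)\s*;/g)) {
    // Join split string literals ('<scr' + 'ipt') before looking for the tag.
    const markup = call[1].replace(/["']\s*\+\s*["']/g, "");
    for (const m of markup.matchAll(/<script[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi)) {
      urls.push(m[1]);
    }
  }
  return urls;
}

// Assumption: Akamai path-style URLs look like the one quoted in the thread,
// /f/<n>/<n>/<ttl>/<origin-host>/<path>, so the real origin is path segment 5.
function effectiveHost(url, pageUrl) {
  const u = new URL(url, pageUrl); // resolves relative and //host URLs
  const seg = u.pathname.split("/");
  if (u.hostname.endsWith(".akamai.net") && seg[1] === "f" && seg.length > 6) {
    return seg[5].toLowerCase();
  }
  return u.hostname;
}

// Report injected scripts whose effective origin is not on the reviewed list.
function auditScript(jsSource, pageUrl, allowedHosts) {
  return injectedScriptUrls(jsSource)
    .map((url) => ({ url, host: effectiveHost(url, pageUrl) }))
    .filter((finding) => !allowedHosts.has(finding.host));
}

// The CDN host is allowlisted on purpose: a hostname-only check would pass here.
const allowed = new Set(["www.example.com", "a248.e.akamai.net"]);
console.log(auditScript(SAMPLE, "https://www.example.com/", allowed));
```

Resolving the effective origin also makes it possible to check that domain's registration status, which is the lapse-and-re-register risk raised in the thread.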