Equifax Hack: Credit Firm Website Redirects Users To Adware
Update, 5:40 p.m.: A spokesperson from Equifax provided International Business Times with the following information about the company's site redirecting users to adware:
“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal.
The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”
Original story: Barely one month removed from a massive data breach that exposed personal information of more than 145 million Americans, Equifax appears to have been compromised again. This time its website directed visitors to a malware download, Ars Technica reported.
For an undisclosed amount of time earlier this week, the Equifax website would redirect users attempting to access their credit score to a fraudulent Adobe Flash update screen. Users who made the mistake of downloading the update were infected with a difficult-to-detect form of adware.
The malicious download was first discovered Wednesday by security analyst Randy Abrams, who visited the credit reporting firm’s website with the intention of contesting false information that he discovered on his credit score.
Instead, Abrams found himself redirected away from the Equifax website to a suspicious domain listed as “hxxp:centerbluray.info.” Once the page loaded, it displayed a pop-up insisting the visitor needed to update Adobe Flash Player.
While Abrams knew what he was looking at, many users may not. The victims of the attack hosted on Equifax’s site have the displeasure of being infected with malicious software known as Adware.Eorezo. The attack injects fraudulent advertisements into a victim’s browser in an attempt to generate revenue for the attackers.
The adware attack is delivered to a victim’s computer through a download labeled as MediaDownloaderIron.exe. According to the virus tracking site VirusTotal, just three out of 65 popular anti-virus tools successfully recognize the download as malicious.
According to Abrams, the phony Flash download appeared for him on three subsequent visits, suggesting the attack was persistent and may have been displayed to thousands of other visitors who may not have recognized it as malicious.
Other visitors to the site reported a similar experience, stating they were often redirected away from Equifax's services and sent to a different domain that would often request the user download something or present them with an advertisement designed to tempt them to click on it.
In attacks like this, the redirect often does not occur on every visit, which helps the attackers go undetected for longer. It’s not clear at the moment if the attack has been addressed by Equifax and removed from the site or if the threat actors behind it are simply remaining dormant for the time being.
"We are aware of the situation identified on the equifax.com website in the credit report assistance link," an Equifax spokesperson told International Business Times. "Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will."
It’s possible the attack is not the result of a direct compromise of Equifax’s site but rather of a third-party advertising network the company works with. Regardless of whether it is due to a direct breach or an indirect action of a partner, one would imagine Equifax would want to take swift action to cut off the attack so as to not expose its users.
Even if the attack was present for just a short period of time, it is possible many people could have been exposed to it.
During his testimony in front of Congress last week, the former Equifax CEO Richard Smith said the company received more than 420 million visits to the security site set up in the wake of the data breach that may have compromised millions of Social Security numbers. It seems likely the company’s primary website saw a spike in traffic as well, as users attempted to place a freeze on their information or take other security measures.
Chris Olson, CEO of security firm the Media Trust, described the situation to IBT as "ridiculous," calling it yet another major misstep by an organization that should be equipped to handle such issues.
“Equifax, and for that matter any enterprise, should first identify and manage all third parties contributing code to their websites and get their own house in order," he said. "This incident should serve as a warning for any website operator to know and control vendor risk in the digital world—all website code, both first and third party, should be continuously monitored to avoid these scenarios.”