Equifax Website Caught Serving Malicious Ads to Visitors

This article is more than 6 years old.

It's been just over a month since Equifax went public with news of a massive server breach that affected roughly half of the adult population of the United States and thousands more consumers in Canada and the U.K. Now, a security researcher has spotted an ad campaign spreading malware from the company's website.

As reported in the wee hours of the morning by Ars Technica's Dan Goodin, the malicious ads were designed to trick Equifax visitors into installing a fake Adobe Flash update. Randy Abrams, an independent researcher who clicked through to the site to contest recent suspicious activity on his credit report, spotted one of the ads. A video uploaded to YouTube captured the process.

Abrams decided to investigate further. After being redirected to the fake Flash site, he downloaded the malicious payload it was pushing. An initial scan with VirusTotal showed that only three security apps -- Symantec, Panda, and Webroot -- flagged the file as being malicious.

The malware (which Symantec refers to as Adware.Eorezo) isn't particularly nasty. Its primary objective is to inject ads into Internet Explorer browser windows. Symantec has seen variants of Eorezo popping up on the Web since late 2012.

How is it that malicious advertising (shortened to malvertising in security circles) found its way onto the Equifax website? This sort of thing isn't exactly an uncommon occurrence. The New York Times has been hit in the past, as have AOL and Yahoo.

Typically, cybercriminals who perpetrate these attacks identify a popular website to target and then look for weaknesses in advertising code. Because of the recent flood of breach-related news, traffic to the Equifax website has likely spiked. Often that code -- and the entire advertising system -- belongs to a third-party provider and not the actual website.

So while Equifax most likely is not to blame for this latest gaffe, the company would do well to encourage any of its online partners to start identifying and fixing any security shortcomings. Equifax doesn't need another major incident on its hands.

Equifax has been contacted for an official comment and offered the following: "Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal.

The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis."