It’s been a bad month for the credit reporting agency Equifax. Not since BP’s Deepwater Horizon spilled more than 200 million gallons of oil into the Gulf of Mexico has a company so comprehensively shredded its credibility or outraged the public as Equifax did when it revealed in September a cyber-breach had compromised the data of 145 million people.
By those standards, Thursday’s news that the company’s website has been caught up in another cyber attack, this time redirecting users to a nearly undetectable bit of malware, almost feels like small potatoes. But the brazenness of the hackers — and the website’s seemingly glacial pace in responding to the latest breach — is staggering in its own way. Ars Technica reports what independent security researcher Randy Abrams found when he happened to visit the site to report incorrect information on his credit report.
The site that previously gave up personal data for virtually every US person with a credit history was once again under the influence of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits.
Here’s a video Abrams made showing how the Equifax site redirected users toward the malware, which is so cleverly engineered that only three out of the top 65 antivirus programs could even detect it.
According to Ars, it’s unclear whether the redirect is the result of a direct attack on Equifax or if the fault lies with another party the company had partnered with to provide advertising or analytics services. Abrams also reported the redirect to the malware was gone for a period of time late Wednesday night but was back Thursday morning.
Equifax has now shut down that section of the site out of what it termed in a statement “an abundance of caution.”