Not a month has passed since Equifax suffered one of the most significant breaches in history, only to find itself compromised… again. Unlike the data breach, this incident was a hack of a site under Equifax's domain. A link on Equifax's Credit Report Assistance page was spotted redirecting users to a malicious site that requested a bogus Flash update.
The malicious site was first discovered by security analyst Randy Abrams while he was attempting to correct incorrect information in his credit report. The affected link sits behind the "Get Started" button on the website's Credit Report Assistance Overview page, under the "Other Ways to Obtain a Free or Discounted Credit Report" header. After clicking the button, the browser would be redirected to a web address, centerbluray dot info, containing the fake update prompt.
– Video by Abrams depicting the affected site
Being a malware analyst, Abrams took the opportunity to see what this campaign was all about. Clicking the fake update ends up delivering a downloader, MediaDownloaderIron.exe, for the malvertising program Adware.Eorezo. Equifax has since taken down the page and released a statement saying they are aware of the issue. They also state that their internal systems were not breached on this occasion. Further analysis shows that it was not Equifax itself that was hacked, but a third-party analytics vendor employed by them.
“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,”
“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.”
Francesca De Girolami – Equifax Spokesperson
This is a vulnerable time for Equifax, given their changes in leadership and updates to their security infrastructure. They say bad things happen in threes. Let's just hope, for Equifax's sake and ours, that is not the case. Technically the vulnerability was not in Equifax's own systems, but the fact remains that it happened on their site, and therefore they are still responsible for it.