
Karl Marx once famously remarked that history was known to repeat itself, "first as tragedy, the second time as farce." It's one of his most famous quotations, and it's ridiculously applicable to the latest events in the blazing dumpster fire that is Equifax. Earlier today, we reported that Equifax acknowledged losing 11 million US driver's licenses and leaking data on some 15 million citizens in the UK. Now we've hit another "milestone": a US security researcher reports being served malware multiple times from the Equifax website.

To summarize: The company that caused the worst data breach in US (and possibly global) history, whose blatant security malpractice led to the firing of its CEO, CIO, and CSO, has now been serving malware, courtesy of what appears to be a compromised advertising partner. A video Ars Technica posted shows the redirect attack in action.

The report said security researcher Randy Abrams visited the site, hoping to correct some false information in his credit report. Once there, he was hit by several redirects, followed by a Flash player install prompt. This is the kind of lowest-common-denominator attack that targets non-technical users. But given how many non-technical users were impacted by Equifax's terrible life choices, it's not crazy to think some of them will wind up fooled.

The attack in question is called Adware.Eorezo, and it's listed as attacking Internet Explorer (the attacks shown in the video happen on Edge). But while Adware.Eorezo has been out in the wild since 2012, it's clearly been upgraded for this particular push. Abrams reports that he was served the malware repeatedly when he reloaded the website, and that only a few of the online virus scanners could detect he was being handed malware at all.

If the malware payload was being hosted by a third-party site and injected into Equifax, then technically it's not Equifax doing the distributing. But there's a problem with that line of argument. Equifax may not be responsible for the malware's distribution, but it's still responsible for the experience people have on its own website. This very much includes not relying on third-party analytics or advertising networks, if that's the only way to be 100 percent sure that the experience people have on-site is actually safe. Anything else, and you're running the now-demonstrated risk that people who show up wanting to protect or investigate their credit reports will actually have their data stolen all over again. Mobile users also appear to have been affected.

Equifax sent an update to Ars, writing:

We are aware of the situation identified on the equifax.com website in the credit report assist link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more data to share, we will.

Tragedy and farce indeed.