A security researcher noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to websites set up to serve adware and scams.
Independent security analyst Randy Abrams was trying to obtain his credit report from Equifax’s website when he was redirected to a page offering a fake Flash Player installer. The browsing session was bounced through multiple domains before the final page was reached.
It’s not uncommon for cybercriminals to deliver malware using fake Flash Player installers, but in this case the website pushed adware.
The Equifax webpage, hosted at aa.econsumer.equifax.com, did not redirect the connection when accessed by SecurityWeek on Thursday morning. Abrams believes Equifax removed the malicious code from its website sometime on Wednesday.
An analysis of the domains involved in the redirection chain shows that they can lead to more than adware. The final destination depends on the type of device and the geographical location of the user.
SecurityWeek has seen redirects to fake Android and iOS updates, premium SMS services, and other scammy sites. Various online security services detect the domains involved in the attack as malicious, and while there is no evidence of actual malware being served, the possibility cannot be ruled out.
After visiting the compromised site several times from the same device, the user is taken to a website belonging to a legitimate business that is likely trying to promote its site via ad networks or SEO (search engine optimization) services.
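A defender reproducing a chain like the one described above wants each hop recorded, the point where the session leaves the first-party site flagged, and the device variation captured. The following is an added example, not code from the article or from any vendor involved; every hostname and the hop table are constructed, and `fake_fetch` stands in for a real HTTP client.

```python
# Follow a redirect chain hop by hop and note where it leaves the first-party
# site. Added example; all hostnames and the hop table below are constructed.
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

def base_domain(host: str) -> str:
    """Approximate registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

@dataclass
class Trace:
    hops: list = field(default_factory=list)        # every URL visited, in order
    off_origin: list = field(default_factory=list)  # third-party hosts, first-seen order
    looped: bool = False
    truncated: bool = False

def trace_redirects(start: str, fetch, ua: str) -> Trace:
    """fetch(url, ua) returns the next Location (absolute or relative), or None
    when the response is final. The device is simulated through the User-Agent."""
    first_party = base_domain(urlsplit(start).hostname or "")
    t, seen, url = Trace(hops=[start]), {start}, start
    while (nxt := fetch(url, ua)) is not None:
        nxt = urljoin(url, nxt)  # relative Location resolves against the current URL
        host = urlsplit(nxt).hostname or ""
        if base_domain(host) != first_party and host not in t.off_origin:
            t.off_origin.append(host)
        if nxt in seen:          # redirect loop
            t.looped = True; break
        t.hops.append(nxt); seen.add(nxt); url = nxt
        if len(t.hops) > 10:     # runaway chain, stop following
            t.truncated = True; break
    return t

# Constructed offline stand-in for the network: a chain whose final page depends
# on the device, as described above (domains are made up).
CHAIN = {
    "https://www.example-bureau.test/credit-report": "https://t.example-vendor.test/r?id=1",
    "https://t.example-vendor.test/r?id=1": "/hop2",
    "https://t.example-vendor.test/hop2": {"android": "https://update.example-bad.test/android",
                                           "desktop": "https://flash.example-bad.test/install"},
}

def fake_fetch(url: str, ua: str):
    entry = CHAIN.get(url)
    if isinstance(entry, dict):
        return entry["android" if "Android" in ua else "desktop"]
    return entry

def trace_for_device(ua: str) -> Trace:
    return trace_redirects("https://www.example-bureau.test/credit-report", fake_fetch, ua)
```

Against a live site, `fetch` would issue the request with redirects disabled and return the `Location` header; comparing traces across User-Agents and exit locations is what exposes the device- and geo-dependent endpoints the article mentions.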
Contacted by SecurityWeek, an Equifax spokesperson stated, “We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.”
Equifax recently informed customers that hackers breached its systems after exploiting an Apache Struts 2 vulnerability that had been patched and exploited in the wild since March. The attackers gained access to the personal information of more than 140 million individuals, including hundreds of thousands of Canadian and British citizens.
“I’m really not trying to kick Equifax while they are down. There are already 150 million other people doing that. I just sort of tripped over them,” Abrams said in a blog post.
“I know that nobody is surprised at my find, but watching Equifax is getting to be like watching a video of United Airlines ‘deplaning’ a passenger… It hurts,” he added.
Many of Equifax’s cybersecurity failings came to light following the breach, including the company directing customers to the wrong website and vulnerabilities in its own websites.
UPDATE. After an investigation, Equifax determined that the problem was caused by a third-party vendor’s code. The company has provided the following statement to SecurityWeek:
“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal.
The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”
UPDATE 2. The same script also caused problems for another Big Three credit reporting agency, TransUnion.
Headline updated to remove the word “hacked”