Equifax Takes Down Compromised Page Redirecting to Adware Download

Equifax has temporarily taken down one of its consumer-facing credit report services after the webpage was compromised and serving adware via a phony Flash Player download.

Update: Equifax said Thursday afternoon that it was not compromised and instead confirmed it was a third-party partner’s code running on the Equifax site that was serving adware. Below is Equifax’s statement:

“Despite early media reports,  Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal.  The  issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”

Equifax has temporarily taken down one of its consumer-facing credit report services after the webpage was compromised and serving adware via a phony Flash Player download.

The discovery was made by independent security analyst Randy Abrams, who posted a brief report and video, below, about the incident Wednesday on his personal site.

Equifax acknowledged the compromise in a statement provided to Threatpost.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link.  Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline,” an Equifax spokesperson said. “When it becomes available or we have more information to share, we will.”

The incident compounds the severity of the cloud hanging over the credit reporting agency since it disclosed on Sept. 7 that it had been breached and the personal data of 145 million Americans and others worldwide had been stolen. The breach has already cost Equifax’s chief executive, chief technology officer and chief information security officer their jobs and has made it the latest poster child for mega-breaches.

Users who click through today to the affected webpage are getting a notice from Equifax apologizing that the site is down for maintenance.

Abrams told Threatpost that after the Equifax breach, he signed up for its Trusted ID credit monitoring service. He was alerted that Experian had made a change to his credit report that was incorrect. As he sought assistance through the Equifax site, he was presented with a redirect to a page hosting the Flash Player download.

“I clicked on the button and up comes Flash Player. Now I’m seasoned, I know better,” Abrams said. The situation wouldn’t immediately replicate for Abrams, but he said that after he cleared his cache and used a VPN to connect, he was able to repeat the incident several times. Abrams sent Equifax a direct message on Twitter and emails to the community looking for internal contacts.

It’s unknown how long the page had been compromised, nor how the attackers were able to take over the page and force it to redirect users’ browser to the site hosting the adware.

“It’s pretty stealthy adware,” Abrams said. “I’m pretty confident they had it taken down, or I don’t know, maybe the bad guys got wise to it because of the number of hits going to their page.”

The executable is called Mediadownloader.exe, according to a sandbox analysis shared by Abrams. From the video Abrams took of the attack, there are five distinct redirects before the browser hits the landing page at cdn[.]centerbluray[.]info. A thread on Hacker News reacting to an Ars Technica report on the attack theorized that the malicious script being loaded on the Equifax page was being injected by a compromised analytics provider, indicating this could compromise could have originated via a malicious ad network.

“I’m glad it’s down,” Abrams said. “I’d rather have the information page available to customers, but I’m glad it’s not causing damage.”

This article was updated Oct. 12 with a revised statement from Equifax. 

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.