Equifax website hit by malvertising – will the pain never end?

We suspect that you’ve heard the proverb, “It never rains but that it pours”.

It means that when bad stuff starts, you often get a whole lot of it hammering down on you – a literary way of suggesting that things are going to get worse before they get better.

People have been saying that proverb for 300 years or more, but it could have been written especially for Equifax, the way things are going.

First there was the breach, then the silly domain name, then the tweet that advertised a mis-spelling of the silly domain name, then the news that the breach was bigger than first thought, and then the news that the breach was bigger than first thought by more than was first thought.

How do you top that?

According to security blogger Randy Abrams, you top it by getting hit by malvertising.

That’s when a third-party company that you trusted to deliver content into your website (ads, perhaps, or some sort of tracking service)…

…screws up and delivers dodgy content that turns your site into a temporary but visible purveyor of tat.

Abrams published a short video showing him browsing to Equifax’s signup page to request a personal information check – as you might do after a breach.

(Abrams says he was signing up so he could check his data because he suspected there might be a mistake in it that he wanted to correct.)

He started here:

But then you see his browser quickly bouncing him through a sequence of third-party domains, ending up on a content delivery network called centerbluray, which promptly served up a fake Flash Player installer that claimed it would update you to the latest version of Flash:

As Abrams drily quipped on his blog:

Seriously folks. Equifax has enough on their plate trying to update Apache. They are not going to help you update Flash.

What happened?

According to Reuters, Equifax explained the blunder as follows:

The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.

In a word, malvertising, which we defined above.

The page that Abrams was on when the SNAFU happened now redirects to an Equifax holding page that tells the story rather differently (and uses an unencrypted, unauthenticated HTTP page to present its upbeat message about better service, too):

So, there you have it – Equifax is “working diligently to better serve you.”

As we said at the start, it never rains but that it pours.


This is a Security Bloggers Network syndicated blog post. Read the original at: Naked Security - Sophos 2017-10-12.