Karl Marx once famously remarked that history was known to speak twice, “first as tragedy, the second time as farce.” It’s one of his most famous quotations, and it’s ridiculously applicable to the latest events in the blazing dumpster fire that is Equifax. Earlier today, we reported that Equifax acknowledged losing 11 million US driver’s licenses and leaking data on some 15 million citizens in the UK. Now we’ve hit another “milestone”: a US security researcher reports being served malware multiple times from the Equifax website.
To summarize: The company that caused the worst data breach in US (and possibly global) history, whose blatant security malpractice led to the firing of its CEO, CIO, and CSO, has now been serving malware, courtesy of what appears to be a compromised advertising partner. A video posted by Ars Technica shows the redirect attack in action.
The report said security researcher Randy Abrams visited the site, hoping to correct some false information in his credit report. Once there, he was hit by several redirects, followed by a fake Flash player install prompt. This sort of attack is a lowest-common-denominator approach aimed at non-technical users. But given how many non-technical users were impacted by Equifax’s terrible life choices, it’s not crazy to think some of them will wind up fooled.
The attack in question is called Adware.Eorezo, and it’s listed as targeting Internet Explorer (the attacks shown in the Ars Technica video happen on Edge). But while Adware.Eorezo has been out in the wild since 2012, it’s clearly been upgraded for this particular push. Abrams reports that he was served the malware repeatedly when he reloaded the website, and that only a few of the online virus scanners could detect that he was being handed malware at all.
If the malware payload was being hosted by a third-party site and injected into Equifax, then technically it’s not Equifax doing the distributing. But there’s a problem with that line of argument. Equifax may not be responsible for the malware’s distribution, but it’s still responsible for the experience people have on its own website. This very much includes not relying on third-party analytics or advertising networks, if that’s the only way to be 100 percent certain that the experience people have on-site is actually safe. Anything else, and you’re running the now-demonstrated risk that people who show up wanting to protect or investigate their credit reports will actually have their data stolen again. Mobile users also appear to have been affected.
Equifax sent an update to Ars, writing:
We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.
Tragedy and farce indeed.