Equifax Website Hacked to Serve Malware Because of Course It Was
Karl Marx once famously remarked that history was known to speak twice, "first as tragedy, the second time as farce." It's one of his most famous quotations, and it's ridiculously applicable to the latest events in the blazing dumpster fire that is Equifax. Earlier today, we reported that Equifax acknowledged losing 11 million US driver's licenses and leaking data on some 15 million citizens in the UK. Now we've hit another "milestone"–a US security researcher reports being served malware multiple times from the Equifax website.
To summarize: The company that caused the worst data breach in US (and possibly global) history, whose blatant security malpractice led to the firing of its CEO, CIO, and CSO, has now been serving malware, courtesy of what appears to be a compromised advertising partner. A video Ars Technica posted below shows the redirect attack in action.
The report said security researcher Randy Abrams visited the site, hoping to correct some false information in his credit report. Once there, he was hit by several redirects, followed by a Flash player install. This sort of attack is the kind of lowest-common-denominator that focuses on non-technical users. But given how many non-technical users were impacted by Equifax's terrible life choices, it's not crazy to think some of them will wind up fooled.
The attack in question is called Adware.Eorezo, and it's listed as attacking Internet Explorer (the attacks shown in the video above happen on Edge). But while Adware.Eorezo has been out in the wild since 2022, it's clearly been upgraded for this particular push. Abrams reports that he was served the malware repeatedly when he reloaded the website, and that only a few of the online virus scanners could detect he was being handed malware at all.
If the malware payload was being hosted by a third-party site and injected into Equifax, then technically it's not Equifax doing the distributing. But there's a problem with that line of argument. Equifax may not be responsible for the malware's distribution, but it's still responsible for the experience people have on its own website. This very much includes not relying on third-party analytics or advertising networks, if that's the only way to be 100 percent certain that the experience people have on-site is actually safe. Anything else, and you're running the now-demonstrated risk that people who show up wanting to protect or investigate their credit reports will actually have their information stolen again. Mobile users also appear to have been affected.
Equifax sent an update to Ars, writing:
We are aware of the situation identified on the equifax.com website in the credit report aid link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.
Tragedy and farce indeed.
Source: https://www.extremetech.com/internet/257364-equifax-website-hacked-serve-malware-course
Posted by: ayondeffords.blogspot.com