Karl Marx once famously remarked that history was known to repeat itself twice, “first as tragedy, the second time as farce.” It’s one of his most famous quotations, and it’s ridiculously relevant to the latest events in the blazing dumpster fire that is Equifax. Earlier today, we reported that Equifax acknowledged losing 11 million US driver’s licenses and leaking data on some 15 million residents in the UK. Now we’ve hit another “milestone”: a US security researcher reports being served malware multiple times from the Equifax website.
To summarize: The company that caused the worst data breach in US (and possibly global) history, whose blatant security malpractice led to the firing of its CEO, CIO, and CSO, has now been serving malware, courtesy of what appears to be a compromised advertising partner. A video Ars Technica posted below shows the redirect attack in action.
The report said security researcher Randy Abrams visited the site, hoping to correct some false information in his credit report. Once there, he was hit by multiple redirects, followed by a Flash player install. This type of attack is the lowest-common-denominator kind that targets non-technical users. But given how many non-technical users have been impacted by Equifax’s terrible life choices, it’s not crazy to think some of them will wind up fooled.
The attack in question is called Adware.Eorezo, and it’s listed as attacking Internet Explorer (the attacks shown in the video above happen on Edge). But while Adware.Eorezo has been out in the wild since 2012, it’s clearly been upgraded for this particular push. Abrams reports that he was served the malware repeatedly when he reloaded the website, and that only some of the online virus scanners could detect he was being handed malware at all.
If the malware payload was being hosted by a third-party site and injected into Equifax, then technically it’s not Equifax doing the distributing. But there’s a problem with that line of argument. Equifax may not be responsible for the malware’s distribution, but it’s still responsible for the experience people have on its own website. This very much includes not relying on third-party analytics or advertising networks, if that’s the only way to be 100 percent certain that the experience people have on-site is actually safe. Anything less, and you’re running the now-demonstrated risk that people who show up looking to protect or check their credit reports will have their data stolen again. Mobile users also appear to have been affected.
Equifax sent an update to Ars, writing:
We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.
Tragedy and farce indeed.