Embattled credit reporting firm Equifax had another security stumble as a website hack led to users to a drive-by...
download attack, and a security researcher found a similar issue affecting another credit reporting agency in TransUnion.
In both cases, the drive-by download attacks were blamed on third-party scripts that had been compromised with malvertising. Randy Abrams, an independent security analyst, discovered the Equifax website hack while intending to check information from his personal credit report. Abrams found the Equifax website redirected to a page trying to deliver adware through a fake Adobe Flash installer.
Segura noted that Fireclick is a "legitimate analytics company," but its script was compromised and pointed to a number of domains before the drive-by download attacks led to a fake Flash installer.
Chris Olson, CEO of The Media Trust, said the companies should not try to shift blame for these website hacks.
"Contrary to what Equifax claims, they are clearly at fault for allowing their website to be used to surreptitiously distribute malware to unaware consumers. It doesn't matter that a third-party hosted the malicious file or that this consumer-facing website is not connected to internal systems or databases," Olson told SearchSecurity. "Despite the complex and highly-dynamic nature of the internet, Equifax has a responsibility to control their digital vendors and assets."
Both Equifax and TransUnion confirmed the drive-by download attacks in separate statements and both also claimed that company systems were not compromised in the incidents.
"Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal," a spokesperson said in a statement. "The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis."
Reactions to the website hacks
Richard Henderson, global security strategist at Absolute, said it's "hard to feel sorry for Equifax after all of the troubles and missteps they've taken, but in this case it doesn't appear that this incident is entirely their fault."
Olson said the current situation with Equifax is "stunning" considering a website flaw led to the original breach of user data.
"It is one in a series of missteps and highlights general enterprise ignorance of how websites function. Considering the fallout from the first breach, Equifax should have anticipated additional compromises and taken defensive steps to identify all parties contributing code to all of their websites. If market performance is anything to go by, there is no doubt that Equifax has lost consumer trust."
Ultimately though, Henderson doesn't think Equifax deserves sympathy for the drive-by download attacks, because "after all of the recent events and the incredibly long amount of time it took them to let us all know something happened."
"There should have been a complete, comprehensive, and exhaustive audit and analysis of every customer-facing asset and a new risk assessment done," Henderson said. "Based on the staggering amount of other issues found throughout their infrastructure all over the world, it's clear that wasn’t done or hasn't been completed yet."
Learn how enterprises can defend against malicious ads
Find out the difference between drive-by login and drive-by download attacks
Get info on how the risk of DNS attacks goes beyond websites