Credit-reporting agency Equifax, which has been embroiled in a richly-deserved sea of anger after losing the sensitive personal and financial info of at least 145 million people to hackers, found itself in yet another hole this week after its website began redirecting users to malware . On Friday, the Wall Street Journal reported the problems with the site began because Equifax was still using a defunct web analytics plugin called Fireclick which had since been taken over by scammers.
Malwarebytes Corp. researchers investigated the matter and discovered that Digital River, the company which made Fireclick, discontinued the service in mid-2016 and subsequently released the Netflame.cc domain where it was hosted. That domain was subsequently acquired by scammers and used to host “fraudulent online surveys, adware and software designed to steal online-banking credentials,” Malwarebytes analyst Jerome Segura told the Journal, adding that he had discovered a similar security hole on competitor TransUnion’s Central American site.
According to the paper, the likeliest explanation is Central Source LLC, a joint venture between Equifax and TransUnion to run annualcreditreport.com which had a Fireclick contract which expired in May 2014.
Picking up expired or abandoned domains is a common tactic to lure unsuspecting web users into clicking on sketchy sites or to hijack obsolete code running on older websites. Per Ars Technica, the compromised plugin in question allowed the unknown third party to redirect visitors to Equifax’s website to numerous separate domains serving bogus Flash downloads. The fake download was identified by Symantec as Adware.Eorezo, a program which loads ads on users’ computers, and is only listed on the Symantec, Panda and Webroot malware databases.
After news its website was hijacked spread, the IRS suspended a contract with Equifax to have the company verify taxpayers’ identities after pressure grew from the Senate Banking Committee and the public. [Wall Street Journal]