Clicking Flash Update on the Equifax Site Results in Adware

In the wake of May’s Equifax website breach that reportedly involved personal data of 145.5 million U.S. consumers, the credit reporting service’s site was manipulated again this week. On Wednesday, and again on Thursday, fraudulent Adobe Flash updates appeared that infected computers with adware when clicked. Only three of 65 antivirus providers detected the adware. Security analyst Randy Abrams discovered the issue while investigating false information that had appeared on his credit report. Meanwhile, federal legislators have introduced a new cybersecurity bill to help protect consumers.

Abrams was intrigued when he came across the fraudulent updates. “To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once,” notes Ars Technica. However, after experimenting, Abrams “encountered the bogus Flash download links on at least three subsequent visits.”


Apparently, only Panda, Symantec and Webroot detected the downloaded file as adware.

“It’s not yet clear precisely how the Flash download page got displayed,” Ars explains. According to “separate malware analysis from Payload Security … the code is highly obfuscated and takes pains to conceal itself from reverse engineering.”

“The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont … make a strong case that Equifax was working with a third-party ad network or analytics provider that’s responsible for the redirects. In that case, the breach, technically speaking, isn’t on the Equifax website and may be affecting other sites as well.”
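The analysis quoted above points at a third-party ad or analytics script as the source of the redirects, which is why the problem could surface on a site whose own servers were never touched. A basic defender-side check is to inventory which origins a page loads active content (scripts, frames, embeds) from and flag any that are not on a known vendor list. The script below is an added example, not code from the article, from Equifax, or from the researchers it cites; the page URL, the allowlist and the sample HTML are constructed for illustration.

```python
"""Added example (not from the article): audit the third-party origins a page
pulls active content from, so an unexpected ad/analytics host shows up in review.
The allowlist and the sample HTML below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

# Constructed allowlist: first-party hosts plus vendors the site owner knowingly uses.
ALLOWED_ORIGINS = {
    "https://www.example-bureau.test",
    "https://cdn.example-bureau.test",
}

# Constructed sample page: two expected resources plus two unlisted third-party hosts.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-bureau.test/lib.js"></script>
<script src="https://ads.unknown-vendor.test/tag.js"></script>
</head><body>
<iframe src="https://widgets.another-vendor.test/frame"></iframe>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect the URL of every script/iframe/embed/object resource on the page."""

    TAG_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTR.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # Resolve relative URLs against the page URL so first-party
                # resources map to the first-party origin.
                self.resources.append(urljoin(self.page_url, value))


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def unexpected_origins(html, page_url, allowed=ALLOWED_ORIGINS):
    """Return sorted origins that load active content but are not on the allowlist."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {origin_of(u) for u in collector.resources}
    return sorted(found - {a.lower() for a in allowed})


if __name__ == "__main__":
    for origin in unexpected_origins(SAMPLE_HTML, "https://www.example-bureau.test/"):
        print("review third-party origin:", origin)
```

Run periodically against a fetched copy of each public page and alert when the returned list is non-empty; a vendor that legitimately joins the page should be added to the allowlist deliberately, so that a tag nobody on the team recognises gets looked at rather than ignored. Note that this only inventories what is statically present in the HTML; scripts that themselves load further scripts at runtime need a browser-side inventory (for example a Content-Security-Policy in report-only mode) to be seen.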

According to Fortune, a company spokesperson explained that Equifax IT and security teams are “looking into this matter and, out of an abundance of caution, have temporarily taken this page offline.”

Meanwhile, legislators are working to prevent massive breaches from happening in the future. Congressman Patrick McHenry introduced a bill yesterday called the Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act.

“The PROTECT Act, if passed, would lead to federally mandated cybersecurity standards for credit bureaus, along with inspections to ensure compliance,” explains Fortune. “It would also stop credit bureaus from using Americans’ social security numbers as a means of identification, and ‘create a national framework for credit freezes so that victims of identity theft, active military personnel, people over 65 years of age, and children are protected.’”