Equifax website hack blamed on drive-by download attack

Security researchers find drive-by download attacks affecting both Equifax and TransUnion, but Equifax claims systems were not compromised in the website hack.

Embattled credit reporting firm Equifax had another security stumble as a website hack led to users to a drive-by download attack, and a security researcher found a similar issue affecting another credit reporting agency in TransUnion.

In both cases, the drive-by download attacks were blamed on third-party scripts that had been compromised with Malvertising. Randy Abrams, an independent security analyst, discovered the Equifax website hack while intending to check information from his personal credit report. Abrams found the Equifax website redirected to a page trying to deliver adware through a fake Adobe Flash installer.

After Abrams findings on the Equifax website hack was first reported by Ars Technica, Jerome Segura, lead malware intelligence analyst at Malwarebytes, investigated a piece of JavaScript thought to be behind the drive-by download attacks -- fireclick.js. Segura said in a blog post that he couldn't research this script from Equifax's website because it was already down, but found it used by "another consumer reporting credit agency, namely TransUnion and their Central America website." 

Segura noted that Fireclick is a "legitimate analytics company," but its script was compromised and pointed to a number of domains before the drive-by download attacks led to a fake Flash installer.

Chris Olson, CEO of The Media Trust, said the companies should not try to shift blame for these website hacks.

"Contrary to what Equifax claims, they are clearly at fault for allowing their website to be used to surreptitiously distribute malware to unaware consumers. It doesn't matter that a third-party hosted the malicious file or that this consumer-facing website is not connected to internal systems or databases," Olson told SearchSecurity. "Despite the complex and highly-dynamic nature of the internet, Equifax has a responsibility to control their digital vendors and assets."

Both Equifax and TransUnion confirmed the drive-by download attacks in separate statements and both also claimed that company systems were not compromised in the incidents.

"Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal," a spokesperson said in a statement. "The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis."

Reactions to the website hacks

Richard Henderson, global security strategist at Absolute, said it's "hard to feel sorry for Equifax after all of the troubles and missteps they've taken, but in this case it doesn't appear that this incident is entirely their fault."

"There are hundreds of thousands of other websites and assets online that follow a similar model of embedding third-party traffic analysis tools, advertising network scripts, you name it. All of these services are provided by third-parties and are usually simple JavaScript snippets that are placed inside the site's code," Henderson told SearchSecurity. "This is an industry standard practice, and unfortunately sometimes those third parties get compromised and are subverted to serve malicious content."

Olson said the current situation with Equifax is "stunning" considering a website flaw led to the original breach of user data.

"It is one in a series of missteps and highlights general enterprise ignorance of how websites function. Considering the fallout from the first breach, Equifax should have anticipated additional compromises and taken defensive steps to identify all parties contributing code to all of their websites. If market performance is anything to go by, there is no doubt that Equifax has lost consumer trust."

Ultimately though, Henderson doesn't think Equifax deserves sympathy for the drive-by download attacks, because "after all of the recent events and the incredibly long amount of time it took them to let us all know something happened."

"There should have been a complete, comprehensive, and exhaustive audit and analysis of every customer-facing asset and a new risk assessment done," Henderson said. "Based on the staggering amount of other issues found throughout their infrastructure all over the world, it's clear that wasn’t done or hasn't been completed yet."

 

Next Steps

Learn how enterprises can defend against malicious ads    

 

Find out the difference between drive-by login and drive-by download attacks

 

Get info on how the risk of DNS attacks goes beyond websites

Dig Deeper on Application and platform security