Equifax has taken down a webpage that offered credit report assistance after third-party code on it directed visitors to download and install adware disguised as a fake Adobe Flash Player update. The incident comes just a month after the embattled credit firm disclosed that it suffered a massive breach in July that compromised valuable personal and financial data of 145.5 million Americans.
Security researcher Randy Abrams first discovered the latest security issue when browsing a page on Equifax's consumer information services portal when he was redirected to a malicious URL.
"As I tried to find my credit report on the Equifax website I clicked on an Equifax link and was redirected to a malicious URL," Abrams wrote in a blog post. "The URL brought up one of the ubiquitous fake Flash Player Update screens."
The fake Flash update apparently tricked users into downloading an adware identified by Symantec as Adware.Eorenzo, which floods Internet Explorer with ads.
Equifax temporarily took down the webpage out of "an abundance of caution" while it investigated the issue. It later reported that the problem stemmed from code provided by a third-party vendor.
"The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content," Equifax said in a statement. "Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis."
The company emphasised that its systems "were not compromised" and that the reported issue "did not affect our consumer online dispute portal." It did not name the third party vendor or specify how long the code was live on its website. It is still unclear how many people clicked on the malicious URL or how attackers were able to take over the page.
This is not the first time Equifax inadvertently led its users to a questionable third-party site.
Equifax set up a separate website to help people determine if they were affected by the breach. However, its official Twitter account accidentally directed people to a fake phishing website with a similar URL.
Equifax has come under intense scrutiny since it revealed that hackers breached its systems earlier this year to access millions of customers' sensitive information including names, Social Security numbers, dates of birth and other personal data. The firm has been hit with multiple lawsuits and is facing probes by multiple states, Congress, the FBI, the Federal Trade Commission and, reportedly, the Justice Department.
The company said hackers exploited a months-old unpatched Apache Struts server vulnerability — a patch for which was made available in March, over a month before the cyberattack took place.
The company has also been scrutinised over its delayed disclosure, security practices, its handling of the aftermath and three senior executives who sold stock after the hack was discovered but before it was publicly revealed.
Last week, former Equifax CEO Richard Smith was grilled by multiple congressional committees over the circumstances surrounding the breach and the company's response to the attack.