Equifax has been left red-faced again after its website began displaying malicious content stemming from third party vendor code.
Reports started to emerge over the past day or so that users clicking through on the main Equifax.com site were being presented with a scam Adobe Flash update page with a centerbluray.info URL.
The domain is detected only by Google and Malwarebytes as malicious.
Clicking on said update would infect the user’s computer with adware, currently only detected by three out of 65 AV firms on VirusTotal: Panda, Symantec and Webroot.
A statement Equifax sent to researcher Kevin Beaumont revealed the problem was down to a third-party partner:
“Despite early media reports Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal.
"The issue involves a third party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”
Although this incident turned out to be a supply chain hack on a partner, it threatens to further damage the reputation of the under-fire credit reporting agency, which was breached earlier this year and the highly sensitive records of 145.5 million Americans and 700,000 Brits compromised.
The incident should drive home the importance to organizations of due diligence on partners and regular scanning/testing of all web properties.
In related news, a US Republican congressman has introduced new legislation which would require credit agencies to stop using Social Security numbers by 2020.
White House cybersecurity coordinator, Rob Joyce, is known to favor replacing the identifiers altogether, perhaps with a modern cryptographic version.