Another stumble for Equifax: Code on site links to malware
WASHINGTON — Equifax Inc. took part of its website offline Thursday after code on the site redirected users to a malicious web address urging them to download malware.
Also Thursday, a top Republican congressman introduced a bill that would stop credit-reporting companies such as Equifax from using Social Security numbers to verify Americans’ identities.
The moves come a month after Equifax revealed that a data breach exposed the Social Security numbers and birthdates of as many as 145.5 million Americans. That hack took place after Equifax failed for several months to fix a software flaw that federal officials had warned about in March.
Late Wednesday, independent security analyst Randy Abrams said in a blog post that while he was trying to download his credit report from the Equifax site, he clicked a link that kicked him to a third-party website with “one of the ubiquitous fake Flash Player Update screens.” His post was first reported by the technology news site Ars Technica.
Equifax said Thursday afternoon that the problem stemmed from code provided by a third party.
“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” the company said in a statement. “Since we learned of the issue, the vendor’s code was removed from the web page and we have taken the web page offline to conduct further analysis.”
Equifax emphasized that its “systems were not compromised” and said that despite early reports, the problem “did not affect our consumer online dispute portal.”
Its spokespeople did not answer questions about when the company learned of the problem or how many website visitors clicked the link.
Everyone uses thirdparty code, said Jeff Williams, chief technology officer and co-founder of Contrast Security. However, he said in a statement, doing so “creates an obligation to analyze for vulnerabilities continuously and respond to new vulnerabilities/attacks within hours.”
This wouldn’t be the first time that people trusting Equifax had been sent to a questionable third-party site.
After announcing the massive data breach last month, Equifax set up a website — equifaxsecurity 2017.com — to help people determine whether they had been affected.
But on multiple occasions, Equifax’s Twitter account instead advised people to go to a different site with a similar address. That site had been created by an engineer who wanted to show how easy it would be to set up a phishing site that mimicked Equifax’s.
Separately, Rep. Patrick McHenry, R-N.C., introduced legislation Thursday that would crack down on credit-reporting companies. It would require Equifax, Experian and TransUnion to phase out the use of Social Security numbers by 2020.
The legislation also would create a national framework for consumers to freeze access to their credit to prevent identity theft as well as mandating the federal government to create uniform cybersecurity standards for credit-reporting companies and conduct on-site examinations.
“The bill I’ve introduced today takes an important first step in providing meaningful reforms to help Americans who have been impacted by this breach,” McHenry said. “It is focused on prevention, protection and prohibition.”
The breach revealed last month, and Equifax’s bungling in the aftermath, led to bipartisan outrage. The company’s former CEO, Richard Smith — who stepped down after the breach was disclosed — was slammed by lawmakers in four congressional hearings last week.