Karl Marx once famously remarked that history was known to repeat itself, "first as tragedy, the second time as farce." It's one of his most famous quotations, and it's ridiculously relevant to the latest events in the blazing dumpster fire that is Equifax. Earlier today, we reported that Equifax admitted losing 11 million US driver's licenses and leaking data on some 15 million residents in the UK. Now we've hit another "milestone": a US security researcher reports being served malware multiple times from the Equifax website.
To summarize: The company that caused the worst data breach in US (and possibly world) history, whose blatant security malpractice led to the firing of its CEO, CIO, and CSO, has now been serving malware, courtesy of what appears to be a compromised advertising partner. A video Ars Technica posted below shows the redirect attack in action.
The report said security researcher Randy Abrams visited the site, hoping to correct some false information in his credit report. Once there, he was hit by multiple redirects, followed by a Flash player installation prompt. This kind of attack is the lowest-common-denominator sort that targets non-technical users. But given how many non-technical users were impacted by Equifax's terrible life choices, it's not crazy to think some of them will wind up fooled.
The attack in question is known as Adware.Eorezo, and it's listed as attacking Internet Explorer (the attacks shown in the video above happen on Edge). But while Adware.Eorezo has been out in the wild since 2012, it's clearly been upgraded for this particular push. Abrams reports that he was served the malware repeatedly when he reloaded the website, and that only a few of the online virus scanners could detect he was being handed malware at all.
If the malware payload was being hosted by a third-party website and injected into Equifax, then technically it's not Equifax doing the distributing. But there's a problem with that line of argument. Equifax may not be responsible for the malware's distribution, but it's still responsible for the experience people have on its own website. This very much includes not relying on third-party analytics or advertising networks, if that's the only way to be 100 percent certain that the experience people have on-site is actually safe. Anything else, and you're running the now-demonstrated risk that people who show up wanting to protect or check their credit reports will have their data stolen again. Mobile users also appear to have been affected.
Equifax sent an update to Ars, writing:
We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.
Tragedy and farce indeed.