Equifax’s beleaguered website—or rather, Equifax’s beleaguered customers, which is to say all of us—just can’t catch a break. First, a vulnerability in the credit agency’s web application software allowed hackers to break into the system in May and potentially abscond with sensitive data on 145.5 million customers. Equifax revealed that hack in September. Then, on Wednesday, security researcher Randy Abrams discovered that the company’s website had again been compromised, this time with malware attempting to trick customers seeking credit report assistance into downloading a fake Adobe Flash update.
Abrams found that the website was directing him to a suspicious Flash Player installation page when he tried to obtain his credit report. He shared screenshots and a video of the cyber scam with Ars Technica.
Clicking on the “install” button for the Adobe update would actually infect users’ computers with Adware.Eorezo, a program that opens advertising pages in internet browsers. Equifax sent Ars Technica a statement on the matter on Thursday:
We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.
If you visit the page in question now, you’ll be greeted by an apologetic error message.
However, some have been suggesting that it might not be the Equifax website that was delivering the malware, but rather an analytics provider or ad platform that the company employs. Whatever the case, it seems that Equifax’s web presence has become the agency’s perpetual Achilles heel.