One month after news came out about a massive breach at Equifax, the credit bureau is still struggling with the fallout. The latest blow arrived yesterday when an independent security researcher reported discovering that links on the Equifax Web site were attempting to redirect him to a malicious URL.
In a blog post yesterday, analyst Randy Abrams said that he visited the Equifax site to check and see whether false information from another credit bureau had made its way into his credit report on Equifax. When he tried to access his personal information, he said he was redirected to a site with a fake Flash Player update screen. In a tweet yesterday, Abrams said it appeared that the issue might indicate Equifax' Web site had been breached again.
Equifax revealed in early September that its systems had been compromised sometime between May and July, causing sensitive personal data for around 143 million Americans, as well as a number of Canadian and British citizens, to be exposed. Early this month, the company increased its estimate of the number of U.S. victims by 2.5 million. The U.K.'s National Cyber Security Centre reported yesterday that nearly 700,000 Britons might have been affected by the breach.
Flash Update Link a Red Flag
Abrams noted on his blog that he "just sort of tripped over" the latest problem at Equifax' Web site while trying to view his credit information. The appearance of a Flash update site was an immediate red flag, according to Abrams.
"Seriously folks, Equifax has enough on their plate trying to update Apache," he said. "They are not going to help you update Flash. I know that nobody is surprised at my find, but watching Equifax is getting to be like watching a video of United Airlines 'deplaning' a passenger . . . It hurts."
The fake Flash download links appeared during at least four separate visits Abrams made to the Equifax site, according to a report today in Ars Technica. An analysis by the German IT firm Payload Security gave the malicious file that the page attempted to load a threat score of 96 out of a possible 100.
'Gets Scarier the More I Look'
Early last week, Equifax said the cybersecurity company Mandiant had completed a forensic investigation of the breach, although the credit bureau's own internal investigation remains ongoing. The company added it's working on its own and with outside advisors to "implement and accelerate long-term security improvements."
In the wake of last month's report, Equifax' chief information officer and chief security officer both announced immediate plans to retire. The company is also offering to help people affected by the breach with credit freezes and credit monitoring.
Equifax continues to come under fire from many directions, not only for the initial breach but for its subsequent handling of the incident. After yesterday's update by the National Cyber Security Centre, U.K.-based security writer Graham Cluley called the company's response to date "shambolic."
"Equifax said that it had not yet started notifying the affected UK consumers because it did not think it was 'appropriate' as it was waiting until 'the full forensics investigation was completed,'" Cluley wrote yesterday on his blog. "Given the mess Equifax has made in its attempts to respond to this breach, you would think the credit bureau would be itching to repair its reputation in the eyes of consumers everywhere. Honestly, I'm not sure that reasoning does the trick."
Meanwhile, U.S.-based security writer Brian Krebs has pointed out that the Equifax breach could expose not only people's names, Social Security numbers, and birth dates, but also details about their salary and employment histories. Krebs also criticized the Web site that Equifax created to keep people informed about the issue.
"I've been spending quite a bit of time looking at Equifax’s various Web properties over the past few weeks and I have to say it gets scarier the more I look," he said.