Equifax website showed you ads full of malware, expert finds

As if suffering one of the worst hacks in history wasn't enough, Equifax has been attacked yet again.

Randy Abrams, an independent cybersecurity analyst, said Thursday that the company's website was serving up malicious software to visitors, spewing what's known as adware.

Abrams recently found that the Equifax website directed him to download what looked like a harmless Flash update but was actually a malicious piece of software known as Adware.Eorezo. Here's what adware does: It loads itself onto your computer and shows you unwanted ads when you're online.

To serve up the adware to visitors, the hackers appear to have redirected Abrams (and other visitors who corroborated his experience) from Equifax's site to shady web pages that host the malicious software. Visitors would have to click on the download for the adware to infect their computers.

Abrams doesn't think Equifax's website itself was hacked. Rather, it was swept up in a much larger hacking campaign. "Equifax would be a shotgun victim," he said. Jerome Segura, a researcher at security firm Malwarebytes who specializes in a common and stealthy hacking technique called "malvertising", said the same kind of attack happens every day on the internet, often on major websites. In fact, his analysis of the attack that targeted visitors to the Equifax website found that the TransUnion website was affected, too. 

An Equifax representative said in a statement that the problem was coming from a third-party company that analyzes data on the Equifax website. "That vendor's code running on an Equifax website was serving malicious content," the representative said. "Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis."

TransUnion confirmed its website in Central America had redirected visitors to malicious software downloads. "This issue has been fixed and we are scanning our other websites," the company said in a statement. "TransUnion has not identified any unauthorized access to its systems as a result of the issue."

The fact that Equifax itself wasn't hacked again is good news for a company that earlier this year got hit by a massive data breach, which compromised the Social Security numbers and other personal information of about 145.5 million Americans. Instead, its website was caught up in malvertising.

With malvertising, hackers take advantage of weaknesses in the world of online advertising. Legitimate, trusted websites serve up ads to visitors all the time. But they get those ads from brokers, who themselves get the ads from other parties. It's a complex web that makes it difficult to stop bad actors from posing as legitimate advertisers.

Instead of ads, malvertisers trick websites into serving up prompts to download malicious software. It can look like a normal alert from your computer to update your Flash software (itself a common source of vulnerabilities in your computer, which Adobe is retiring in 2020) or other routine computer updates.

"Typically it's not the host website that's to blame," Abrams said. "It's going to be a third party that's pushing ads."

Abrams said he hopes the public focus on Equifax will teach more people about the dangers of malvertising. "On any small or large website in the world, this is what it looks like in progress," Abrams said. "Stop when you see this."

First published Oct. 12, 9:13 a.m. PT.
Update, at 11:33 a.m.: Adds new material, including information from cybersecurity analyst Randy Abrams.

Update, at 1:36 p.m.: Adds updated statement from Equifax.

Update, at 4:41 p.m.: Adds information from researcher who says TransUnion website was affected, too.

Update, at 10:30 p.m.: Adds a statement from TransUnion.

Logging Out: Welcome to the crossroads of online life and the afterlife.

Batteries Not Included: The CNET team reminds us why tech is cool.