UPDATED 22:52 EST / OCTOBER 12 2017

INFRA

Latest Equifax faux pas: serving customers malware-infected fake Flash plugins

U.S. consumer credit reporting agency Equifax Inc. is back in the news, once again for all the wrong reasons.

The company was discovered to be serving malware to its customers in the form of spyware disguised as an Adobe Flash plugin, although it’s not entirely clear whether the company itself was responsible for the security faux pas or its site was hacked.

The plugin was offered to users on Equifax’s consumer information services portal, with visitors prompted to install the malware in a popup. According to reports, the phony Flash Player installer was detected by several antivirus tools as “Adware.Eorezo,” a form of malware that hijacks Windows installations to show ads in Internet Explorer. In addition, the malware may also install other adware, toolbars and browser redirects and hijack the home page of an affected browser. In short, you really don’t want this infecting your computer.

Although it’s not clear where the blame lies, Richard Henderson, global security strategist at security firm Absolute Software Corp. told SiliconANGLE that it may not be Equifax’s failing this time.

“It’s hard to feel sorry for Equifax after all of the troubles and missteps they’ve taken, but in this case it doesn’t appear that this incident is entirely their fault,” Henderson said. “It sure looks like a third party that provides content or analytics for them was breached and is responsible for the malicious ads that have been spotted.”

Henderson said this kind of thing happens more than most people realize. “It really should be seen as a learning opportunity for any organization that has decided to embed active content from third parties into their websites,” he said. “Yes, third-party analytics, tracking and advertising services provide an incredible amount of value and data to your company, but when they get breached and start serving malicious content, it’s your organization that is left holding the bag.”

Explaining that these practices are gaining more attention, Henderson claimed that “there has been significant pushback this year on sites that include all of this additional ‘bloat’ in their sites, and how much of an impact it adds to visitors’ experience and load times. When you add the threat of compromised third parties serving malicious content, it’s clear that new risk models and analysis need to be created.”

Most of all, he said, companies need to ask themselves: “Do you really need to embed all of this potentially hazardous active content on your site?” The answer is no, he added: “The risks are too great and oftentimes unquantifiable.”

Image: Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU