U.S. consumer credit reporting agency Equifax Inc. is back in the news, once again for all the wrong reasons.

The company was discovered to be serving malware to its customers in the form of spyware disguised as an Adobe Flash plugin, although it’s not entirely clear whether the company itself was responsible for the security faux pas or its site was hacked.

The plugin was offered to users on Equifax’s consumer information services portal, with visitors prompted to install the malware in a popup. According to reports, the phony Flash Player installer was detected by several antivirus tools as “Adware.Eorezo,” a form of malware that hijacks Windows installations to show ads in Internet Explorer. In addition, the malware may also install other adware, toolbars and browser redirects and hijack the home page of an affected browser. In short, you really don’t want this infecting your computer.

Although it’s not clear where the blame lies, Richard Henderson, global security strategist at security firm Absolute Software Corp. told SiliconANGLE that it may not be Equifax’s failing this time.

“It’s hard to feel sorry for Equifax after all of the troubles and missteps they’ve taken, but in this case it doesn’t appear that this incident is entirely their fault,” Henderson said. “It sure looks like a third party that provides content or analytics for them was breached and is responsible for the malicious ads that have been spotted.”

Henderson said this kind of thing happens more than most people realize. “It really should be seen as a learning opportunity for any organization that has decided to embed active content from third parties into their websites,” he said. “Yes, third-party analytics, tracking and advertising services provide an incredible amount of value and data to your company, but when they get breached and start serving malicious content, it’s your organization that is left holding the bag.”

Explaining that these practices are gaining more attention, Henderson claimed that “there has been significant pushback this year on sites that include all of this additional ‘bloat’ in their sites, and how much of an impact it adds to visitors’ experience and load times. When you add the threat of compromised third parties serving malicious content, it’s clear that new risk models and analysis need to be created.”

Most of all, he said, companies need to ask themselves: “Do you really need to embed all of this potentially hazardous active content on your site?” The answer is no, he added: “The risks are too great and oftentimes unquantifiable.”

Image: Pixabay