Equifax took a customer help page offline Thursday amid concerns that the company may have been hacked yet again.
Independent security analyst Randy Abrams discovered evidence of a second breach, just a month after the company said the information on 145.5 million U.S. consumers had been exposed when attackers exploited a vulnerability in Apache Struts.
“After verifying that Experian did in fact falsify the data (it was due to incompetence and apathy) I decided to see if the misinformation had propagated to Equifax,” Abrams wrote in a blog post. “As I tried to find my credit report on the Equifax website I clicked on an Equifax link and was redirected to a malicious URL. The URL brought up one of the ubiquitous fake Flash Player Update screens.”
Noting that Equifax isn't likely to help consumers upgrade Flash, Abrams said his discovery shouldn't come as a surprise to anyone.
"We are aware of the situation identified on the equifax.com website in the credit report assistance link," Reuters cited Equifax spokesman Wyatt Jefferies as saying. "Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline."
Chris Olson, CEO of The Media Trust, referred to the whole situation as "ridiculous" and called for companies to improve their security postures. "This is yet another misstep by a major U.S. enterprise in handling its website breach,” said Olson. “Equifax, and for that matter any enterprise, should first identify and manage all third parties contributing code to their websites and get their own house in order!”
Joseph Carson, chief security scientist at Thycotic, said it was "common to see many ripples and after-effects" following a large breach. “However, Equifax appears to be stuck on a huge wave,” he said.
Noting that hackers typically exploit fear, Carson said that after Equifax's CEO “blamed a single employee in front of congress for causing the major data breach at Equifax, cybercriminals are exploiting employees with fear of being the next victim.”
As a result, Equifax could experience additional breaches in the future “due to human failure to detect cyber threats,” he said. “The problem with blaming the Equifax data breach on a single employee is that we have to remember that employees are, in most cases, victims themselves.”
The latest potential breach demonstrates that the “current flow of threats is now exploiting that the original data breach resulted from an unpatched web server and now employees are getting prompted that their own systems are missing a major patch for Adobe Flash,” said Carson. “Because they fear hackers gaining access, they are going to click on the update. Unfortunately, it's a fake update trying to infect their systems. This opens the door again into Equifax for hackers to continue disclosing sensitive data.”
The newest incident "happened because Equifax trusted a different piece of third-party code (Fireclick Web Analytics javascript library) and didn't put in the work to make sure it stayed secure,” said Jeff Williams, CTO and co-founder of Contrast Security. “Basically, a very similar problem [to the first breach] with two quite different pieces of code.”
The Fireclick library was included on the Equifax site, “but it pulls in some javascript from another site, netflame.cc, that appears to have been hacked,” said Williams. “When the Equifax site loads Fireclick, which loads netflame.cc code, the victim's browser is redirected to malware.”
Anyone that uses the Fireclick library could feel the impact of the second breach, but “the attackers may not even know that they compromised Equifax,” he said. “A more targeted attack could have used the netflame.cc code to access victim's data from the Equifax page, submit false data on behalf of the victim, or deface the Equifax page.” If the attack had been hidden from the victim, he said, it “could have been much more difficult to detect.”
It's time for organizations to stop viewing third-party code as “free functionality that saves the cost of having to write, test, and deploy that code themselves,” Williams said. “We need to accept the fact that using third-party code creates an obligation to analyze for vulnerabilities continuously and respond to new vulnerabilities/attacks within hours.”
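The chain Williams describes (a page loads one vendor's script, which in turn pulls code from a second host that nobody inventoried) is exactly what a third-party script audit is meant to surface. The following is an added example, not code from the article, from Equifax or from any vendor named in it: a small Node.js script that inventories the `<script>` tags in a page, flags cross-origin scripts that carry no Subresource Integrity (`integrity`) attribute, and derives a Content-Security-Policy `script-src` allowlist from the hosts it actually found. The first-party hostname, the vendor and CDN hostnames, and the sample HTML are all constructed for illustration; the `integrity` value is a placeholder standing in for a real base64 SHA-384 digest.

```javascript
// Added example (not code from the article, Equifax or any named vendor):
// inventory a page's <script> tags, flag unpinned third-party scripts and
// build a CSP script-src allowlist. All hostnames below are constructed.

const FIRST_PARTY = "www.example-cra.com"; // assumed first-party host

// Constructed sample page: one first-party script, one third-party analytics
// loader with no SRI, one CDN script pinned with SRI, and one inline script.
// "sha384-PLACEHOLDER_DIGEST" stands in for a real base64 SHA-384 digest.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://analytics.example-vendor.net/loader.js"></script>
<script src="https://cdn.example-cdn.com/lib.min.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script>inlineTracker();</script>
</head><body></body></html>`;

// Pull src and integrity attributes out of every opening <script ...> tag.
function listScripts(html) {
  const tagRe = /<script\b([^>]*)>/gi;          // opening tags only
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g; // name="value" pairs
  const out = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    out.push({ src: attrs.src || null, integrity: attrs.integrity || null });
  }
  return out;
}

// Classify each external script: resolved host, first/third party, SRI present.
function auditScripts(html, firstPartyHost) {
  return listScripts(html)
    .filter(s => s.src !== null)               // inline scripts have no src
    .map(s => {
      const url = new URL(s.src, `https://${firstPartyHost}/`);
      const thirdParty = url.hostname !== firstPartyHost;
      return {
        src: s.src,
        host: url.hostname,
        thirdParty,
        hasSri: s.integrity !== null,
        // A third-party script without SRI can change on the vendor's side
        // (or be replaced by whatever it loads next) and the page will not notice.
        risk: thirdParty && s.integrity === null ? "unpinned-third-party" : "ok",
      };
    });
}

// Build a script-src directive listing only the third-party hosts found.
// 'self' covers first-party scripts; 'unsafe-inline' is deliberately omitted,
// and any script the allowed hosts try to load from elsewhere is blocked.
function buildScriptSrc(audit) {
  const hosts = [...new Set(audit.filter(a => a.thirdParty).map(a => a.host))].sort();
  return `script-src 'self' ${hosts.join(" ")}`.trim();
}

// Stand-alone run: print the inventory and the derived policy.
function demo() {
  const audit = auditScripts(SAMPLE_HTML, FIRST_PARTY);
  console.table(audit);
  console.log("Content-Security-Policy: " + buildScriptSrc(audit));
  return audit;
}
demo();
```

The caveat a practitioner should keep in mind is that SRI pins only the first hop: it would have caught a modified copy of the vendor library itself, but not code that an unchanged library fetches from a second host at run time. That second hop is what the CSP allowlist is for, since the browser refuses to execute a script from any host the directive does not name, and the inventory should be re-run whenever a vendor's loader changes what it pulls in.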
Olson agreed. "The malicious domain tricking users into installing 'attackware' has been executing in the digital ecosystem and started exhibiting malicious behavior in September," he said. "This attack once again proves that secure coding practices and AppSec solutions are insufficient and only the tip of the iceberg for website security in today's digital-first world."
Stressing that “cybersecurity is no longer just a technology challenge” but rather “a challenge for everybody who uses and interacts with technology daily,” Carson said, “The protection and security of both your work and personal life are no longer separated and they have been intertwined with evolving trends of social networks, the internet of things and unlimited connectivity.”
As a result “cybersecurity is no longer just the responsibility of the company IT department but it is now the responsibility of every employee not just to protect your work assets but your personal data as well,” he said, which puts people on the front line of cybersecurity attacks and threats that “start from our personal social footprint including your personal data and devices potentially even corrupting your family photos or stealing your own money all to use you as a mule to gain further access.”
He called for “a balance between technology and people to increase our cybersecurity awareness to help us protect and secure both our personal assets and our company assets.”
Matt Schulz, CreditCards.com's senior industry analyst, said the latest potential Equifax breach “is just Reason No. 10,000 why consumers should assume their personal information is already out there and act accordingly.”
Calling it “a scary thing to wrap your brain around,” Schulz said, “the truth is that you're better off assuming the worst” and then taking action to protect sensitive information.
"This is a forever thing. Once information is out there, it's out there for good,” he said. “And bad guys can be very patient, so don't assume that you're safe just because your information hasn't yet been used fraudulently. Build these credit checks into your regular financial routine."