Equifax Help Site Manipulated By Hackers To Push Adware

Equifax is taking a customer help Web page offline as the company investigates reports that the site directed people to download fraudulent Adobe Flash updates.

DAVID GREENE, HOST:

The embattled company Equifax is having even more trouble with hackers. Now the company has had to take down one of its web pages after it was reported to be prompting people to download malicious software. NPR's Chris Arnold has more.

CHRIS ARNOLD, BYLINE: Equifax already admitted that because of sloppy security it allowed the largest theft of Social Security numbers in history. And now its website just got manipulated by hackers again. An independent cybersecurity analyst named Randy Abrams discovered the problem by accident.

RANDY ABRAMS: When I went to the Equifax page, I was looking for my credit report following a logical sequence of clicks. And it was like boom. Another window opens with what I know was malicious.

ARNOLD: A bogus alert popped up asking him to click the download an Adobe Flash software update. But he says it was actually malware that takes control of your web browser. Abrams says his first reaction was...

ABRAMS: You got to be kidding me. After what Equifax went through, to have this happen is just unbelievable. And I had to replicate it to convince myself it really happened. But I did.

ARNOLD: Abrams made a video of it happening and posted that on the Internet. He says the software appears to be designed to hijack your browser to show you unwanted ads. But he says this type of malware can also redirect you to sites to download more malicious code - for example, software that steals credit card numbers when you type them.

ABRAMS: It can point you to a drive-by download, which is going to install, a keystroke logger. Worst case would be ransomware for most people. So the security threat it presents to your computer for future downloads is horrible.

CHRIS HOOFNAGLE: Browser malware is a profound invasion of privacy.

ARNOLD: Chris Hoofnagle is a cyber security and privacy expert at UC Berkeley Law School.

HOOFNAGLE: It can lead to the computer user being spied on all the time or their camera turned on or their microphone turned on without their permission.

ARNOLD: Equifax claims the malicious code on its website came from another company that it hires to do analytics. So technically, that may be the company that got hacked. Still, the end result was that visitors to Equifax's website were prompted to download malware. Hoofnagle says that doesn't look very good for Equifax.

HOOFNAGLE: Shoes keep on dropping.

ARNOLD: And he says that could keep lawmakers focused on passing new regulations.

HOOFNAGLE: Equifax itself must be upset about this. But its competitors, too, must be very nervous because they could be rounded up in the same regulatory swoop.

ARNOLD: Equifax says it removed the malicious code, took the web page offline and is continuing to investigate what happened. Chris Arnold, NPR News.

(SOUNDBITE OF TESK'S "GREEN STAMPS")

Copyright © 2017 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.