Equifax caught in an eternal loop of hacks

Under cyber criminals’ assault

Even if you occasionally read IT news, there is a small chance that you might not have heard about a major hack involving US credit reporting agency Equifax. It managed an astonishing amount of data: personal information of more than 145 million American citizens. To make matters worse, the data breach also affected 100 000 British citizens, whose data Equifax possesses as well.

To make matters worse, the name of the company got world’s attention when a security specialist pointed about a fatal vulnerability in Equifax web site, https://www.equifaxsecurity2017.com. He created a phishing site with a misspelled URL name.[1]

However, this was not a fatal blow yet. Recently, security experts detected adware on the very website of Equifax. If it doesn’t seem like things can get worse, actually, they can. IT experts suspect that cyber villains got a hold of data much earlier than was previously thought. Whose fault is it? Is this the end of Equifax?

Stepping into the same river thrice

While the saying says that you cannot step into the same river twice, Equifax denies it by proving that you can get the same bait not only twice but thrice. The very breach[2] came into public daylight in September, though the company, later on, admitted that the series of infiltrations occurred between May and July 2017 already.[3] In overall, felons obtained not only names, home addresses, social security information, but driving license credentials and email addresses as well.

In response to the hacks, Equifax hired a security firm called Mandiant[4]. The agency was convinced that it had fixed the vulnerabilities. Little did they know how wrong they were. On the other hand, further failures to prevent cyber harassment by hackers spark suspicions whether such mistake was indeed “accidental.”

Next round: setting up Equifax Phishing site

Equifax attempt to redeem their fault turned out perilous. They set the earlier-mentioned website to help users find information about their possibly leaked data. However, since the website functions independently (it would have been wiser to launch a subdomain of the official website), perpetrators could easily swap it with a similarly-sounding fraudulent domain.

That is what IT expert Nick Sweeting did. He created a fake site called securityequifax2017.com. What is more, he also foisted the link in Equifax official tweets. Surprisingly, the company did not notice this trick for several weeks until users started pointing the scam webpage. A great number of unsuspecting users took the bait thinking that was https://www.equifaxsecurity2017.com.

Serving adware on the main website

While Equifax still tries to cope with the after-effects of the breach, malware developers seem merciless. A cybersecurity expert Dan Goodin noticed that while surfing the main page of the website, it directs to a fraudulent page which promoted a fake Adobe Flash Player[5]. Downloading it would also infect a target computer with Eorezo adware. Luckily, such felony was removed much sooner that in the case of the phishing site.

Equifax reluctance to notify the community about the breach attack spark doubts about their cybersecurity measures. Is it going to repeat the scenario of MeDoc company responsible for the outbreak of WannaCry?