Equifax has taken down a webpage that offered credit report assistance, a spokesperson told Gizmodo. The move follows a report that the page was directing visitors to install fake Adobe Flash updates containing adware.
“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” the spokesperson said. “Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.”
The assistance page, which could be used to obtain a copy of one’s credit report, was replaced with a message claiming that the site was under maintenance after security researcher Randy Abrams discovered the problem.
“We are working diligently to better serve you, and apologize for any inconvenience this may cause. We appreciate your patience during this time and ask that you check back with us soon,” the page informs users—without any mention of the fact that earlier visitors to the page may have been tricked into installing adware.
Abrams shared his findings with Ars Technica and demonstrated them in a video. When Abrams clicked the link to obtain a copy of his credit report, he was instead directed to download a fake version of Flash that contained a file that security firms like Symantec and and Webroot flag as adware.
It’s possible that the adware is being served not by Equifax’s website itself but rather by an ad platform or analytics provider used by the company. Either way, it’s just more bad news for Equifax, which announced a massive hack in September that resulted in the loss of personal information for 143 million people. This month, Equifax said it had discovered another 2.5 million people were affected by the breach and raised that total to 145.5 million.
If the huge data loss wasn’t enough, Equifax was warned about the vulnerability that led to the hack but failed to patch it, and has struggled to notify affected consumers.
Update 4:22 p.m.: Equifax confirmed that, as security researchers had speculated, the adware was served courtesy of a third-party vendor. An Equifax spokesperson said definitively that the company had not suffered another breach.
“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” the spokesperson said. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”