It was just lucky that Randy Abrams, a security researcher, happened to visit the Equifax website yesterday. According to Ars Technica, which first reported the incident, Abrams “noticed that some pages redirect to a site offering a fake, malware-bearing Flash update.”
While compromising some pages on a site is a common practice among attackers, Abrams, who says he knows a thing or two about “drive-by campaigns,” was astounded to see the same download offered on several visits to the site over a period of several hours.
In order to fly under the radar, drive-by attackers usually serve the download only to a select number of visitors to a particular site, and usually only once per visitor. Abrams was surprised to see the download repeated. He was able to capture a higher-resolution image of the page and a video.
The malware trail missed by most antivirus providers
The file was delivered after Abrams clicked through to MediaDownloaderIron.exe. This VirusTotal entry shows only Panda, Symantec, and Webroot detecting the file as adware, out of approximately 65 antivirus providers. If users weren’t running one of the three providers that detected the adware, their machines were probably infected, writes PC Magazine.
Specifically, if anyone installed the fake Flash update, their PC was infected with adware (specifically Adware.Eorezo). A separate malware analysis from Packet Security shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering.
As for how the page ended up being displayed, Ars Technica writes that Equifax may have been running ads through a third-party network that is responsible for the redirects. But regardless of who, how, or why this happened, the Equifax website has clearly been compromised.
Equifax failed to respond to an email from Ars Technica that included a link to the video and sought comment. As for the malware? Either Equifax noticed it, or the hackers just decided to take it down for a day or two.