October 13, 2017

BUT OF COURSE: Equifax says code on its website ‘was serving malicious content.’

Late Wednesday night, independent security analyst Randy Abrams said in a blog post that while he was trying to download his credit report from the Equifax site, he clicked a link that kicked him to a third-party website with “one of the ubiquitous fake Flash Player Update screens.” His post was first reported by technology news site Ars Technica.

Equifax said Thursday afternoon that the problem stemmed from code provided by a third party.

“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” the company said in a statement. “Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”

Equifax emphasized that its “systems were not compromised” and said that despite early reports, the problem “did not affect our consumer online dispute portal.”

Its spokespeople did not answer questions about when the company learned of the problem or how many website visitors clicked the link.

Nobody should be using Flash for anything, because it is essentially malware masquerading as a multimedia platform. Even Adobe has belatedly decided to end-of-life it. If Flash is on your system, here’s a link to Adobe’s removal tool.