An NPR member station

Equifax Help Site Manipulated By Hackers To Push Adware

DAVID GREENE, HOST:

The embattled company Equifax is having even more trouble with hackers. Now the company has had to take down one of its web pages after it was reported to be prompting people to download malicious software. NPR's Chris Arnold has more.

CHRIS ARNOLD, BYLINE: Equifax already admitted that because of sloppy security it allowed the largest theft of Social Security numbers in history. And now its website just got manipulated by hackers again. An independent cybersecurity analyst named Randy Abrams discovered the problem by accident.

RANDY ABRAMS: When I went to the Equifax page, I was looking for my credit report following a logical sequence of clicks. And it was like boom. Another window opens with what I know was malicious.

ARNOLD: A bogus alert popped up asking him to click to download an Adobe Flash software update. But he says it was actually malware that takes control of your web browser. Abrams says his first reaction was...

ABRAMS: You got to be kidding me. After what Equifax went through, to have this happen is just unbelievable. And I had to replicate it to convince myself it really happened. But I did.

ARNOLD: Abrams made a video of it happening and posted that on the Internet. He says the software appears to be designed to hijack your browser to show you unwanted ads. But he says this type of malware can also redirect you to sites to download more malicious code - for example, software that steals credit card numbers when you type them.

ABRAMS: It can point you to a drive-by download, which is going to install a keystroke logger. Worst case would be ransomware for most people. So the security threat it presents to your computer for future downloads is horrible.

CHRIS HOOFNAGLE: Browser malware is a profound invasion of privacy.

ARNOLD: Chris Hoofnagle is a cyber security and privacy expert at UC Berkeley Law School.

HOOFNAGLE: It can lead to the computer user being spied on all the time or their camera turned on or their microphone turned on without their permission.

ARNOLD: Equifax claims the malicious code on its website came from another company that it hires to do analytics. So technically, that may be the company that got hacked. Still, the end result was that visitors to Equifax's website were prompted to download malware. Hoofnagle says that doesn't look very good for Equifax.

HOOFNAGLE: Shoes keep on dropping.

ARNOLD: And he says that could keep lawmakers focused on passing new regulations.

HOOFNAGLE: Equifax itself must be upset about this. But its competitors, too, must be very nervous because they could be rounded up in the same regulatory swoop.

ARNOLD: Equifax says it removed the malicious code, took the web page offline and is continuing to investigate what happened. Chris Arnold, NPR News.

(SOUNDBITE OF TESK'S "GREEN STAMPS")

Transcript provided by NPR, Copyright NPR.

NPR correspondent Chris Arnold is based in Boston. His reports are heard regularly on NPR's award-winning newsmagazines Morning Edition, All Things Considered, and Weekend Edition. He joined NPR in 1996 and was based in San Francisco before moving to Boston in 2001.