Every time we think Equifax can’t get any more incompetent than compromising the personal information for half the country’s adult population, it proves us wrong. In today’s installment of Equifax idiocy, it appears that the credit bureau’s website was recently hacked to serve up malware to some visitors.
Security analyst Randy Abrams discovered the flaw Wednesday evening, Ars Technica reports.
When trying to reach certain Equifax pages, Abrams said, his browser was redirected to a pop-up claiming to be a needed update for Adobe Flash.
While Flash is a garbage heap that does indeed always seem to need another security update, the pop-up dialog doesn’t actually lead to one. Instead, it installs unwanted adware that serves up (potentially scammy or malicious) advertisements on your computer.
Abrams sent Ars a video showing the Equifax page redirecting his browser several times until loading the fake Flash prompt.
He tells Ars that he was surprised to see the redirect pop up not once, not twice, but on several repeat visits. Ars also notes that very few antivirus suites correctly detect the file as unwanted adware, so if you are unfortunate enough to end up clicking to install, your security software may not even give you a warning.
That’s the bad news. Here’s the good: As of Thursday morning, Abrams tells Ars he can no longer reproduce the steps, so it’s possible that Equifax actually figured out what was wrong and fixed it.