Equifax, Malware, and the Untrustworthy Supply Chain

As if Equifax hasn’t lost enough trust from the first hack, last week it had to disclose that it suffered a second breach, which most reporters called a second hack. But apparently last week’s incident wasn’t a second hack at all, but a different problem. Ars Technica wrote:

 A key part of Equifax’s website has been redirecting users to malware for an unknown period of time, a security researcher discovered this week. A video posted by independent security analyst Randy Abrams showed an Equifax webpage redirecting to a fake Adobe Flash download prompt that installs adware. The infected Equifax page, which the company took offline after discovering the problem, is used to access and update one’s credit report, meaning that many people have likely visited it in the weeks since Equifax disclosed a data breach affecting more than 145 million Americans.

But the new incident was not a second hack – Equifax told MC that the malicious redirect came from a vendor’s faulty code. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” a spokeswoman said. “Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.” Equifax appears to use a disreputable third-party ad provider, Iron Source, which is known for facilitating “malvertising,” the process of implanting malware on victims’ machines through the ads they visit.

So a third-party vendor did it? Iron Source, the one with a reputation for allowing malvertising? Not according to a person from Malwarebytes, a company that makes malware detection software. This person said it’s incorrect to call this a hack or to attribute it to ads. In fact, the third-party script was a web analytics component, not ad code. But that third-party script was itself leveraged to load a domain serving as an “ad rotator.”

Apparently, that is an issue with third-party scripts in general, and any site that was using that particular script was at risk. The ad rotator delivered very low quality redirects, suggesting that these were not even targeted ads.
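The mechanism above, an approved analytics tag pulling in a second domain the site never chose, is exactly what a Content-Security-Policy script allowlist exists to stop. The following is an added example, not code from the original post, Equifax, or Malwarebytes: a simplified offline check of which script loads a given `script-src` policy would have blocked, with all hostnames constructed for the demonstration.

```javascript
// Added example: simplified offline evaluation of a CSP script-src allowlist.
// The browser enforces the real policy; this shows which script loads a
// policy would refuse, including an approved vendor tag that then tries to
// load an unlisted "ad rotator" domain. Hostnames are constructed.
// Only 'self', host sources and a leading "*." wildcard are handled;
// nonces, hashes and scheme-only sources are deliberately out of scope.

const CSP_HEADER =
  "default-src 'self'; script-src 'self' https://analytics.vendor.test; img-src *";

// Source expressions that govern <script src>: script-src, else default-src.
function scriptSourcesFromCsp(header) {
  const directives = new Map(
    header.split(';').map((d) => d.trim()).filter(Boolean)
      .map((d) => { const [name, ...vals] = d.split(/\s+/); return [name, vals]; }),
  );
  return directives.get('script-src') || directives.get('default-src') || [];
}

// Does one source expression match a script URL loaded from pageUrl?
function sourceMatches(source, scriptUrl, pageUrl) {
  if (source === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (source.startsWith("'")) return false;               // keywords, nonces, hashes
  const hasScheme = source.includes('://');
  const scheme = hasScheme ? source.split('://')[0] + ':' : pageUrl.protocol;
  const host = hasScheme ? source.split('://')[1] : source;
  if (scriptUrl.protocol !== scheme) return false;
  if (host.startsWith('*.')) return scriptUrl.hostname.endsWith(host.slice(1));
  return scriptUrl.host === host;
}

// Return the script URLs the policy would refuse to load.
function findBlockedScripts(header, page, scriptUrls) {
  const sources = scriptSourcesFromCsp(header);
  const pageUrl = new URL(page);
  return scriptUrls.filter((u) => {
    const scriptUrl = new URL(u, pageUrl);
    return !sources.some((s) => sourceMatches(s, scriptUrl, pageUrl));
  });
}

// Constructed scenario: first-party code and the approved vendor tag load;
// the "ad rotator" domain the vendor tag requests next is not listed.
const PAGE = 'https://www.example-site.test/credit-report';
const ATTEMPTED_LOADS = [
  '/static/app.js',
  'https://analytics.vendor.test/tag.js',
  'https://rotator.unknown-ads.test/serve.js',
];
console.log(findBlockedScripts(CSP_HEADER, PAGE, ATTEMPTED_LOADS));
// prints [ 'https://rotator.unknown-ads.test/serve.js' ]
```

Pairing such a policy with a `report-uri` or `report-to` directive turns each refused load into a report, so a vendor tag that starts reaching out to new domains is visible rather than silent.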

While malvertising remains quite common, compromised analytics tags are less so. What could the takeaways be from this incident?

Our biggest takeaway is that you have to know every single step in your supply chain, and every partner must be certified and trusted. There are far too many unknown intermediaries in digital transactions for us to feel comfortable about our visitors’ data, and we have to limit the number of those for safety’s sake.

That’s why we have a private platform where this cannot happen. We have weeded out low quality sites, we have only quality inventory, only high quality partners, and no one else enters the supply chain once we set up a buy. This must be the way the entire industry operates in the future. If we don’t let the bad apples in, they can’t corrupt our supply chain or compromise the data of any of our partners.