Equifax has taken down a customer support page on its websites amidst concerns that a second compromise has taken place, but insists this is not the case.
A website page affected by a third-party vendor has been removed out of "an abundance of caution," but according to the credit rating agency, the Equifax website is still operational and has not been the subject of a second cyberattack.
Equifax is still dealing with the aftermath of a vast data breach, which led to the theft of personal, sensitive information belonging to roughly 145.5 million US citizens, as well as at least 693,000 UK residents and Canadian individuals.
Earlier this week, Ars Technica reported that security researcher Randy Abrams visited the website on Wednesday to check his credit report, only to find, on multiple visits, fake Flash download requests which installed the crapware Adware.Eorezo.
In a video posted to YouTube, the researcher documents malvertising attempting to lure users to download the MediaDownloaderIron.exe payload, a highly obfuscated adware bundle.
It appears that on analysis, the malicious download was potentially the result of a third-party advertising network which allowed malicious ads to slip through the net -- which means that the payload was not truly hosted on the Equifax domain, but wormed its way in through an external partner.
"We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline," Equifax told the publication. "When it becomes available or we have more information to share, we will."
The credit rating agency later told the BBC that the company was able to "confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal."
Malvertising is a constant problem for ad networks and the web domains which rely on them to generate revenue to keep websites operational.
On occasion, threat actors will be able to bid for and secure an advertising spot on a legitimate domain, but will embed malicious links or code in the advert -- and together with the trust issued by the legitimate domain, visitors may be more likely to believe the ad is trustworthy and therefore click through or download malicious software.
If malvertising is at fault, there is little that Equifax could have done, and it was up to the ad network to vet their customers. As a result, the website is simply added to the list of legitimate victims of this practice, which also includes the Daily Mail, Yatra, and the Huffington Post.
Earlier this month, former Equifax CEO Richard Smith, who resigned following the security debacle, admitted that responsibility "starts at the top" for the situation and that he was ultimately at fault for a data breach which should "not have happened on his watch."