Equifax Must Choose Vendors Carefully
by Roy de Souza
As if Equifax hadn’t lost enough trust from the first hack, last week it had to disclose that it suffered another breach, which most reporters called a “second hack.” That shows how little most people know about digital advertising and tracking metrics.
Apparently last week wasn’t a second hack at all, but a different problem. Ars Technica wrote:
A key part of Equifax’s website has been redirecting users to malware for an unknown period of time, a security researcher discovered this week. A video posted by independent security analyst Randy Abrams showed an Equifax webpage redirecting to a fake Adobe Flash download prompt that installs adware. The infected Equifax page, which the company took offline after discovering the problem, is used to access and update one’s credit report, meaning that many people have likely visited it in the weeks since Equifax disclosed a data breach affecting more than 145 million Americans.
But the new incident was not a second hack — Equifax told [reporters] that the malicious redirect came from a vendor’s faulty code. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” a spokeswoman said. “Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.” Equifax appears to use a disreputable third-party ad provider, Iron Source, which is known for facilitating “malvertising,” the process of implanting malware on victims’ machines through the ads they visit.
So a third-party vendor did it? Iron Source, which has a reputation for allowing malvertising? Not according to a person from Malwarebytes, a service used to detect malware. This person said it’s incorrect to call this a hack or to attribute it to ads. In fact, the third-party script was a web analytics component, not ad code. But the third-party script itself was leveraged to load a domain serving as an “ad rotator.”
Apparently, that is an issue with third-party scripts, and any site that was using that particular one was at risk. The ad rotator delivered very low-quality redirects, suggesting that these were not even targeted ads. Later, further information revealed that this was a deprecated tag — a case of carelessness among vendors operating in a complex system.
While malvertising remains quite common, compromised analytics tags are less so. What could the takeaways be from this incident?
Our biggest takeaway is that you have to know every single step in your supply chain, and every partner must be certified and trusted. There are far too many unknown intermediaries in digital transactions for us to feel comfortable about our visitors’ data, and we have to limit the number of those for safety’s sake.
That’s why we built a private platform where this cannot happen. We have weeded out low-quality sites, we have only quality inventory and only high-quality partners, and no one else enters the supply chain once we set up a buy. This must be the way the entire industry operates in the future. If we don’t let the bad apples in, they can’t corrupt our supply chain or compromise the data of any of our partners.