Equifax's Website Redirected People to Malware Thanks to a Compromised, Years-Old Plugin
Malwarebytes Corp. researchers investigated the matter and discovered that Digital River, the company which made Fireclick, discontinued the service in mid-2016 and subsequently released the Netflame.cc domain where it was hosted. That domain was subsequently acquired by scammers and used to host "fraudulent online surveys,
According to the paper, the likeliest explanation is Central Source LLC, a joint venture between Equifax and TransUnion that runs annualcreditreport.com and whose Fireclick contract expired in May 2014.
Picking up expired or abandoned domains is a common tactic for luring unsuspecting web users onto sketchy sites, or for hijacking obsolete code that still runs on older websites. Per Ars Technica, the compromised plugin in question allowed the unknown third party to redirect visitors of Equifax's website to numerous separate domains serving bogus Flash downloads. The fake download was identified by Symantec as Adware.Eorezo, a program which loads ads on users' computers, and is only listed in the Symantec, Panda and Webroot malware databases.
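The defensive side of the tactic described above is an inventory of every third-party script a page loads, checked against an allowlist, with Subresource Integrity hashes for the ones that are kept. The following is an added example, not code from the article, Malwarebytes or Equifax: it assumes a constructed HTML snippet (the netflame.cc host is the one named in the article, the approved CDN host is made up), a hypothetical allowlist, and standard sha384 SRI hashes.

```python
"""Audit third-party <script src> references for abandoned-domain risk.

Added example, not part of the original article. Assumptions: a constructed
HTML page, a hypothetical allowlist of approved script hosts, and sha384 SRI.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def external_script_hosts(html, page_host):
    """Return the sorted set of hosts serving scripts from outside page_host.

    Relative paths (no netloc) are first-party and skipped; scheme-relative
    '//host/path' sources are normalised so their host is still captured.
    """
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        if src.startswith("//"):
            src = "https:" + src
        netloc = urlparse(src).netloc.lower()
        if netloc and netloc != page_host.lower():
            hosts.add(netloc)
    return sorted(hosts)


def flag_unapproved(hosts, allowlist):
    """Hosts not on the allowlist: stale vendors, expired domains, typos."""
    approved = {h.lower() for h in allowlist}
    return [h for h in hosts if h not in approved]


def sri_hash(content, alg="sha384"):
    """Compute an integrity attribute value ("sha384-<base64 digest>") for
    a fetched script body, so a later swap of the file fails to load."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


# Constructed sample page: one first-party script, one approved CDN script,
# one scheme-relative reference to the abandoned analytics host, one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-approved.net/lib.js"></script>
<script src="//netflame.cc/fireclick/tracker.js"></script>
<script>var inline = true;</script>
</head><body></body></html>
"""

# Hypothetical allowlist maintained by the site owner.
APPROVED_HOSTS = ["cdn.example-approved.net"]


if __name__ == "__main__":
    hosts = external_script_hosts(SAMPLE_HTML, "www.equifax.com")
    print("third-party script hosts:", hosts)
    print("not on allowlist:", flag_unapproved(hosts, APPROVED_HOSTS))
    # A constructed script body standing in for a fetched, reviewed file.
    print("integrity value:", sri_hash(b"console.log('reviewed lib');"))
```

Running the audit periodically, rather than once, is the point: the host that was approved when the contract was signed is the same host that later lapses. The SRI value pins the reviewed file, so that whoever ends up controlling the domain cannot silently serve a different script.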
After news of the hijacking spread, the IRS suspended a contract with Equifax to have the company verify taxpayers' identities, following pressure from the Senate Banking Committee and the public.