by rlvesco7 3167 days ago
Noticed this on Monday. After registering for fraud alert, they send an email that has a link to http://www.equifax.com/fcra for free credit report. This was getting hijacked. But not if you used https://
4 comments

Why would they send you to an http link at all if they already have https? This just seems like complete incompetence. It’s not like they have an excuse like their ad networks don’t work with https.
I know of companies with typos in their links that they email. These typos lead to scam sites. I've contacted them and they haven't yet fixed it. There needs to be a serious re-evaluation of the costs associated with failing such basic security measures like using https and just making sure you send people the correct link. Right now it isn't even a slap on the wrist.
If the site supports HTTPS, they should just preload HSTS to avoid future problems with HTTP.
Sure, but you can configure a webserver to always redirect to the https version of a site.
Someone in marketing probably didn't know that it mattered. Same with the head person who approved the email.

But don't worry, they'll have an engineer approve it next time as well!

But there are protections against this, such as HSTS. I would expect someone with as much sensitive information as Equifax to have HSTS + HPKP pinned into the major browsers. Their server should never even receive an HTTP request. It's just unrivaled incompetence.
HSTS doesn't help if it's your first visit to the site. To work around that they'd need to get into a preload list.
Which is easy if you set preload header.
This. The technology (HSTS, HPKP, Subresource Integrity, upgrade-insecure-requests) is there; sites that need it just don't seem to use it.
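The two mechanisms the last few comments lean on, the HTTP-to-HTTPS redirect and an HSTS header strong enough for the preload list, can be checked offline from captured response headers. The script below is an added example, not code from this thread or from Equifax; the responses in it are constructed, and the thresholds it applies (max-age of at least one year, includeSubDomains, the preload directive, and the plain-HTTP origin redirecting to HTTPS) are the published hstspreload.org submission requirements at the time of writing.

```python
"""Offline check of an HTTP->HTTPS redirect and HSTS preload eligibility.

Added example; the Response objects below are constructed sample data, not
captures from any real server.
"""
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the preload list


@dataclass
class Response:
    status: int
    headers: dict  # header names lowercased, as most HTTP clients expose them


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive; max-age becomes an int and
    valueless flags (includeSubDomains, preload) become True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"bad max-age value: {val!r}")
            directives[name] = int(val)
        else:
            directives[name] = True
    return directives


def check_redirect(http_response, https_prefix):
    """True if the plain-HTTP response redirects straight to the HTTPS origin."""
    if http_response.status not in (301, 302, 307, 308):
        return False
    return http_response.headers.get("location", "").startswith(https_prefix)


def preload_problems(http_response, https_response, https_prefix):
    """Return the reasons a site would be rejected from the preload list.

    An empty list means the captured responses meet every checked requirement.
    """
    problems = []
    if not check_redirect(http_response, https_prefix):
        problems.append("http origin does not redirect to https")
    hsts = https_response.headers.get("strict-transport-security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header on https response")
        return problems
    d = parse_hsts(hsts)
    if d.get("max-age", 0) < ONE_YEAR:
        problems.append(f"max-age {d.get('max-age', 0)} below one year")
    if not d.get("includesubdomains"):
        problems.append("includeSubDomains missing")
    if not d.get("preload"):
        problems.append("preload directive missing")
    return problems


# Constructed sample responses: a weak setup that serves content over plain
# http with a token HSTS header, and a setup that would pass preload review.
WEAK_HTTP = Response(200, {"content-type": "text/html"})
WEAK_HTTPS = Response(200, {"strict-transport-security": "max-age=300"})

GOOD_HTTP = Response(301, {"location": "https://www.example.com/"})
GOOD_HTTPS = Response(200, {"strict-transport-security":
                            "max-age=63072000; includeSubDomains; preload"})

if __name__ == "__main__":
    for label, h, s in (("weak", WEAK_HTTP, WEAK_HTTPS), ("good", GOOD_HTTP, GOOD_HTTPS)):
        print(label, preload_problems(h, s, "https://www.example.com/") or ["preload-eligible"])
```

The "preload" directive is only honoured once the domain is actually submitted to and accepted by the browser preload lists, and because removal from those lists takes months, the usual practice is to deploy HSTS with a short max-age first, confirm nothing on any subdomain still depends on plain HTTP, and only then raise max-age and submit.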
Normally, people in marketing don’t write URLs by hand. They copy them and check that they look nice or have a generator make them for them.

So, how did they copy an http url instead of https, because the website should have redirected them to https before processing the request (and I just hope that their internal network isn’t compromised).

Probably because security is handled by the IT department, and email communication is handled by the much less tech-savvy Communications department.
The specific js that was hijacked is here: https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js

That page pulls it in.

Edit: maybe a red herring. Sure looks shady though.

<!-- Fireclick Web Analytics - COPYRIGHT 1999-2005 ...
So was it Equifax that was hacked, or Fireclick?
Equifax. That url is Equifax controlled. It just mentions fireclick in a comment. Click the url for the js and you'll see that it does a document.write to inject a script that's an akamai cached copy from an obscure .cc domain hosted file...this one: https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/se...
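A script that document.writes a further script tag pointing at another domain is exactly the kind of dependency that a routine inventory of a page's script origins should surface. The audit below is an added example, not code from this thread or from Equifax or Fireclick: the page it scans is constructed, every domain in it is a placeholder, and the allowlist is an assumption. It reads the literal strings passed to document.write (including the usual \x3c and split-tag spellings of "<script"), lists each external script's origin, and flags origins off the allowlist, scripts fetched over plain http, and cross-origin scripts with no Subresource Integrity hash. Being regex-based it only sees literal arguments; a call whose argument is assembled from variables is reported as such rather than guessed.

```python
"""Inventory of externally loaded scripts on a page, including ones injected
through document.write.

Added example; the sample page and its domains are constructed placeholders.
"""
import re
from html import unescape
from urllib.parse import urlsplit

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# The call's argument, allowing one level of nested parentheses.
DOC_WRITE = re.compile(r"document\.write(?:ln)?\s*\(((?:[^()]|\([^()]*\))*)\)", re.IGNORECASE)
STR_LIT = re.compile(r""""((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'""")
# Spellings of '<', '>' and '/' commonly used inside such literals so the
# HTML parser does not terminate the surrounding <script> element early.
ESCAPES = {"\\x3c": "<", "\\x3C": "<", "\\u003c": "<", "\\x3e": ">",
           "\\x3E": ">", "\\u003e": ">", "\\/": "/", '\\"': '"', "\\'": "'"}


def js_string_value(literal_body):
    """Undo the escape sequences listed above inside a JS string literal body."""
    for seq, char in ESCAPES.items():
        literal_body = literal_body.replace(seq, char)
    return literal_body


def written_markup(js):
    """Return (markup, dynamic): the concatenated string literals passed to every
    document.write call in a script body, and whether any call also used
    non-literal parts (variables), whose value cannot be known statically."""
    chunks, dynamic = [], False
    for m in DOC_WRITE.finditer(js):
        arg = m.group(1)
        chunks.append("".join(js_string_value(a or b) for a, b in STR_LIT.findall(arg)))
        if STR_LIT.sub("", arg).replace("+", "").strip():
            dynamic = True
    return "".join(chunks), dynamic


def script_tags(markup):
    """Yield the attribute dict of each <script ...> open tag that has a src."""
    for m in SCRIPT_TAG.finditer(markup):
        attrs = {k.lower(): unescape(a or b or c) for k, a, b, c in ATTR.findall(m.group(1))}
        if "src" in attrs:
            yield attrs


def audit(page_html, page_origin, allowed_origins):
    """Return one finding dict per external script, plus a note for any
    document.write whose argument was not purely literal."""
    page_scheme, page_host = urlsplit(page_origin).scheme, urlsplit(page_origin).netloc
    markup, dynamic_calls = page_html, 0
    for body in SCRIPT_BODY.findall(page_html):
        injected, dynamic = written_markup(body)
        markup += injected
        dynamic_calls += dynamic
    findings = []
    for attrs in script_tags(markup):
        parts = urlsplit(attrs["src"])
        scheme = parts.scheme or page_scheme      # protocol-relative inherits page scheme
        host = parts.netloc or page_host          # relative src is same-origin
        origin = f"{scheme}://{host}"
        flags = []
        if origin not in allowed_origins:
            flags.append("origin not on allowlist")
        if scheme == "http":
            flags.append("fetched over plain http")
        if host != page_host and "integrity" not in attrs:
            flags.append("cross-origin script without integrity hash")
        findings.append({"src": attrs["src"], "origin": origin, "flags": flags})
    if dynamic_calls:
        findings.append({"src": None, "origin": None,
                         "flags": [f"{dynamic_calls} document.write call(s) with non-literal argument"]})
    return findings


# Constructed sample page; all hosts are placeholders.
SAMPLE_PAGE = r"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-partner.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>
  // analytics loader that writes a tag for a script on another host into the page
  document.write("\x3cscript src=\"https://stats.third-party.example/fire.js\"\x3e\x3c/script\x3e");
</script>
<script>document.write('<scr'+'ipt src="http://ads.other.example/x.js"></scr'+'ipt>');</script>
<script>var h = location.protocol; document.write("<scr"+"ipt src='" + h + "//dyn.example/d.js'>\x3c/script>");</script>
</head></html>"""
ALLOWED = {"https://www.example.com", "https://cdn.example-partner.net"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE, "https://www.example.com", ALLOWED):
        print(finding)
```

Run against a page fetched over time from several networks and user agents, the diff between inventories is what catches the intermittent swaps described further down in this thread; a Content-Security-Policy with a script-src allowlist turns the same check into something the browser enforces on every load.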
This obscure .cc domain pretty obviously belongs (or used to belong, they let it lapse in 2016 and it was re-registered) to Fireclick.
Update: The whois listing for the cc domain looks pretty odd. It's a person in Thailand, using a personal gmail address. Which would be odd contact details for a California company's domain. Possible of course, but unlikely.

See: $ whois -h whois.dynadot.com netflame.cc | grep Registrant

Hmm. Perhaps not what I thought. Looks hacked and shady, but perhaps this isn't it.
Yeah, looks like a compromised ad/stats provider. That would also explain the intermittent nature of the bad download. I'd hope that the article gets updated with the facts...other companies might be vulnerable to this as well.
Looks like they just took the page down as I was poking around trying to figure out where the redirect(s) came from.

Edit: Of course the error message is truthful:

>The Equifax.com website and Equifax Member Center are experiencing unusually high volumes due to responses to the recently announced Cybersecurity Incident. We are working diligently to better serve you, and apologize for any inconvenience this may cause. We appreciate your patience during this time and ask that you check back with us soon.

/s

If you don't want to pull out your phone, throw Chrome into Responsive Design mode and you'll get the same results.