Security Experts:

Connect with us

Hi, what are you looking for?



Malicious Redirects on Equifax, TransUnion Sites Caused by Third-Party Script

Two of the “Big Three” U.S. credit reporting agencies, Equifax and TransUnion, were hit by a cybersecurity incident caused by the use of a third-party web analytics script.

Two of the “Big Three” U.S. credit reporting agencies, Equifax and TransUnion, were hit by a cybersecurity incident caused by the use of a third-party web analytics script.

Independent security analyst Randy Abrams noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to a website set up to serve adware disguised as a Flash Player installer.

While initially it appeared that Equifax’s website had been hacked, the company’s investigation revealed that the malicious redirects occurred due to a third-party vendor’s script.

“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” Equifax stated.

Equifax website sends users to fake Flash installer

The redirection chain, often seen in malvertising attacks, results in users being taken to a scammy or malicious website, depending on their geographical location and the type of device they use to access the affected webpage.

Researchers at Malwarebytes have analyzed the incident and determined that the redirection occurs due to a web analytics script associated with Fireclick, a now-defunct platform formerly operated by Digital River. A search for the script involved in the attack (fireclick.js) revealed that it had also been used on the Central America website of TransUnion, whose customers were also redirected to shady sites.

Both Equifax and TransUnion have removed the problematic script from their websites. Equifax took the affected service offline and had not restored it at the time of writing.

“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” an Equifax spokesperson explained.

In addition to adware, Malwarebytes said the redirection chain also took users to fake surveys and even the RIG exploit kit, which is typically leveraged to deliver ransomware and other malware. The security firm found the same Fireclick script on several other websites as well.

“Many websites include javascript from third parties for a variety of purposes, including analytics, ads, styling, and many other webpage features. Equifax included this Fireclick library on their own website, but it pulls in some javascript from another site,, that appears to have been hacked. When the Equifax site loads Fireclick, which loads code, the victim’s browser is redirected to malware,” explained Jeff Williams, CTO and co-founder of Contrast Security.

“Anyone using the Fireclick library may have been affected, and the attackers may not even know that they compromised Equifax. A more targeted attack could have used the code to access victim’s data from the Equifax page, submit false data on behalf of the victim, or deface the Equifax page. The attack could have been made invisible to the victim and could have been much more difficult to detect,” Williams added.

Some Hacker News users noticed that the domain was owned by Digital River until November 2016, when the registration information changed to show that the new owner was an individual from Thailand. 

“In July 2016, Digital River fully decommissioned the Fireclick platform, which rendered the application inoperable. As part of our decommissioning Fireclick, we no longer had a business use for the domain and released it back to the domain name marketplace in October 2016, which is a common practice in the industry,” Digital River told SecurityWeekAt that point, the domain name was available for anyone to purchase. As such, Digital River’s connection to Fireclick and this domain name ended before this Equifax event.”

*Updated with clarifications and statement from Digital River

Related: Equifax Warned About Vulnerability, Didn’t Patch It, Says Ex-CEO

Related: Equifax Sent Breach Victims to Fake Website

Related: Equifax Cybersecurity Failings Revealed Following Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.