Equifax support team links hack victims to phishing site
Inside Subprime: September 21, 2017
By Caroline Thompson
After poor website security allowed hackers to gain access to the sensitive information of more than 143 million Americans, you might think Equifax would be hyper-focused on protecting the shred of consumer trust they have left. However, it seems the credit reporting bureau just can’t seem to get things right.
In the wake of the hack, Equifax created a separate domain, equifaxsecurity2017.com, for people to check whether or not they were affected by the hack and get advice on how to keep their information safe. While well-intentioned, the move was puzzling to cyber security experts, who couldn’t understand why Equifax would create a new site instead of just putting the information on equifax.com.
“You would think that would be the obvious place to start,” Rahul Telang, a professor of information systems at Carnegie Mellon University, told The New York Times. “Create a subdomain so that if somebody tries to fake it, it becomes immediately obvious.”
Telang went on to note that the name “equifaxsecurity2017.com” doesn’t look like an official Equifax property. Because of this, it’s very easy for scammers to clone the website and direct consumers to another, unofficial site in an attempt to steal their information. This practice, commonly called “phishing,” is an easy way for cyber criminals to gain access to sensitive information like credit card and Social Security numbers. It’s also an easy way for clever, security-minded software engineers like Nick Sweeting to drive home the point about just how easy this would be. Unsurprisingly, the credit bureau played right into his hands.
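To make Telang’s point concrete, here is an added example (not code from the article, from Equifax, or from Sweeting) showing the two halves of the problem: a checker that only accepts the official domains Equifax later named, or a proper subdomain of them, and a generator that enumerates the trivial token reorderings of “equifaxsecurity2017.com” a phisher could register. The subdomain help.equifax.com and the host attacker.example are constructed for illustration and are not real Equifax properties.

```python
"""Added example: verifying that a link points at an official domain,
and enumerating the lookalike domains a standalone name invites.
Not code from the article, from Equifax, or from Nick Sweeting."""
from itertools import permutations
from typing import Iterable, Optional
from urllib.parse import urlparse

# The two domains named in Equifax's own statement.
OFFICIAL_DOMAINS = ("equifax.com", "equifaxsecurity2017.com")


def hostname_of(url: str) -> Optional[str]:
    """Return the real hostname of a URL.

    urlparse().hostname lowercases the host, drops any :port, and discards
    a user:pass@ prefix, so a link like https://www.equifax.com@attacker.example/
    is correctly seen as pointing at attacker.example.
    """
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = parsed.hostname
    if host is None:
        return None
    return host.rstrip(".")  # tolerate a trailing dot (fully qualified form)


def is_official(url: str, official: Iterable[str] = OFFICIAL_DOMAINS) -> bool:
    """True only if the hostname equals an official domain or is a proper
    subdomain of one. The match is on a label boundary ('.' + domain),
    never a substring match, so notequifax.com and
    equifax.com.attacker.example both fail."""
    host = hostname_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in official)


def lookalike_domains(tokens: Iterable[str], tld: str = "com") -> set:
    """Every reordering of the name's tokens, joined with and without
    hyphens: the cheapest permutation space for an impersonator.
    Sweeting's securityequifax2017.com is one of these."""
    tokens = tuple(tokens)
    variants = set()
    for order in permutations(tokens):
        variants.add("".join(order) + "." + tld)
        variants.add("-".join(order) + "." + tld)
    return variants


if __name__ == "__main__":
    # Constructed sample links: the first three should pass, the rest fail.
    for link in (
        "https://www.equifaxsecurity2017.com/",
        "equifax.com",
        "https://help.equifax.com/",              # hypothetical subdomain
        "https://securityequifax2017.com/",       # Sweeting's clone
        "https://equifax.com.attacker.example/",  # constructed lookalike
        "https://www.equifax.com@attacker.example/",
    ):
        print(f"{is_official(link)!s:5}  {link}")
    swaps = lookalike_domains(("equifax", "security", "2017"))
    print(len(swaps), "token-reordering lookalikes, including",
          "securityequifax2017.com" in swaps)
```

The checker shows why a subdomain such as security.equifax.com would have been easy for anyone to validate against a single root, whereas a freshly minted root domain has to be added to every allowlist by hand and is indistinguishable, by structure alone, from the twelve reorderings the generator produces.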
Sweeting created a clone of Equifax’s security site, called securityequifax2017.com, and made it look identical to the real site. The only difference between the two was Sweeting’s site featured a prominent headline in large text, telling people what he was up to: “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”
Guess who fell for it? Equifax. Their official Twitter account directed consumers to the fake page not once, not twice, but THREE separate times over the course of more than a week.
Once alerted to their error, Equifax released a short statement and deleted all tweets containing the link to the fake site:
“We apologize for the confusion. Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017.com, and our company homepage is equifax.com. Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages.”
Sweeting created the page for the sole purpose of drawing attention to Equifax’s lax security practices in the wake of the hack.
“Their site is dangerously easy to impersonate,” he told The New York Times. “It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there. It’s in everyone’s interest to get Equifax to change this site to a reputable domain. I knew it would only cost me $10 to set up a site that would get people to notice, so I just did it.”
Check out these related articles on the Equifax hack and how to protect yourself against identity theft:
- The Equifax Hack: What You Should Do Now
- 3 Identity Theft Warning Signs
- Understanding Your Credit Report (eBook)
- Massive Equifax hack leaves millions of Americans at risk for identity theft