Equifax’s response to its data breach has been a total shitshow, something the company seems determined to remind us of each and every day.
For nearly two weeks, the company’s official Twitter account has been directing users to a fake lookalike website, the sole purpose of which is to expose Equifax’s reckless response to the breach.
After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, a website where they can enroll in identity theft protection services and find updates about how Equifax is handing the “cybersecurity incident.”
But the decision to create “equifaxsecurity2017” in the first place was monumentally stupid. The URL is long and it doesn’t look very official — that means it’s going to be very easy to emulate. Fake versions of the site could be used to phish Equifax customers and steal their personal information, again. A much safer choice would have been to create a subdomain on the Equifax website (equifax.com) and direct users there.
To illustrate how idiotic Equifax’s decision was, developer Nick Sweeting created a fake website of his own: securityequifax2017.com. (He simply switched the words “security” and “equifax” around.) Sweeting’s website looks slightly different than the official Equifax website, as you can see below, but only because he isn’t actually trying to dupe anyone:
Fake Equifax breach-response site created by Nick Sweeting.
Sweeting’s intentions clearly aren’t malicious. If anything, he’s trying to demonstrate why Equifax needs to shut down its website, or at least transfer it elsewhere, so it isn’t further exposing consumers to risk.
As if to demonstrate Sweeting’s point, Equifax appears to have been itself duped by the fake URL. The company has directed users to Sweeting’s fake site sporadically over the past two weeks. Gizmodo found eight tweets containing the fake URL dating back to September 9th:
Equifax directing users to a fake phishing website.
Each of the tweets containing Sweeting’s URL is signed by someone at Equifax named “Tim.” The latest tweet was sent out September 19th. (Equifax deleted this tweet Wednesday morning, but at the time of writing the other seven tweets were still live.)
Props to white-hat @thesquashSH for registering that look-alike Equifax domain before some lurker switched it to a phishing portal. ????
— SoS (@SwiftOnSecurity) September 20, 2017
“It’s in everyone’s interest to get Equifax to change this site to a reputable domain,” Sweeting told Gizmodo. “I knew it would only cost me $US10 ($12) to set up a site that would get people to notice, so I just did it.”
The real Equifax site is dangerous, he said, because of how easy it is to impersonate. “It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there.”