Equifax Was Linking Potential Breach Victims On Twitter To A Scam Site


In the aftermath of the explosive news that Equifax had exposed the personal data of roughly 143 million Americans, it appears the credit-reporting firm has also been careless about where it sends customers for support.

Earlier this month, Equifax disclosed that attackers had gained access over the summer to its data on more than 40% of Americans, and it set up a standalone website where potential victims could check whether they had been affected: www.equifaxsecurity2017.com. As The Verge pointed out, that site was not hosted under equifax.com. Sending users out to an unfamiliar external domain is a risk in itself: it asks them to trust a name they have no way to verify, which is exactly the habit a phishing site relies on.

In response, programmer Nick Sweeting set out to show how easily the new site could be impersonated, by impersonating it himself in a pointed but harmless way. He registered securityequifax2017.com, a transposition of the real domain name that a consumer could easily type by mistake, and hosted a copy of Equifax's breach-check site there (one that did not save any private information visitors entered). A headline on the site read, “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”

Sweeting explained in an email to the New York Times that using the Linux command "wget" makes it simple for anyone to download the contents of an entire website, “including all images, HTML, CSS, etc,” and impersonate that site.


“It was super easy to just suck their whole site down with wget and throw it on a $5 server,” Sweeting wrote. “It currently has the same type of SSL certificate as the real version, so from a trust perspective, there’s no way for users to authenticate the real one vs. my server.”

And in the past few weeks, Equifax itself was apparently taken in by the lookalike site, or at least by its transposed domain name. As The Verge reported, Equifax's support account tweeted the link to Sweeting's securityequifax2017.com four times to potential breach victims who asked the company for help on Twitter, in tweets going back as far as September 9.
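The two failures above, a breach-response site on a domain outside equifax.com and an official account posting a transposed lookalike of that domain, are both things an outbound-link check can catch before a reply is published. The following is an added example written for this article, not code from Equifax, The Verge or Sweeting. It assumes the brand's own registrable domain is equifax.com and splits the response domain into the word tokens "equifax", "security" and "2017" (my own decomposition); the sample replies it runs over are constructed here and are not Equifax's actual tweets.

```python
"""Added example: a pre-publication link gate for a support account.

A URL is labelled 'own' if its host is the brand's domain or a real
subdomain of it, 'official-response' if it is the standalone breach site,
'lookalike' if it is a reordering of that site's word tokens (the
transposition used in the article), and 'external' otherwise.
"""
import re
from itertools import permutations
from urllib.parse import urlsplit

# Assumed values for this example (not published by Equifax): the brand's own
# registrable domain, the standalone breach-response domain the article names,
# and my own split of that domain into word tokens.
TRUSTED_DOMAIN = "equifax.com"
RESPONSE_DOMAIN = "equifaxsecurity2017.com"
RESPONSE_TOKENS = ("equifax", "security", "2017")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host of a URL, without credentials, port or a leading 'www.'."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_own_domain(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for the trusted domain or a dot-delimited subdomain of it.

    A plain substring test would let 'equifax.com.example.net' through,
    so the trusted name must be the whole host or a '.'-prefixed suffix.
    """
    return host == trusted or host.endswith("." + trusted)


def lookalike_domains(tokens=RESPONSE_TOKENS, tld: str = "com") -> set:
    """Every reordering of the response domain's tokens except the official one.

    This catches token transpositions such as securityequifax2017.com; it
    does not catch single-character typos, which would need an edit-distance
    check on top.
    """
    official = "".join(tokens) + "." + tld
    return {"".join(p) + "." + tld for p in permutations(tokens)} - {official}


def classify_link(url: str) -> str:
    """Label a URL as 'own', 'official-response', 'lookalike' or 'external'."""
    host = host_of(url)
    if is_own_domain(host):
        return "own"
    if host == RESPONSE_DOMAIN:
        return "official-response"
    if host in lookalike_domains():
        return "lookalike"
    return "external"


def audit_messages(messages):
    """Return [(url, label)] for every link not on a domain the company controls.

    Anything returned here should block the reply until a human reviews it.
    """
    findings = []
    for text in messages:
        for url in URL_RE.findall(text):
            label = classify_link(url)
            if label not in ("own", "official-response"):
                findings.append((url, label))
    return findings


# Constructed sample replies for this example (not Equifax's real tweets).
SAMPLE_REPLIES = [
    "Please check https://www.equifaxsecurity2017.com/ to see if you were affected.",
    "You can enroll at https://securityequifax2017.com/ for free monitoring.",
    "More details are at https://www.equifax.com/personal/ and our help page.",
    "See https://equifax.com.example.net/ for next steps.",
]

if __name__ == "__main__":
    for url, label in audit_messages(SAMPLE_REPLIES):
        print(f"BLOCK {label:10s} {url}")
```

Running the gate over the constructed replies blocks the second and fourth messages: the transposed securityequifax2017.com is flagged as a lookalike, and equifax.com.example.net is flagged as external because the suffix check requires a real subdomain rather than a host that merely begins with the brand name. The official response domain is allow-listed explicitly because, as the article notes, it is not under equifax.com and would otherwise be blocked too.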

According to The Verge, Equifax deleted the tweets shortly after the publication ran its article about the mix-up yesterday.

By Wednesday evening, the fake Equifax site had been blacklisted by the Firefox, Safari and Chrome browsers, and Sweeting had taken it down. According to the Times, it had already received close to 200,000 hits.
