Equifax customer service guided breach victims to fake site

21 Sep 201710 Shares

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Links to the fake site were live for weeks on the Equifax Twitter page. Image: dolphfyn/Shutterstock

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Security experts find that Equifax accidentally directed customers to an impostor website via Twitter.

It has been a less-than-stellar few days for US credit rating firm Equifax, following the disclosure of a data breach affecting more than 143m people, and the latest issue won’t change the narrative.

Originally reported in The New York Times, staffers mistakenly tweeted the wrong web address for a special site Equifax created for customers with queries regarding the breach.

The company set up Equifaxsecurity2017.com for possible victims to verify whether or not they had been affected.

A major oversight by Equifax

According to security researchers, the first mistake here was building a separate website to the main Equifax hub – it means customers would have to take the company’s word that they were entering their confidential data in the correct place.

The Equifax Twitter account sent out a tweet on 19 September directing customers to Securityequifax2017.com, an almost identical fake version of the site, created by full-stack developer Nick Sweeting to really ram home the vulnerabilities that existed in the response page.

It then emerged that the false link had been tweeted out by the company’s social team several times in a period of weeks. Although it’s not really a malicious site, it shows just how easy it would be for hackers to create copies and steal personal data.

Sweeting told The Verge: “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on Equifax.com]. It makes it ridiculously easy for scammers to come in and build clones; they can buy up dozens of domains, and typo-squat to get people to type in their info.”

Equifax said that all tweets with the wrong leak have been deleted. However, with investigations into both the breach and allegedly dodgy stock sales by executives, the controversy shows no sign of slowing down.

Links to the fake site were live for weeks on the Equifax Twitter page. Image: dolphfyn/Shutterstock

Ellen Tannam is a writer covering all manner of business and tech subjects

editorial@siliconrepublic.com