The official Equifax Twitter account encouraged people to visit a knock-off website that mocks the company’s security practices instead of the site the company created to warn of a massive data breach. That recent breach exposed personal details for as many as 143 million US consumers.
In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: “Hi! For more information about the product and enrollment, please visit: securityequifax2017.com.” The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.
It turns out Equifax has linked to the same fake domain since at least September 9, as evidenced by tweets here, here, and here. Unlike Tuesday’s tweet, the September 9 tweets were still live when this post was first published, but were taken down shortly after that.
Identity thieves and hackers often rely on this kind of confusion to trick people into divulging passwords or installing malware. By using domains that are similar to the domains of a bank or Web service and copying the overall look and feel of the site, attackers can often fool people into thinking they’re visiting a site they know and trust, rather than a malicious one set up for purposes of fraud.
In the hours following the Equifax breach disclosure two weeks ago, Ars criticized the company-designated site for a host of reasons. The reasons included: (1) a stock installation of WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number; (2) a TLS certificate that didn’t perform proper revocation checks; and (3) a domain name that looked like precisely the kind of thing a criminal operation might use to steal people’s details.
In an e-mailed statement, Equifax officials said: “All posts using the wrong link have been taken down. To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologize for the confusion.”
It would have been much better to host the notification pages on the equifax.com domain, which people instinctively know is the official domain for the credit reporting service. The decision to use equifaxsecurity2017.com instead only desensitizes people to the large number of look-alike domains that attackers use.
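The kind of pre-publication link check that would have caught the tweet, as an added example that is not part of the original post or of any Equifax tooling: it takes the two official domains named above as a constructed allowlist and flags any other host that contains the brand name, is a character-for-character reordering of an official label (the securityequifax2017 case), or is otherwise highly similar (typosquats and digit/letter swaps). The 0.8 similarity threshold and the simple last-dot split for the domain label are assumptions for the demo.

```python
"""Link allowlist / look-alike check for a support or social-media team.
Constructed allowlist; no public-suffix handling, so 'label' is the part
of the host before its last dot."""
from difflib import SequenceMatcher
from urllib.parse import urlparse

BRAND = "equifax"
# Constructed allowlist: the official domains named in the article.
OFFICIAL_DOMAINS = ("equifax.com", "equifaxsecurity2017.com")
SIMILARITY_THRESHOLD = 0.8  # assumption: loose enough to catch 1-2 char swaps

def hostname(url_or_host: str) -> str:
    """Lowercase host of a URL or bare domain, without a leading 'www.'."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text  # makes urlparse treat a bare domain as the netloc
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def label(host: str) -> str:
    """'equifaxsecurity2017.com' -> 'equifaxsecurity2017'."""
    return host.rsplit(".", 1)[0] if "." in host else host

def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'official', 'lookalike' or 'unknown'."""
    host = hostname(url)
    if host in OFFICIAL_DOMAINS:
        return "official", host
    cand = label(host)
    for official in OFFICIAL_DOMAINS:
        ref = label(official)
        if sorted(cand) == sorted(ref):  # same characters, reordered
            return "lookalike", f"same characters as {official}, reordered"
        ratio = SequenceMatcher(None, cand, ref).ratio()
        if ratio >= SIMILARITY_THRESHOLD:  # typosquat / digit-letter swap
            return "lookalike", f"{ratio:.2f} similar to {official}"
    if BRAND in cand:  # brand name present but domain not registered by us
        return "lookalike", "contains brand name but is not on the allowlist"
    return "unknown", host

if __name__ == "__main__":
    for link in ("https://www.equifaxsecurity2017.com", "securityequifax2017.com",
                 "https://www.equifax.com/help", "equifaxsecurity2O17.com",
                 "https://example.com"):
        print(f"{link:40} -> {classify_link(link)}")
```

Anything other than "official" should block the reply until a human confirms the link, which is cheaper than an 18-hour-old tweet pointing at an imposter site.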
Equifax representative Tim appears to be among those whose guard has been lowered.
Post updated to add details about the wrong link being issued earlier and the statement from Equifax.