Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com instead of equifaxsecurity2017.com. It was an easy mistake to make, but the link sent the user to a site with no connection to Equifax itself. Equifax removed the tweet shortly after this report was published, but it remained live for nearly 24 hours.
Further analysis revealed three more tweets that had directed potential victims to the same false address, going back as far as September 9th. These tweets have also since been removed.
Luckily, the alternative URL Equifax sent the victim to isn’t malicious. Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities in Equifax’s response page. “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it, as opposed to hosting it on equifax.com,” Sweeting tells News. “It makes it extremely easy for scammers to move in and build clones; they can buy up dozens of domains and typo-squat to get somebody to type in their info.” Sweeting says no data will leave this page and that he “eliminated any risk of leaking data via network requests by redirecting them back to the user’s own computer,” so any data entered on this site is probably relatively safe. Still, Equifax’s team linked out to this page. That isn’t encouraging.
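The failure described here is a lookalike domain that rearranges the words of the real one. As an added illustration (not part of the original report or of Sweeting's site), the check below flags a link whose host is not on an allowlist of official domains but is either a character-for-character rearrangement of one (securityequifax2017.com vs equifaxsecurity2017.com) or within a couple of single-character edits of one, which is what a support team's tweet-publishing tool could run before a link goes out. The allowlist and sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the official domain named in the article and
# the transposed lookalike that Equifax's own support account linked to.
OFFICIAL_DOMAINS = {"equifaxsecurity2017.com", "equifax.com"}


def hostname(url: str) -> str:
    """Lowercase host of a URL or bare domain, without a leading 'www.'."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, official=OFFICIAL_DOMAINS, max_edits: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the host in url.

    A host is a lookalike when it is not official but either rearranges the
    exact characters of an official domain (word-order swaps like the one in
    the article) or lies within max_edits edits of one (dropped or swapped
    letters, the classic typo-squat).
    """
    host = hostname(url)
    if host in official:
        return "official"
    for good in official:
        if sorted(host) == sorted(good) or edit_distance(host, good) <= max_edits:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in ("https://www.equifaxsecurity2017.com/",
                 "https://securityequifax2017.com/",
                 "http://equifaxsecurty2017.com",
                 "https://example.org/"):
        print(f"{link:45} -> {classify(link)}")
```

The anagram test catches word-order swaps that edit distance alone would miss, since moving an eight-letter word costs far more than two edits.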
Prior to Equifax’s customer service sharing the imposter site, Sweeting says he emailed the support team and tweeted at Equifax that he had found a potential vulnerability.
Equifax’s entire response to the breach has been a mess. The company’s website set off alarms for lawyers who worried it might waive victims’ right to sue the company, and the response phone line agents had no information and simply directed concerned customers back to the website.
Although the misspelled link likely wasn’t intentional on Equifax’s part, it shows just how easy it is for attackers to trick consumers; even the company’s own support team was fooled. It also shows the lack of a coherent response strategy. I don’t necessarily blame the support team, as they’re likely contractors hired for this incident, but Equifax needs to get its response strategy together.