Skip to content
Naked Security Naked Security

Equifax has been sending customers to a fake phishing site for weeks

A series of blunders to add to the Equifax breach

If you’re one of the 143 million people who were affected by the giant Equifax data breach (or one of the millions who weren’t but still had to check to see if you were), you already know that the data monger set up a special site—www.equifaxsecurity2017.com—for people to look up information about the breach, including whether their personal information was compromised.

Its choice of domain name for the special site was nothing short of baffling.

The company already owns a domain name, equifax.com. It can add as many subdomains as it likes to that domain (a subdomain extends a domain with letters, numbers or hyphens followed by a dot – nakedsecurity.sophos.com is a subdomain of sophos.com, for example).

Using something.equifax.com would have been a great idea. After all, nobody, no matter how much money they have, can buy a domain ending in .equifax.com other than Equifax. It is the company’s exclusive preserve.

It’s also the domain you’d guess if you didn’t know the site’s address. Plus, it’s been around for a long time, which means it gets an uplift from Google. The search engine has been indexing the Equifax website for years and will trust it enough to give it preferential treatment in search results, relative to newer domains.

But Equifax didn’t put their special breach site on something.equifax.com. Instead, they put it on www.equifaxsecurity2017.com a domain that happens to contain the word Equifax and looks like the sort of scam domain they probably spend a great deal of time and money telling customers and employees to ignore.

The name looks like a million similar domains that anyone could buy, and by using it, Equifax gave up its tremendous, inbuilt advantage with Google and levelled the playing field for anyone who wanted to create a scam site.

Naked Security’s Mark Stockley knows, because he purchased two of them.

In the course of investigating the breach on the morning after it was disclosed, he bought two domains that are exactly the same as www.equifaxsecurity2017.com but for a dash. He owns, and controls, these look-alike domains, all for the princely sum of £30 (USD$41)

Domain purchase checkout

Good thing Mark’s not a jerk. Or a scammer.

Neither, fortunately, is the guy who set up a misspelled phishing site in order to expose vulnerabilities that existed in Equifax’s breach response page.

Full-stack developer Nick Sweeting told The Verge that he set up the site securityequifax2017.com to point out the “huge mistake” Equifax made by using a domain that doesn’t have any trust attached to it, instead of hosting it on equifax.com.

See anything wrong with securityequifax2017.com? It’s understandable if you don’t. It’s a simple switcheroo of the words “security” and “equifax”.

Understandable, but unfortunate, therefore that Equifax itself mixed them up and actually tweeted the wrong URL, which is, really, a typosquatter’s dream scenario.

The tweets have since been deleted, but here’s the reply Tweet from Dave Rand (@LorettoDave), who caught Equifax’s mistake on Tuesday:

The Verge has a screen capture of the original, typosquatter’s dream message from Equifax. It also poked around and found three more tweets, since deleted, that had sent potential victims to the same false address, dating back as far as 9 September—in other words, Equifax has been sending people to potential scam sites from Twitter since the breach was disclosed.

Sweeting told The Verge that no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer.”

In response to the tweets Mark Stockley opined “at this point it’s getting hard to think of anything more that Equifax could do to confuse its users, muddy the waters and make life easy for scammers”.

Sweeting and Stockley only purchased a few domain names because they wanted to make a point. There’s nothing to stop criminals slurping up hundreds or even thousands of plausible-looking domains and hosting whole batteries of sites designed to part unwitting users from their passwords, credit card numbers or other private information.

One can imagine that it’s been a mad house at Equifax since the communications department first got the unenviable job of telling people about the breach. Unfortunately, it’s all too easy to slip up when you’re typing in a link, even in normal, unstressful times.

An Equifax spokesperson says that all posts with the wrong links have since been taken down. The company’s apologized for the confusion.

For years, we’ve known, and warned, about the dangers of typosquatting—domains that take advantage of misspelled company names—and cybersquatting—domains that borrow names of companies, public figures or other terms that exploit public interest in searching for those names.

The dangers include falling for traps laid by pay-per-click schemes, coming across ads for scammy products, or even falling prey to crooks that use the domains for phishing or to disseminate malware.

For a quick overview of our typosquatting report, check out the following video.

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)


13 Comments

Ha… I noticed this one off domain name used and literally went to whois.com to validate if this was a Equifax site or a phishing site. I also looked at few different financial organization sites where they recommended going to the correct site. boy oh boy! and our information is out there in the hands of a company whom we have to trust but don’t want to?

Agreed. First saw the link and basically wrote Lisa’s line:

“looks like the sort of scam domain they probably spend a great deal of time and money telling customers and employees to ignore.”

She’s still disregarding my requests for co-author acknowledgement though. :-/

These people (equifax) have shown they are utterly incompetent. I am greatly disturbed that they control resources and information that can (and has) ruined peoples lives over the years by their errors and data leakage. I sincerely hope the US government does more than slap their wrist.

What would be the correct solution? Would a CNAME entry in equifax’s DNS record would have fixed this? I think this is the PR company’s move here.

Equifax should have set up their breach notification on “my.equifax.com” or similar .equifax.com subdomain. They can’t stop people like me buying domains like equifaxsecurity-2017.com but they can a) give themselves a headstart in Google and b) delegitimise domains like mine because they don’t look anything like the real one.

Heck, they could even have used equifaxsecurity2017.equifax.com if they really wanted a long, convoluted name.
I froze my information a week or so ago, and I’m NEVER unfreezing it. These guys are monstrously incompetent, and should be out of business.

And was one of these fake sites, that was being advertised, last week, by Sophos as a way of blocking the damage

I’m not sure we were “advertising” it :-) But I get your point…

You’d have thought that after all the advice not to have a weirdly­longdomain­withnohistory, they could have taken the next step of moving the new “microsite” back under their main domain, rather than taking the next step of keeping on with the wacky domain but forgetting what it was!

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?