If you’re one of the 143 million people who were affected by the giant Equifax data breach (or one of the millions who weren’t but still had to check to see if you were), you already know that the data monger set up a special site—www.equifaxsecurity2017.com—for people to look up information about the breach, including whether their personal information was compromised.
Its choice of domain name for the special site was nothing short of baffling.
The company already owns a domain name, equifax.com
. It can add as many subdomains as it likes to that domain (a subdomain extends a domain with letters, numbers or hyphens followed by a dot – nakedsecurity.sophos.com
is a subdomain of sophos.com
, for example).
Using something.equifax.com
would have been a great idea. After all, nobody, no matter how much money they have, can buy a domain ending in .equifax.com
other than Equifax. It is the company’s exclusive preserve.
It’s also the domain you’d guess if you didn’t know the site’s address. Plus, it’s been around for a long time, which means it gets an uplift from Google. The search engine has been indexing the Equifax website for years and will trust it enough to give it preferential treatment in search results, relative to newer domains.
But Equifax didn’t put their special breach site on something.equifax.com
. Instead, they put it on www.equifaxsecurity2017.com
a domain that happens to contain the word Equifax and looks like the sort of scam domain they probably spend a great deal of time and money telling customers and employees to ignore.
The name looks like a million similar domains that anyone could buy, and by using it, Equifax gave up its tremendous, inbuilt advantage with Google and levelled the playing field for anyone who wanted to create a scam site.
Naked Security’s Mark Stockley knows, because he purchased two of them.
In the course of investigating the breach on the morning after it was disclosed, he bought two domains that are exactly the same as www.equifaxsecurity2017.com
but for a dash. He owns, and controls, these look-alike domains, all for the princely sum of £30 (USD$41)
Good thing Mark’s not a jerk. Or a scammer.
Neither, fortunately, is the guy who set up a misspelled phishing site in order to expose vulnerabilities that existed in Equifax’s breach response page.
Full-stack developer Nick Sweeting told The Verge that he set up the site securityequifax2017.com
to point out the “huge mistake” Equifax made by using a domain that doesn’t have any trust attached to it, instead of hosting it on equifax.com.
See anything wrong with securityequifax2017.com
? It’s understandable if you don’t. It’s a simple switcheroo of the words “security” and “equifax”.
Understandable, but unfortunate, therefore that Equifax itself mixed them up and actually tweeted the wrong URL, which is, really, a typosquatter’s dream scenario.
The tweets have since been deleted, but here’s the reply Tweet from Dave Rand (@LorettoDave), who caught Equifax’s mistake on Tuesday:
You have tweeted the wrong URL (securityequifax2017 instead of equifaxsecurity2017). You should delete this tweet and correct your mistake.
— Dave Rand (@LorettoDave) September 20, 2017
The Verge has a screen capture of the original, typosquatter’s dream message from Equifax. It also poked around and found three more tweets, since deleted, that had sent potential victims to the same false address, dating back as far as 9 September—in other words, Equifax has been sending people to potential scam sites from Twitter since the breach was disclosed.
Sweeting told The Verge that no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer.”
In response to the tweets Mark Stockley opined “at this point it’s getting hard to think of anything more that Equifax could do to confuse its users, muddy the waters and make life easy for scammers”.
Sweeting and Stockley only purchased a few domain names because they wanted to make a point. There’s nothing to stop criminals slurping up hundreds or even thousands of plausible-looking domains and hosting whole batteries of sites designed to part unwitting users from their passwords, credit card numbers or other private information.
One can imagine that it’s been a mad house at Equifax since the communications department first got the unenviable job of telling people about the breach. Unfortunately, it’s all too easy to slip up when you’re typing in a link, even in normal, unstressful times.
An Equifax spokesperson says that all posts with the wrong links have since been taken down. The company’s apologized for the confusion.
For years, we’ve known, and warned, about the dangers of typosquatting—domains that take advantage of misspelled company names—and cybersquatting—domains that borrow names of companies, public figures or other terms that exploit public interest in searching for those names.
The dangers include falling for traps laid by pay-per-click schemes, coming across ads for scammy products, or even falling prey to crooks that use the domains for phishing or to disseminate malware.
For a quick overview of our typosquatting report, check out the following video.
(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)
VirtualXistance
Ha… I noticed this one off domain name used and literally went to whois.com to validate if this was a Equifax site or a phishing site. I also looked at few different financial organization sites where they recommended going to the correct site. boy oh boy! and our information is out there in the hands of a company whom we have to trust but don’t want to?
Bryan
Agreed. First saw the link and basically wrote Lisa’s line:
“looks like the sort of scam domain they probably spend a great deal of time and money telling customers and employees to ignore.”
She’s still disregarding my requests for co-author acknowledgement though. :-/
Lisa Vaas
Truth be told, that’s Mark Stockley’s line. We’re both cut out of royalties on that one! :-)
Bryan
Well shucks; there goes my early retirement!
Lisa Vaas
I had to return the Audi.
Magyver
…*spills beer*
KeithF
These people (equifax) have shown they are utterly incompetent. I am greatly disturbed that they control resources and information that can (and has) ruined peoples lives over the years by their errors and data leakage. I sincerely hope the US government does more than slap their wrist.
Tom
What would be the correct solution? Would a CNAME entry in equifax’s DNS record would have fixed this? I think this is the PR company’s move here.
Mark Stockley
Equifax should have set up their breach notification on “my.equifax.com” or similar .equifax.com subdomain. They can’t stop people like me buying domains like equifaxsecurity-2017.com but they can a) give themselves a headstart in Google and b) delegitimise domains like mine because they don’t look anything like the real one.
Jim
Heck, they could even have used equifaxsecurity2017.equifax.com if they really wanted a long, convoluted name.
I froze my information a week or so ago, and I’m NEVER unfreezing it. These guys are monstrously incompetent, and should be out of business.
Bryan
I’m nearly certain it’s
PrettyPleaseKeepTrusting.equifax.com
Paul
And was one of these fake sites, that was being advertised, last week, by Sophos as a way of blocking the damage
Paul Ducklin
I’m not sure we were “advertising” it :-) But I get your point…
You’d have thought that after all the advice not to have a weirdlylongdomainwithnohistory, they could have taken the next step of moving the new “microsite” back under their main domain, rather than taking the next step of keeping on with the wacky domain but forgetting what it was!