Equifax has been sending customers to a fake phishing site for weeks

If you’re one of the 143 million people who were affected by the giant Equifax data breach (or one of the millions who weren’t but still had to check to see if you were), you already know that the data monger set up a special site—www.equifaxsecurity2017.com—for people to look up information about the breach, including whether their personal information was compromised.

Its choice of domain name for the special site was nothing short of baffling.

The company already owns a domain name, equifax.com. It can add as many subdomains as it likes to that domain (a subdomain extends a domain with letters, numbers or hyphens followed by a dot – nakedsecurity.sophos.com is a subdomain of sophos.com, for example).

Using something.equifax.com would have been a great idea. After all, nobody, no matter how much money they have, can buy a domain ending in .equifax.com other than Equifax. It is the company’s exclusive preserve.

It’s also the domain you’d guess if you didn’t know the site’s address. Plus, it’s been around for a long time, which means it gets an uplift from Google. The search engine has been indexing the Equifax website for years and will trust it enough to give it preferential treatment in search results, relative to newer domains.

But Equifax didn’t put their special breach site on something.equifax.com. Instead, they put it on www.equifaxsecurity2017.com a domain that happens to contain the word Equifax and looks like the sort of scam domain they probably spend a great deal of time and money telling customers and employees to ignore.

The name looks like a million similar domains that anyone could buy, and by using it, Equifax gave up its tremendous, inbuilt advantage with Google and levelled the playing field for anyone who wanted to create a scam site.

Naked Security’s Mark Stockley knows, because he purchased two of them.

In the course of investigating the breach on the morning after it was disclosed, he bought two domains that are exactly the same as www.equifaxsecurity2017.com but for a dash. He owns, and controls, these look-alike domains, all for the princely sum of £30 (USD$41)

Good thing Mark’s not a jerk. Or a scammer.

Neither, fortunately, is the guy who set up a misspelled phishing site in order to expose vulnerabilities that existed in Equifax’s breach response page.

Full-stack developer Nick Sweeting told The Verge that he set up the site securityequifax2017.com to point out the “huge mistake” Equifax made by using a domain that doesn’t have any trust attached to it, instead of hosting it on equifax.com.

See anything wrong with securityequifax2017.com? It’s understandable if you don’t. It’s a simple switcheroo of the words “security” and “equifax”.

Understandable, but unfortunate, therefore that Equifax itself mixed them up and actually tweeted the wrong URL, which is, really, a typosquatter’s dream scenario.

The tweets have since been deleted, but here’s the reply Tweet from Dave Rand (@LorettoDave), who caught Equifax’s mistake on Tuesday:

You have tweeted the wrong URL (securityequifax2017 instead of equifaxsecurity2017). You should delete this tweet and correct your mistake.

— Dave Rand (@LorettoDave) September 20, 2017

The Verge has a screen capture of the original, typosquatter’s dream message from Equifax. It also poked around and found three more tweets, since deleted, that had sent potential victims to the same false address, dating back as far as 9 September—in other words, Equifax has been sending people to potential scam sites from Twitter since the breach was disclosed.

Sweeting told The Verge that no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer.”

In response to the tweets Mark Stockley opined “at this point it’s getting hard to think of anything more that Equifax could do to confuse its users, muddy the waters and make life easy for scammers”.

Sweeting and Stockley only purchased a few domain names because they wanted to make a point. There’s nothing to stop criminals slurping up hundreds or even thousands of plausible-looking domains and hosting whole batteries of sites designed to part unwitting users from their passwords, credit card numbers or other private information.

One can imagine that it’s been a mad house at Equifax since the communications department first got the unenviable job of telling people about the breach. Unfortunately, it’s all too easy to slip up when you’re typing in a link, even in normal, unstressful times.

An Equifax spokesperson says that all posts with the wrong links have since been taken down. The company’s apologized for the confusion.

For years, we’ve known, and warned, about the dangers of typosquatting—domains that take advantage of misspelled company names—and cybersquatting—domains that borrow names of companies, public figures or other terms that exploit public interest in searching for those names.

The dangers include falling for traps laid by pay-per-click schemes, coming across ads for scammy products, or even falling prey to crooks that use the domains for phishing or to disseminate malware.

For a quick overview of our typosquatting report, check out the following video.

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)