Equifax has been directing victims to a fake phishing site for weeks
In failing to correctly patch a known vulnerability and exposing the personal data of potentially 143 million Americans to hackers, Equifax made a security blunder of epic proportions — however, it appears the company is just getting started.
Leaving its digital doors wide open to criminals apparently wasn't enough for the credit reporting agency, as it's now sending hack victims directly into the open arms of unknown internet pranksters.
Yes, Equifax is directing those concerned about the data breach and its repercussions to a fake website set up to troll the company itself. That's right, the official Equifax Twitter account is pointing people to what looks to be a fake site (aka a phishing site).
Following a data breach of this size, it's not unusual to see websites pop up that mimic official help pages. Typically, the goal of these phishing sites is to trick worried consumers into handing over their personal information. In this case, Equifax created a very real site — https://www.equifaxsecurity2017.com — where people can enter their last name along with the last six digits of their social security number to see if they were affected by the hack.
Unsurprisingly, someone cloned that site and hosted that copy at a very similar URL: https://securityequifax2017.com. The two sites, one real and one fake, look the same to the casual observer. In fact, they are so easily confused that Equifax itself apparently can't tell the difference.
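The confusion described above is mechanical: the clone simply reorders the words of the official domain. The following is an added example (not code from the article or from Equifax) of a pre-publish link check a communications or security team could run over a draft message; the official domain is the one named in the article, while the token list, the helper names and the sample draft tweet are constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Official breach-response domain named in the article; the clone reorders its words.
OFFICIAL_DOMAIN = "equifaxsecurity2017.com"
# Word list used to split the domain label into tokens (an assumption for this example).
TOKENS = ("equifax", "security", "2017")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed draft reply, not a real tweet.
SAMPLE_DRAFT = "Thanks for reaching out. To check if you're affected, visit https://securityequifax2017.com"

def hostname(url: str) -> str:
    """Lower-cased host with any trailing dot removed."""
    return (urlparse(url).hostname or "").lower().rstrip(".")

def tokenize(label: str):
    """Greedily split a label into known tokens; None if anything is left over."""
    out = []
    while label:
        for tok in TOKENS:
            if label.startswith(tok):
                out.append(tok)
                label = label[len(tok):]
                break
        else:
            return None
    return out

def classify(url: str) -> str:
    """'official', 'lookalike' (same words reordered, other TLD, or official label as a subdomain) or 'other'."""
    host = hostname(url)
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Registrable part approximated as the last two labels (no public-suffix list in this example).
    registrable = ".".join(host.split(".")[-2:])
    name = registrable.rpartition(".")[0]
    official_name = OFFICIAL_DOMAIN.rpartition(".")[0]
    toks = tokenize(name)
    if toks is not None and sorted(toks) == sorted(tokenize(official_name)):
        return "lookalike"      # e.g. securityequifax2017.com or equifaxsecurity2017.net
    if official_name in host:
        return "lookalike"      # official label reused on someone else's domain
    return "other"

def audit(text: str):
    """Return (url, verdict) for every link in a draft message before it is posted."""
    return [(url, classify(url)) for url in URL_RE.findall(text)]
```

Running audit(SAMPLE_DRAFT) flags the reordered domain as a lookalike, which is the check that would have caught the tweets the article describes.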
Come on, Tim. Credit: Mashable
If you look closely at the above pictured Twitter exchange, you'll see that someone operating the Equifax account named Tim linked to the fake website. The timestamp on the tweet is from September 19, and the tweet was still up as of the morning of September 20 (it was deleted during the course of writing this story).
Also, this is not the only tweet that listed the incorrect website. It happened at least eight times.
Thankfully, the maker of the spoofed site seems more interested in calling out Equifax for their incompetence than stealing the personal information of unsuspecting victims. Probably.
"Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites," reads the header of the fake site.
"Equifax should have hosted this on equifax.com with a reputable [EV] SSL Certificate. Instead they chose an easily impersonated domain and used a jelly-bean SSL cert that any script kiddie can impersonate in 20min," the fake site adds.
Clicking through the links prompts a person to enter their last name and the last six digits of their SSN, much like on the real Equifax site, but upon hitting "continue" the cloned webpage gives you a warning. "you just got bamboozled," reads a popup window. "this isnt a secure site [sic]! Tweet to @equifax to get them to change it to equifax.com before thousands of people loose [sic] their info to phishing sites!"
The fake phishing site. Credit: Mashable
It's not clear if the site captures the data entered by a tricked consumer, or if it discards it. There is no real contact information on the page, and many of the links take you to a YouTube video for Rick Astley's "Never Gonna Give You Up" — a classic internet prank known as "rickrolling." A WHOIS lookup of the domain shows it was created on September 8, but does not list the owner.
Security researcher Nick Sweeting, however, has taken credit for the site, and claims he is not stealing any of the entered data.
"[Equifax's] response to this incident leaves millions vulnerable to phishing attacks on copycat sites," reads the fake page. "This is why you don't put your security incident website on a domain that looks like a scam (with an Amazon SSL cert), no-one can tell the difference between the real thing and a phishing site."
That the aforementioned "no-one" includes whoever's running Equifax's Twitter account doesn't bode well for the company — or anyone unlucky enough to have their personal information collated in its massive and poorly secured database.
What does Equifax have to say about all this? Unfortunately, not much.
"All posts using the wrong link have been taken down," a spokesperson told Mashable via email. "To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologize for the confusion."
No word yet on whether or not Tim will be forced to apologize to all of us directly.