For weeks, Equifax customer service has been directing victims to a fake phishing site


CNN

Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.

Further research revealed three more tweets that had sent potential victims to the same false address, dating back as far as September 9th.

Luckily, the alternate URL Equifax sent the victim to isn’t malicious. Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax’s response page. “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.” Sweeting says no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer,” so hopefully data entered on his site is relatively safe. Still, Equifax’s team linked out to his page. That isn’t reassuring.
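The failure Sweeting describes, a brand name and a word swapped inside a domain that carries no trust of its own, is exactly the kind of lookalike an allow-list check can catch before a support team pastes a link. The following is an added example written for this article, not code from Equifax, Sweeting, or The Verge. It assumes a constructed allow-list of two domains and a deliberately simple "last two labels" notion of registered domain, and it flags a URL as a lookalike when its domain is an anagram of a trusted one (reordered words), within two edits of it (a typo), or merely contains the brand token.

```python
"""Classify a URL's domain as trusted, lookalike, or unrelated.

Constructed example for the Equifax typosquat story; the allow-list and
brand tokens below are assumptions, not data taken from the article.
"""
from urllib.parse import urlparse

# Constructed allow-list: the two hostnames the article treats as legitimate.
TRUSTED_DOMAINS = {"equifax.com", "equifaxsecurity2017.com"}

# Constructed brand tokens: an unlisted domain containing one is suspicious.
BRAND_TOKENS = ("equifax",)


def registered_domain(url: str) -> str:
    """Return the host's last two labels, lower-cased.

    'https://www.equifaxsecurity2017.com/enroll' -> 'equifaxsecurity2017.com'.
    Assumption: multi-label public suffixes such as co.uk are not handled;
    a real deployment would use the Public Suffix List instead.
    """
    if "//" not in url:          # bare hostnames have no scheme to parse
        url = "//" + url
    host = urlparse(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'trusted' if on the allow-list, 'lookalike' if it imitates a trusted
    domain or the brand, otherwise 'unrelated'."""
    domain = registered_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.split(".")[0]
        # Same letters in a different order: 'securityequifax2017' vs
        # 'equifaxsecurity2017', the swap in the article.
        if sorted(label) == sorted(t_label):
            return "lookalike"
        # One or two typos away: a dropped letter, a hyphen, an O for a 0.
        if edit_distance(label, t_label) <= 2:
            return "lookalike"
    if any(token in label for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links of the kind a support agent might be handed.
    for link in ("https://www.equifaxsecurity2017.com/enroll",
                 "http://securityequifax2017.com",
                 "equifaxsecurity2O17.com",
                 "https://equifax-help.net/",
                 "https://example.org/"):
        print(f"{classify(link):10s} {link}")
```

The anagram test is what catches the article's specific mistake; the edit-distance and brand-token tests cover the other shapes typosquatters use. The check is a guard for the people publishing links, not a substitute for hosting the response page under the domain customers already trust.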

Prior to Equifax customer service sharing the imposter site, Sweeting says he emailed the support team and tweeted to Equifax that he spotted a potential vulnerability.

Equifax’s entire response to the breach has been a mess. The company’s website set off alarms for lawyers who worried it might waive victims’ right to sue the company, and the response phone line representatives actually had no information and just directed concerned consumers back to the website.

Although the misspelled link likely wasn’t intentional on Equifax’s part, it demonstrates just how easy it is for attackers to trick consumers — even the company’s own support team was fooled. It also shows a lack of a consistent response strategy. I don’t necessarily blame the support team, as they’re likely freelancers hired for this breach, but Equifax needs to get its response strategy together.

If you’re signing up for Equifax’s identity monitoring, requesting a credit freeze, or inputting your personal information anywhere online, double check that you’ve navigated to the right webpage.