After Equifax breach, company sent victims to wrong site for weeks

Posted September 21, 2017

After the breach was revealed on September 7, the company - one of the nation's three biggest credit bureaus - set up the website for customers to check if they had been affected.

Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to the lookalike site instead of its own. Instead of offering help, the site mocks Equifax for "using a domain that's so easily impersonated by phishing sites".

The tweets were taken down, but some had remained posted for over 24 hours, as Twitter users noted. Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax's response page. "I made the site because Equifax made a huge mistake by using a domain that doesn't have any trust attached to it [as opposed to hosting it on]", Sweeting tells The Verge. "It makes it ridiculously easy for scammers to come in and build clones - they can buy up dozens of domains, and typo-squat to get people to type in their info".

But at least as early as September 9 - just two days after announcing the hacking attack - Equifax representatives on Twitter were directing consumers to Sweeting's spoof site rather than to the company's own page, according to the Verge.
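The mistake described above, support staff linking a lookalike host that rearranges the words of the official one, is the kind of thing an outbound-link check can catch before a reply is posted. The following is an added example, not code from the article, Equifax or Sweeting; the allowlisted hosts and the candidate URLs are constructed placeholders (the article does not reproduce the real domain names). It classifies a URL as official, lookalike (same letters rearranged, a couple of character edits away, or the official name used as a subdomain prefix of another domain) or unrelated.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist of hosts a support team may link to (placeholders,
# not the real breach-response domain).
OFFICIAL_HOSTS = {"breachcheck2017.example", "www.breachcheck2017.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def extract_host(url: str) -> Optional[str]:
    """Return the normalised hostname of a URL, or None if there is none.

    urlparse() takes the host from after any '@', so a URL built as
    'official-looking-text@evil.example' resolves to the real host.
    """
    parsed = urlparse(url if "://" in url else "https://" + url)
    if not parsed.hostname:
        return None
    return parsed.hostname.lower().rstrip(".")


def classify_link(url: str, official=OFFICIAL_HOSTS, max_edits: int = 2) -> str:
    """Classify a URL as 'official', 'lookalike', 'unrelated' or 'invalid'."""
    host = extract_host(url)
    if host is None:
        return "invalid"
    # Exact match or a true subdomain of an allowlisted host.
    for o in official:
        if host == o or host.endswith("." + o):
            return "official"
    for o in official:
        # Official name reused as a subdomain prefix of some other domain.
        if host.startswith(o + "."):
            return "lookalike"
        # Same characters rearranged (word-order swap) or a few edits away
        # (typo-squat, digit/letter substitution).
        if sorted(host) == sorted(o) or edit_distance(host, o) <= max_edits:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates a reviewer might paste into a support reply.
    for candidate in ("https://www.breachcheck2017.example/check",
                      "https://checkbreach2017.example/",
                      "https://breachcheck2O17.example/",
                      "https://breachcheck2017.example.evil.example/",
                      "https://breachcheck2017.example@evil.example/"):
        print(f"{classify_link(candidate):10s} {candidate}")
```

Anything other than `official` should block the reply for human review; the heuristic deliberately errs toward flagging, since the cost of a false positive is a second look while the cost of a miss is sending people to a domain the company does not control.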

Each of the tweets containing Sweeting's URL is signed by someone at Equifax named "Tim". The impact of the Equifax breach is potentially massive and millions of people are seeking help and support in the wake of the incident.

Luckily for customers, and the company itself, the fake website isn't actually a phishing attempt. The site is a knock-off of the official Equifax breach notification site. It also shows a lack of a consistent response strategy. I don't necessarily blame the support team, as they're likely freelancers hired for this breach, but Equifax needs to get its response strategy together. Unfortunately that simple mistake could have put the consumer at even more risk by directing them to a site that has no affiliation with Equifax.

Update 2:02PM ET: Updated with three other tweets.