Equifax Accidentally Directs 200,000 Customers To Fake Phishing Website

By Tyler Durden

And the hits just keep coming for Equifax, the once-trusted credit-monitoring firm that has been embroiled in one of the biggest corporate public-relations disasters in recent memory since disclosing that hackers had penetrated its cyber security defenses and absconded with sensitive personal and financial data belonging to 143 million Americans. Because of the types of data that were stolen, including drivers' license, social security and credit-card numbers, experts have described the hack as possibly the most damaging corporate hack yet.

As if this weren’t enough to permanently sully the firm’s reputation (amid cries of “you had one job!”, the staggering irony of a credit monitoring firm inadvertently divulging the very sensitive information it was supposed to safeguard hasn’t been lost on consumers), a series of subsequent disclosures have portrayed the firm’s executives as bungling, at best, and nefarious, at worst.

In the nearly two weeks since the story broke…

  • It was revealed that three of the firm’s executives, including its CFO, cashed out of stocks and options worth some $2 million in the month between when the company first learned about the hack, and when it was disclosed to the public. A federal prosecutor in Atlanta has opened a criminal investigation into Equifax that will focus both on whether the firm was criminally negligent in failing to patch a hole in its cybersecurity systems, as well as whether the suspect stock sales constitute securities fraud.
  • The company’s head of cyber security was revealed to have no background in computer science or security – a fact the company tried to hastily cover up by scrubbing her social-media profiles. Susan Mauldin, Equifax’s chief information security officer, has a bachelor’s degree in music composition and a master’s in fine arts from the University of Georgia.
  • Several Congressional committees have asked the company to turn over information relating to the hack as multiple investigations appear to be getting under way. The attorneys general of a handful of states, including Massachusetts and Rhode Island, have joined a probe into the company’s handling of the breach.
  • The company has been hit with dozens of lawsuits from consumers alleging fraud, abuse and negligence.
  • Equifax CEO Rick Smith has been called to testify before a special House panel early next month.

When Equifax first set up a website to allow consumers to check whether their information was compromised, it carried a waiver stating that by using the service consumers would forfeit the right to sue Equifax. The internet quickly exploded in outrage, and the company quickly clarified that the waiver didn’t apply to this hacking incident, which…sure. Now, The Verge, The New York Times and a handful of other media outlets are reporting that Equifax accidentally tweeted the link to an imposter website set up by a white-hat hacker hoping to expose glaring errors that the firm had made in setting up its verification website. This happened not once, but three times. And in at least one instance, the tweet with the phony link was left up for a whole day.

Here’s The Verge:

“Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.”

Luckily for consumers, the fake site wasn’t malicious. Instead, it was set up by developer Nick Sweeting to try to expose the glaring security weaknesses that the company had built into its recovery website, which it set up as a separate domain rather than as a subdomain of Equifax’s main website.

“Luckily, the alternate URL Equifax sent the victim to isn’t malicious. Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax's response page. “I made the site because Equifax made a huge mistake by using a domain that doesn't have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.”

Sweeting says no data will leave his page and that he "removed any risk of leaking data via network requests by redirecting them back to the user's own computer," so hopefully data entered on his site is relatively safe. Still, Equifax's team linked out to his page. That isn't reassuring.”

Prior to Equifax customer service sharing the imposter site, Sweeting says he emailed the company’s support team and tweeted to Equifax that he spotted a potential vulnerability. By the time the site was taken down, Sweeting says it had received more than 200,000 hits. In the spirit of transparency, Sweeting included a disclaimer on his site warning consumers that it was a fake – and blasting Equifax for its sloppy security practices.

According to the NYT, phishers cannot create a page on the equifax.com domain, so if the website were hosted there instead, it would be easy for users to tell that the page was legitimate.

“Fortunately for the people who clicked, Mr. Sweeting’s website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: “To enroll in complimentary identity theft protection and credit file monitoring, click here.” But a headline in large text differed: “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”

The legitimate Equifax domain was securityequifax2017.com. Sweeting’s was equifaxsecurity2017.com. And as one cybersecurity expert told the NYT, even the legitimate website looks fake because it’s not a subdomain of the larger Equifax site.

“You would think that would be the obvious place to start,” said Rahul Telang, a professor of information systems at Carnegie Mellon University. “Create a subdomain so that if somebody tries to fake it, it becomes immediately obvious.”

The company’s actions, Telang told the NYT, suggest that it had never anticipated or planned for a breach.
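The separate-domain problem described above (a brand-bearing name registered outside equifax.com carries no trust, and a token-swapped or typo'd clone is indistinguishable from it) can be made concrete with a small classifier. The following is an added example, not code from the article or from Equifax: it takes a trusted base domain and labels candidate URLs as a genuine subdomain of that domain, a lookalike (brand token embedded in an unrelated host, or a registrable label close to the brand), or unrelated. The hostname security2017.equifax.com is a hypothetical "what a subdomain would have looked like"; the two 2017 domains are the ones The Verge quote names, with equifaxsecurity2017.com treated as the legitimate one per that quote.

```python
"""Lookalike-domain classifier illustrating subdomain vs. separate-domain trust.

Added example (not from the article). The trusted domain, brand token and
similarity threshold are assumptions chosen for illustration; the sample URLs
are constructed, apart from the two 2017 domains quoted in the article.
"""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "equifax.com"   # the domain the experts quoted say should have hosted the page
BRAND_TOKEN = "equifax"          # brand string whose presence outside TRUSTED_DOMAIN is suspicious
THRESHOLD = 0.6                  # assumed similarity cut-off for typo-style lookalikes


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL; a bare domain gets a scheme first.

    Using a real URL parser matters: for 'https://equifax.com@evil.example/' the
    hostname is evil.example, while a naive substring check on the raw URL would
    see the brand and be fooled.
    """
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_subdomain_of(host: str, trusted: str) -> bool:
    """True only when host is exactly `trusted` or a label chain ending in '.trusted'."""
    return host == trusted or host.endswith("." + trusted)


def registrable_label(host: str) -> str:
    """Naive registrable label: the second-to-last dot-separated label (no PSL lookup)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def lookalike_score(host: str, brand: str) -> float:
    """Similarity (0..1) between the host's registrable label and the brand token."""
    return SequenceMatcher(None, registrable_label(host), brand).ratio()


def classify(url: str, trusted: str = TRUSTED_DOMAIN, brand: str = BRAND_TOKEN,
             threshold: float = THRESHOLD) -> str:
    """Classify a URL as 'trusted', 'lookalike', 'unrelated' or 'invalid'."""
    host = host_of(url)
    if not host:
        return "invalid"
    if is_subdomain_of(host, trusted):
        return "trusted"                     # trust inherited from the real domain
    if brand in host:
        return "lookalike"                   # brand token in a host we do not control
    if lookalike_score(host, brand) >= threshold:
        return "lookalike"                   # one-character typos and the like
    return "unrelated"


# Constructed sample input: the two article domains plus hypothetical variants.
SAMPLE_URLS = [
    "https://security2017.equifax.com/enroll",   # hypothetical subdomain hosting
    "https://www.equifaxsecurity2017.com",       # legitimate per The Verge quote
    "https://securityequifax2017.com",           # Sweeting's token-swapped clone
    "equlfax.com",                               # constructed one-character typo
    "https://equifax.com@evil.example/",         # constructed userinfo trick
    "https://example.org",                       # unrelated control
]


def classify_all(urls=SAMPLE_URLS) -> dict:
    """Map each URL to its verdict; both 2017 domains come out 'lookalike'."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in classify_all().items():
        print(f"{verdict:10} {url}")
```

The point the output makes is the one Sweeting and Telang make in the article: with a subdomain, `is_subdomain_of` settles the question in one string comparison, whereas both 2017 domains land in the same "lookalike" bucket because nothing structural distinguishes the real one from the clone. The registrable-label helper is deliberately naive (no public-suffix list), which is fine for a demonstration but would need `tldextract` or similar in production.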

This has become clear in the last few weeks. Now, the only thing left to be decided is whether the fact that the company was almost comically unprepared for a hack rises to the level of criminal negligence.

Gaius Frakkin' Baltar's picture

It sounds like those outsourcing and quota hires are really paying off.

Sanity Bear's picture

Is the username Nostradamus taken? I might want to switch.

http://www.zerohedge.com/news/2017-09-08/equifax-hit-70-billion-lawsuit-...

Sanity Bear Sep 8, 2017 1:22 PM

Wait, you guys aren't seriously entering your SS#s into some random website to "check" if they've been exposed, have you?


dizzyfingers's picture

I just tried to use the FTC website's permanent opt-out of the credit raters' websites. Guess what, you can't do it without typing in your social security number. There has to be a better way. Why should anyone trust any of the 3?

Cognitive Dissonance's picture

Clearly they have a 14 year old running their Twitter "outreach" program.

Like...really.

Gilnut's picture

Most "IT Professionals" are a bunch of f'n morons, been working in the field for quite some time now, trust me I know.  Just keep in mind that these same morons are the one's writing the programs that drive your "self-driving" car.  Think about that.


vealparm's picture

Fucking unbelievable, the head of security at Equifax is a music and fine arts major. In other words she is a ding-bat and never in her college career had a semi difficult math, science or computer course.

FireBrander's picture

I'd bet $1000 she couldn't format a drive and reinstall the OS.

FireBrander's picture

Dollar-to-a-doughnut says their "security" staff is at least 75% Indian imports.

FireBrander's picture

Look at what you have to MAIL IN to get a credit freeze....they want you to MAIL THIS via the post office!

"Include your full name, with middle initial and generation, such as JR, SR, II, III, etc.; Social Security number; date of birth (month, day and year); current address and previous addresses for the past two years; and $10 fee or a valid investigative or incident report or complaint with a law enforcement agency or the DMV. In addition, enclose one copy of a government issued identification card, such as a driver’s license, state ID card, etc., and one copy of a utility bill, bank or insurance statement, etc. Make sure that each copy is legible (enlarge if necessary), displays your name and current mailing address, and the date of issue (statement dates must be recent)."

Tapeworm's picture

I am not so stupid as to believe that this is what they request. You get a tentative downvote unless you provide the link.

If this is true, stay clear from my projectile vomit.

kommissar's picture

i truly believe 14y/o's would be more competent, because they "hide" shit from their parents.

E.F. Mutton's picture

Equifax Spokesman Moe Howard declined comment, but instead poked CIO Larry Fine in the eyes and said "Wise up, Porcupine"

MANvsMACHINE's picture

Equifax spokesman Moe, from Curly, Moe, and Larry fame....

He must be one of the three stooges although in this case, it looks like the number of stooges might be in the millions.

The Last Mofo Standing's picture

"If at first you don't succeed, keep on sucking till you do succeed" ... Jerome "Curly" Howard.

The Last Mofo Standing

detached.amusement's picture

...and then turns to his associate from Dewey, Cheatem, and Howe, and says "now get me out of this mess"

meterman's picture

Accidentally my ass! They directed me to that site last week  when I tried to sign up for their "FREE" identity theft protection. Just more criminal BS from Equifax.

Richard Chesler's picture

Lynch the fuckers already.

FORD_FIESTA's picture

why not post the address of the top executives of the company.....maybe we can visit and have coffee?

nmewn's picture

Ya nooo, if Equifax had hired a chief of security who had stellar qualifications...like say, a music degree from UofG (lol)...this never would have happened. 

Oh...wait  ;-)

Icewater Enema's picture

For a company like this where data security is so mission critical, only a music degree from Juilliard would do.

spastic_colon's picture

“Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com.

"The legitimate Equifax domain was securityequifax2017.com. Sweeting’s was equifaxsecurity2017.com."

Wait what??!

Snot Boogie's picture

Haha.  I guess it is pretty confusing and stupid to make that the website for their fuck up.  I went to it but didn't do anything as it looked like it might be a phishing scam and I couldn't be sure.

MANvsMACHINE's picture

Last night, I made a "mistake" and visited www.equifaXXX.com.

I told my wife I was phished!

SubjectivObject's picture

tough call when Equifux is the phishing scam

detached.amusement's picture

no shit, right?  my company does random faux phishing scams just to educate the dumbfucks, and that frickin site looked no different than your average run of the mill scam.  I chuckled and shook my head when coworkers clicked enroll to make sure they weren't hacked.

IT professional coworkers, at that!!!

Shitonya Serfs's picture

I saw that too...but It really doesn't matter anymore.

RagaMuffin's picture

Give Equifax a few drones and a couple of nukes and it would be the US gvt............

JLee2027's picture

They won't survive the lawsuits. And Experian and Trans Union won't survive the loss of data.  Neither will the IRS.  Criminals can now impersonate anyone, they have all the data needed.  They can grab your driver's license and ruin it.  Or your tax refund.   This is a massive, massive hit that will be felt for years to come.

sleigher's picture

As a result of this, it was stated on the radio that tax returns may be delayed up to a year.  This is all bullshit and cover for the fact the .gov has no $'s.  

11b40's picture

I enrolled for the free monitoring service 4 days ago after checking their site, and learning that my info was among those compromised.  The email with additional instructions to complete the sign up was received last night, so a little slow on the uptake.

I checked my wife's info, and the answer came back that she was not on the list of problem customers....but my Mother was.  Yesterday, I got a call from her bank about a Capital One credit card payment against her account.  No one in our family has a Capital One card.  I am her POA and manage her affairs.

Not 2 hours ago, AmEx sent my wife an email about a Home Depot charge, which she did not make. 

This is going to be an amazing clusterfuck.

Muppet's picture

The valid website offers free monitoring but you need to re-enter your personal details (ssn, dob, etc).   Then you get an activation code.  When I tried to activate, the monitoring details wouldn't load.   You can't reaccess because it says you're activated but the monitoring page never loads.  I suspect they're way overloaded.

Hongcha's picture

Muppet, it's all turning to shit before our eyes.  The amount of electronical fuckery to ensue will be breathtaking.  Time to plant an herb garden and spark some chronic :0) !

Kassandra's picture

But wait! There's more!
Anyone who has your information from the Equifax hack can unfreeze your credit at Experian.
The horses have truly left the barn.

https://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-c...

JLee2027's picture

LOLOLOL

It's not funny, but there isn't a solution to this except full complete abandonment of the SSN as a way to ID people and the shutdown of all systems that use it.

DosZap's picture

BINGO,

Also, just what the FEDS want to set up a chipping center,or something 10x's worse.

Implied Violins's picture

SHIT.

Fucking BINGO, dammit.

RFID chips. Biometric scans. Facial recognition.

That is EXACTLY what this is all about (beyond simply destroying everyone's financial ability to deal with the increasing chaos).

Time to lock and load. This shit is now IN OUR FACE.

Sanity Bear's picture

That's absolutely beautiful.

Hongcha's picture

Makes me want to hoard cash, silver and firearms :0).  The electronic shit is working towards complete compromise and massive systemic failure.  Chaos to ensue eventually.  Sad!

Keltner Channel Surf's picture

"Fake Phishing" site?  You'd think, consistent with their recent actions, they'd at least have the decency to ensure it was a genuine, legitimately dangerous phishing URL.

Sanity Bear's picture

This one is secure. You can tell because it's "https" instead of just "http".

https://i.imgur.com/aLTnObq.gif

motoXdude's picture

USA!  USA!  USA!   Corporate Boobs Own it Lock, Stock and Barrel ALL THE WAY!  Equifux:   Do us all a favor and relocate to China!   These boobs don't deserve salaries or jobs!   Amazing what passes for "Professional" these days!  I think Hillary should be put in-charge of their cyber security!