Equi-fail: Equifax directs customers affected by hack to fake phishing website
Just when you thought things couldn’t get worse for Equifax, leave it to the company responsible for one of the worst cybersecurity blunders in history to screw up yet again. The credit services company has apparently been directing customers affected by the attack to a fake phishing site via Twitter.
Earlier this month, Equifax announced they had discovered a breach in May that exposed the personal information of over 143 million American consumers. As businesses typically do after customer information is stolen, the company quickly set up a free credit monitoring service for people affected by the hack, and customers were directed to enroll at www.equifaxsecurity2017.com. However, over the past few days, an Equifax employee replying from the company’s official Twitter account directed concerned consumers to sign up for the service through securityequifax2017.com instead. Readers with a sharp eye will notice that this is not the correct address. In fact, it’s a non-functional phishing site set up by a cybersecurity engineer named Nick Sweeting to show how easy it would be to dupe unwary consumers into handing over even more information.
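The swap that fooled the Equifax account was a reordering of the same word pieces, and that is cheap to detect before a link is published. The following Python check is an added example, not code from the article or from Equifax; it assumes the official host is www.equifaxsecurity2017.com and that the checker is seeded with the pieces "equifax", "security" and "2017", and it treats the last DNS label as the suffix (a real deployment would use a public-suffix list).

```python
from urllib.parse import urlsplit

# Assumed for this example: the legitimate enrollment host named in the article
# and the word pieces it is built from (the vocabulary the checker is seeded with).
OFFICIAL_HOST = "www.equifaxsecurity2017.com"
OFFICIAL_TOKENS = ("equifax", "security", "2017")

def registrable_label(url_or_host: str) -> str:
    """Lowercased host minus 'www.' and its last label ('.com'); assumes a one-label suffix."""
    raw = url_or_host.strip()
    host = (urlsplit(raw if "://" in raw else "//" + raw).hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.rsplit(".", 1)[0] if "." in host else host

def segment(label: str, vocab: tuple[str, ...]) -> list[str]:
    """Greedy split into known tokens; unmatched runs get a '?' prefix so they never collide."""
    ordered = sorted(vocab, key=len, reverse=True)  # longest match first
    parts: list[str] = []
    residue, i = "", 0
    while i < len(label):
        match = next((t for t in ordered if label.startswith(t, i)), None)
        if match is None:
            residue, i = residue + label[i], i + 1
            continue
        if residue:
            parts.append("?" + residue)
            residue = ""
        parts.append(match)
        i += len(match)
    if residue:
        parts.append("?" + residue)
    return parts

def classify(candidate: str, official: str = OFFICIAL_HOST,
             vocab: tuple[str, ...] = OFFICIAL_TOKENS) -> str:
    """'official'; 'transposed' = same pieces in a different order (the securityequifax2017 case);
    'lookalike' = two or more official pieces plus extra or missing material; else 'other'."""
    cand, off = registrable_label(candidate), registrable_label(official)
    if cand == off:
        return "official"
    cand_parts, off_parts = segment(cand, vocab), segment(off, vocab)
    if sorted(cand_parts) == sorted(off_parts):
        return "transposed"
    if sum(not p.startswith("?") for p in cand_parts) >= 2:
        return "lookalike"
    return "other"
```

Running `classify("securityequifax2017.com")` returns "transposed", which is the case a support team's link checker should block outright.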
Sweeting reportedly registered the domain on September 8 (the day that Equifax announced the breach) for US$10. Sweeting has stated that the site (now inactive) was harmless and retained no customer information. There was no contact information on the site, and several of the links were broken or redirected to the music video of Rick Astley’s “Never Gonna Give You Up.” The site was blacklisted by most browsers but still gained over 200,000 hits in the short time it was up. A large part of those hits likely came via the official Equifax Twitter account.
An employee named Tim responded to multiple Equifax customers’ tweets with a link to Sweeting’s fake website as far back as September 9. Those replies have since been deleted, but the Internet does not forget: some people captured screenshots of Equifax’s replies before they were taken down.
Sweeting said that he created the fake website to show how easy it would be for someone to take advantage of the situation. He chastised Equifax, saying that the official URL (equifaxsecurity2017.com) and website look like something a phisher would actually use. Sweeting’s fake site was meant as a warning to consumers about the dangers of phishing attempts and a demonstration of how easy it is to trick people into giving out their personal information. Unfortunately for Equifax, the trick worked a bit too well.