Someone Made a Fake Equifax Site. Then Equifax Linked to It.--NY Times

tuckeverlasting

tuckeverlasting

Recycles dryer sheets
Joined
Apr 25, 2011
Messages
124
Location
The Emerald City
by Maggie Astor

People create fake versions of big companies’ websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake.

Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of equifaxsecurity2017.com, Equifax’s page about the security breach that may have exposed 143 million Americans’ personal information. Several posts from the company’s Twitter account directed consumers to Mr. Sweeting’s version, securityequifax2017.com. They were deleted after the mistake was publicized.

By Wednesday evening, the Chrome, Firefox and Safari browsers had blacklisted Mr. Sweeting’s site, and he took it down. By that time, he said, it had received about 200,000 hits.

Fortunately for the people who clicked, Mr. Sweeting’s website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: “To enroll in complimentary identity theft protection and credit file monitoring, click here.” But a headline in large text differed: “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”

Continue reading the main story

https://www.nytimes.com/2017/09/20/...version=Full&region=Marginalia&pgtype=article
 
Sweet creeping Cthulhu on a crutch! Who the hell is running their IT department?

Are TransUnion and Experian better, or have they just not screwed up in public yet?
 
Nightcap said:
Sweet creeping Cthulhu on a crutch! Who the hell is running their IT department?

Are TransUnion and Experian better, or have they just not screwed up in public yet?
Click to expand...

Unfortunately I suspect it's the latter. Experian has had a couple of famous breaches, but not as comprehensive as the Equifax one, AFAIK, and maybe they've been motivated to clean up their act a bit since being embarrassed.
 
Nightcap said:
Sweet creeping Cthulhu on a crutch! Who the hell is running their IT department?
Click to expand...

Did someone on Equifax IT tweet the bad link?

You are blaming the gun and should be blaming the shooter.
 
ace8 said:
Did someone on Equifax IT tweet the bad link?

You are blaming the gun and should be blaming the shooter.
Click to expand...

Not sure what that means, but as a career IT person I can tell you that it's brain-dead to set up a new domain if you're using it to collect sensitive information. If you look at the URL line in your browser when you're at Equifax, you'll see a lock, or the URL in green, indicating that it's an encrypted link and the other end is in fact "equifax.com." Do you have any idea who "equifaxsecurity2017.com" is? You should not trust that address. You should certainly not enter sensitive information into that website, but that's what Equifax expects you to do.

The biggest security flaw on the Internet is people. They get an email saying, "Hello, I am you bank. Your account may have be hacked. Please to provide your full name, social security numbers, account number, PIN..." and they actually comply. They get sent to a website they've never heard of and, just because they see Apple's log, they try to log in with their Apple ID and password, handing that information over to evildoers.

In sum: Equifax is manifestly incompetent.
 
Wow, this is bad, Some of you IT security retirees with great credentials(not necessary as we saw a music major was the old boss), apply for the job. Ask for big bucks Im sure they were already paying 7 figures. If you need a driver send me a PM, Im available after mom goes to bed.
 
The big problem is authenticating who one is talking to on the internet. Some good minds are working on that problem and we should see some improvements if the people in charge will implement them. (I'm looking at you American bankers who still won't do chip-and-pin properly.)

But, I fear that the same very vulnerable people who hire some drive-by 'contractor' to fix fake problems with their roof will still be taken by criminals.
 
Last edited:
You must log in or register to reply here.

Similar threads

MichaelB
Looks like Equifax was breached
10 11 12
Replies
289
Views
24K
audreyh1
audreyh1

Latest posts

Back
Top Bottom