Equifax Does it Again [Almost]: A lesson to be learned
The Great Equifax Breach of 2017 allowed hackers to obtain sensitive information on approximately 143 million U.S. consumers. In order “to assist” victims of the attack, Equifax set up a website where people could go to learn whether or not they were affected by the breach.
Around the same time, full-stack developer Nick Sweeting set up a phishing site (an Equifax clone) to show just how easy it is for savvy hackers to set up sites that look like their legitimate counterparts but are actually constructed to trick users into voluntarily giving up sensitive personal information.
According to The Verge, Sweeting said:
“I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.” Sweeting says no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer.”
According to Sweeting, any information entered by visitors on that fake page is safe. Still, that doesn’t excuse Equifax for linking to a misspelled version of its own page, which, luckily for those who visited it, happened to be a harmless phishing page. Let this remind you of just how easy it is to set up a phishing site that looks exactly like the real site. According to Sweeting, it only took him about 20 minutes to clone the Equifax site.
And there’s a lesson to be learned here:
Whenever you are on a website that asks you to input sensitive personal information, such as your Social Security number, your street address, your credit card number(s), your driver’s license number, or any other sensitive personal information, MAKE SURE YOU’RE ON THE CORRECT SITE. You can’t count on anyone else to keep you safe, and you can’t count on any software program to keep you safe; you have to rely on your own good common sense. Take your time and verify the site before entering sensitive information on any website.
If you’re interested in learning more about this, here’s an excerpt from an article in The Verge. There’s a link to the entire article at the end. Great reading.
For weeks, Equifax customer service has been directing victims to a fake phishing site
… Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax’s response page. “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.” Sweeting says no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer,” so hopefully data entered on his site is relatively safe. Still, Equifax’s team linked out to his page.
Earlier this month, hackers broke into Equifax’s servers and stole 143 million people’s personal information, including their Social Security numbers. In response to the attack, Equifax set up a website — www.equifaxsecurity2017.com — for possible victims to verify whether they’re affected. Because the process involves sharing sensitive information, consumers have to trust they’re entering their data in the right place, which can be tricky because the breach-recovery site itself isn’t part of equifax.com. If users end up on the wrong site, they could end up leaking the data they’re already concerned was stolen.
Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours…
So, pray tell, how will any of us know 100% that we will be safe? Moreover, can the “https” be cloned too?
Hi, just double-check the address in the address bar. For instance, https://support.micorosoft.com is not the same as https://microsoft.support.com. The name before the dot com, dot net, dot whatever is the domain. http://experian.com is not the same as http://www.experion.com – be careful of misspellings.
And most of the time fake sites do not use https://, but they could.
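The lesson in the article (verify that you are on the correct site before entering data) and the reply above (the label just before the dot com is the domain, and https proves nothing about who owns the name) can be turned into a small check. The code below is an added example, not part of the original post or the commenter’s reply: it extracts the registrable domain from a link, ignores the scheme on purpose, and flags the three kinds of look-alike the page itself mentions, namely a misspelling (micorosoft, experion), the same characters in a different order (securityequifax2017 vs. equifaxsecurity2017), and the real brand appearing only as a subdomain of an unrelated domain (microsoft.support.com). The tiny PUBLIC_SUFFIXES set is a constructed stand-in for the real public suffix list, and the hostnames are the ones on this page plus constructed ones for illustration.

```python
"""Check whether a link's registrable domain is the one the user expects.

Added example: not code from the article, The Verge, or Nick Sweeting.
PUBLIC_SUFFIXES is a constructed stand-in for the real public suffix list;
production code should use the full list (for example via the tldextract
package) and should also handle internationalized (punycode) hostnames.
"""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the public suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def _hostname(url: str) -> str:
    """Lower-cased hostname of a URL; a bare hostname is accepted too."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Return the registrable domain, e.g. 'support.com' for
    https://microsoft.support.com/login. The scheme is ignored on purpose:
    https only proves the connection is encrypted, not who owns the name."""
    labels = _hostname(url).split(".")
    # Try the longest suffix first so that co.uk wins over uk.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, expected_domains) -> str:
    """Classify a link against the registrable domains the user intends to use.

    Returns one of:
      'expected'  - registrable domain is exactly one of expected_domains
      'lookalike' - a typo, a reordering of the same characters, or the
                    expected name appearing only as a subdomain of another domain
      'unrelated' - none of the above
    """
    host = _hostname(url)
    domain = registrable_domain(url)
    if domain in expected_domains:
        return "expected"
    label = domain.split(".")[0]
    # Labels that sit in front of the registrable domain (subdomains only).
    subdomains = host.split(".")[:-len(domain.split("."))]
    for expected in expected_domains:
        expected_label = expected.split(".")[0]
        # equifaxsecurity2017 vs securityequifax2017: same characters, new order
        if sorted(label) == sorted(expected_label):
            return "lookalike"
        # micorosoft vs microsoft, experion vs experian: a small edit distance
        if edit_distance(label, expected_label) <= 2:
            return "lookalike"
        # microsoft.support.com: the brand is only a subdomain of support.com
        if expected_label in subdomains:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, including the two domains from The Verge story.
    expected = ["equifaxsecurity2017.com", "equifax.com"]
    for link in ("https://www.equifaxsecurity2017.com/",
                 "https://securityequifax2017.com",
                 "https://example.org/equifax"):
        print(link, "->", classify_link(link, expected))
```

The check is meant as a defender-side helper (for a mail gateway, a browser extension, or just a script you run on a link someone sent you), and it errs on the side of reporting 'lookalike' for anything close to a name you care about; a 'lookalike' verdict is a reason to stop and look, not proof of fraud.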
Thank you for sharing your info and insight. I am somewhat speechless but not surprised, because of the nature of the beast! Thanks again!
Have you seen the Equifax TV propaganda commercial? It mentions the breach and recommends going to Equifax.com/scan for a one-time-only scan to see if your email address has been compromised and is on the “dark web.” Big whoopie!!! I want to know if my personal information has been compromised! In my opinion, that just adds insult to injury. It asks for your email address, then promises to send you an email with a link to see the results. The catch? You have to agree to their very brief “terms and conditions,” which, in my opinion, is nothing more than getting your permission for them (and their partners) to solicit their products.
I got the scan 4 days ago and still haven’t got an email with a link to the results. The breach is bad enough. The way Equifax has handled it is abominable. No way should Congress allow them to remain in business for one more day.
This is for sure an ID problem. Given how long this went on and the amount of information that was stolen, they have enough information to be you. This is not just changing your credit card out, etc. This is very bad.
I’m hoping we have someone in Washington who will realize that the other bureaus like this should be checked out also, with this many people in one spot. If these bureaus are going to exist, we have got to have better protection than this. Nowhere is going to be perfect, but things can be done better and shared.