Equifax has been sending customers straight into a hacker’s trap for weeks
The credit management company Equifax has been sending customers to a fake “phishing” website for weeks, potentially causing them to hand over their personal data and full financial information to hackers.
The Verge reported Wednesday that Equifax representatives sent customers looking for help with the massive data breach — which potentially compromised 143 million people’s private information — to a copycat site thanks to a typographical error.
After the data breach was revealed earlier this month, Equifax established the domain www.equifaxsecurity2017.com to handle incoming customer questions and complaints. This website is not connected to Equifax’s main website.
“If users end up on the wrong site, they could end up leaking the data they’re already concerned was stolen,” the Verge reported.
On Wednesday, a user reached out to Equifax on Twitter asking for assistance. The responding tweet sent the user to www.securityequifax2017.com, which is an impostor site designed to look like the Equifax splash page.
The company deleted the erroneous tweet, but a quick scan of their Twitter feed showed that they have sent multiple customers to the phony address. Those tweets have been deleted now, as well.
Fortunately for users who followed the mistaken link, www.securityequifax2017.com is a “white hat” hacker site set up by developer Nick Sweeting as a demonstration of popular phishing techniques.
“I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting told The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.”
Sweeting says he notified Equifax of their vulnerability and emailed them about his decoy site, but never got any response.
The Verge said, “Equifax’s entire response to the breach has been a mess. The company’s website set off alarms for lawyers who worried it might waive victims’ right to sue the company, and the response phone line representatives actually had no information and just directed concerned consumers back to the website.”