They say it never rains but it pours — and we imagine the team at Equifax is looking pretty avidly for the umbrellas right now.
After being the home of the breach that exposed the personal data, Social Security numbers included, of some 143 million consumers, Equifax managed to tweet links to a fake version of its own breach-response website. The clone was built by Nick Sweeting, a software engineer who wanted to demonstrate just how easy the credit rating agency's site was to impersonate.
Fake sites happen, and luckily Mr. Sweeting was not a phisher vacuuming up personal data. What is unusual is that the fake site fooled the real company: several tweets from Equifax's own account directed consumers to his site, securityequifax2017.com, instead of the real one, equifaxsecurity2017.com. The two names are built from the same words in a different order, which is exactly why one was so easy to mistake for the other.
The tweets came down, and various browsers have since blacklisted the fake site. But not before it got 200,000 hits.
The fake site looked an awful lot like the real one — the layout was the same and it had an identical prompt at the top: “To enroll in complimentary identity theft protection and credit file monitoring, click here.”
But then the headlines changed it up some — and made it clear what the site really was: “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”
“Their site is dangerously easy to impersonate,” Mr. Sweeting said in an email. “It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there.”
“It’s in everyone’s interest to get Equifax to change this site to a reputable domain,” he added. “I knew it would only cost me $10 to set up a site that would get people to notice, so I just did it.”
Equifax has apologized for the confusion but has not answered what many consider the key question: why stand up a separate, newly registered domain at all, rather than host the breach response on a subdomain of equifax.com, where the parent domain itself vouches for the site?
“You would think that would be the obvious place to start,” said Rahul Telang, a professor of information systems at Carnegie Mellon University. “Create a subdomain so that if somebody tries to fake it, it becomes immediately obvious.”
Mr. Telang further noted Equifax’s actions indicate the company had not really planned for a data breach.
“If you don’t have a plan in place, you will find different ways to screw it up,” he said. “Equifax is just a perfect example of that.”
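The subdomain argument above can be made concrete. The check below is an added example, not code from the article or from Equifax, and it assumes equifax.com as the brand's canonical domain, equifaxsecurity2017.com as the breach-response host, and a small word list for tokenising lookalike names. It does two things: it accepts a link only when its registrable domain is equifax.com (so security.equifax.com passes and any sibling domain fails), and it flags hosts that are a word-order swap of the real site, which is the securityequifax2017.com pattern. Note that the genuine equifaxsecurity2017.com itself fails the first check, which is the whole problem with a separate domain.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the article): the brand's canonical registrable domain,
# the breach-response host, and the word list used to tokenise lookalike labels.
# Real deployments should derive the registrable domain from the Public Suffix
# List rather than the two-label simplification used here.
TRUSTED_REGISTRABLE = "equifax.com"
LEGIT_HOST = "equifaxsecurity2017.com"
VOCABULARY = {"equifax", "security"}


def hostname_of(url):
    """Extract the host from a URL; accept bare hosts as pasted from a tweet."""
    if "//" not in url:
        url = "//" + url
    return urlparse(url).hostname


def registrable_domain(host):
    """Last two labels of the host (simplification; see note above)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def is_trusted(url):
    """True only when the link sits under the brand's own domain, i.e. a
    subdomain such as security.equifax.com, never a sibling domain."""
    host = hostname_of(url)
    return host is not None and registrable_domain(host) == TRUSTED_REGISTRABLE


def segment(label, vocabulary):
    """Greedily split a DNS label into known words and digit runs:
    'equifaxsecurity2017' -> ['equifax', 'security', '2017'].
    Returns None if any part of the label is unrecognised."""
    words = sorted(vocabulary, key=len, reverse=True)
    out, i = [], 0
    while i < len(label):
        digits = re.match(r"\d+", label[i:])
        if digits:
            out.append(digits.group())
            i += len(digits.group())
            continue
        for word in words:
            if label.startswith(word, i):
                out.append(word)
                i += len(word)
                break
        else:
            return None
    return out


def is_token_swap(candidate_host, legit_host, vocabulary=VOCABULARY):
    """True when both hosts use the same words and numbers in a different
    order under the same TLD: securityequifax2017.com vs equifaxsecurity2017.com."""
    cand = registrable_domain(candidate_host)
    legit = registrable_domain(legit_host)
    if cand is None or legit is None or cand == legit:
        return False
    if cand.split(".")[-1] != legit.split(".")[-1]:
        return False
    c = segment(cand.split(".")[0], vocabulary)
    l = segment(legit.split(".")[0], vocabulary)
    return c is not None and l is not None and sorted(c) == sorted(l)


def classify(url):
    """'trusted' (under equifax.com), 'lookalike' (word swap of the
    breach-response host) or 'unverifiable' (any other registrable domain,
    which is where the genuine equifaxsecurity2017.com itself lands)."""
    host = hostname_of(url)
    if host is None:
        return "unverifiable"
    if is_trusted(url):
        return "trusted"
    if is_token_swap(host, LEGIT_HOST):
        return "lookalike"
    return "unverifiable"


if __name__ == "__main__":
    # Constructed sample links, not the actual tweets.
    for link in ["https://security.equifax.com/",
                 "https://www.equifaxsecurity2017.com/",
                 "https://securityequifax2017.com/"]:
        print(f"{link:45} -> {classify(link)}")
```

The token-swap check is deliberately narrow: it catches the reordering that fooled Equifax's own social media team but not typos, homoglyphs or extra words, which is why the registrable-domain check is the one that matters. A response site under a subdomain of the brand passes it; every freshly registered name, fake or genuine, fails it.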