For nearly two weeks after a data breach exposed the personal information of some 143 million U.S. consumers, Equifax's own support account was directing victims to a lookalike phishing domain instead of the site the credit firm had set up to help them.
Initially noted in a report from The Verge, a series of tweets responding to customer inquiries pointed users to a fake website whose domain simply swapped the order of the two words in the real one. The tweets, signed by “Tim,” sent users to securityequifax2017.com, while the legitimate Equifax URL was equifaxsecurity2017.com. A transposition like this passes a casual glance far more easily than a misspelling would.
Equifax was tweeting links to the fake URL as far back as September 9, while The Verge report was published on September 20. The tweets have since been removed.
The website set up by Equifax asked visitors to enter specific personal information to confirm whether or not they had been affected by the breach. A malicious clone of that form, on a domain that looks almost identical, would have harvested exactly the data victims were trying to protect, and it would have been hard to distinguish from the real thing because Equifax itself had published the link.
Luckily for everyone involved, though, the fake website doesn’t seem to be malicious in nature. According to the report, developer Nick Sweeting told The Verge that he set up the site “because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it.” Doing so tends to make it easier for cloned sites to be made to scam users, he said. Sweeting also noted that no data will leave his site.
RSA senior director of advanced cyber defense, Peter Tran, said that the fact that there are some 143 million citizens who feel vulnerable and need help is a perfect “watering hole” for cybercriminals.
Attackers could respond with malicious solicitations to help, Tran said, and this is likely just the beginning of the fallout that will come as a response to this breach. As such, Tran said that copycats will come out in droves, and will be “hard to spot amidst the chaos of post breach responses of this magnitude.” The problem is further exacerbated by the fact that users won’t know who to trust as they seek to mitigate the damage.
“Consumers need to be very aware of ‘honey holes’ offering free or very low cost services to help protect your identity or monitor your data as it is becoming increasingly difficult to vet the phishers and spoofers during the post breach recovery window,” Tran said. “This is an expected ripple effect.”
The problems are also made worse by social media, as it is easier than ever for victims to like and share the wrong information, which then becomes a “force multiplier” for the efforts of the cybercriminals, Tran said.
Users should double-check the full hostname of any website they go to for help, comparing it character by character against the address published by the company rather than relying on whether the words look familiar, since a swapped or lightly altered domain reads as legitimate at a glance. Even then, Equifax’s own website has some serious flaws: it can provide inaccurate results, and the terms of the service it offered could waive a victim’s ability to sue the company over the breach.
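To make the two points above concrete (how cheaply an attacker can mint a word-swapped lookalike such as securityequifax2017.com, and what a strict hostname check has to cover), here is a small added example. It is illustrative code written for this article, not Equifax's or The Verge's, and it only uses the two domain names the article reports; the list of alternative TLDs and the test URLs are constructed for the demonstration.

```python
import itertools
from urllib.parse import urlsplit

# Constructed from the article: the legitimate breach-response domain was
# equifaxsecurity2017.com, made of two word tokens, a year and a TLD.
OFFICIAL_TOKENS = ("equifax", "security")
OFFICIAL_SUFFIX = "2017"
OFFICIAL_TLD = "com"
OFFICIAL_HOST = "".join(OFFICIAL_TOKENS) + OFFICIAL_SUFFIX + "." + OFFICIAL_TLD


def lookalike_candidates(tokens, suffix, tld):
    """Enumerate lookalike hostnames an attacker (or a defender deciding what
    to pre-register and monitor) would consider for a multi-word domain:
    every ordering of the word tokens, with and without hyphens, with and
    without the numeric suffix, across a few alternative TLDs (the TLD list
    is an assumption for the example). The legitimate host is excluded."""
    hosts = set()
    tlds = {tld, "net", "org", "info"}
    for order in itertools.permutations(tokens):
        for sep in ("", "-"):
            base = sep.join(order)
            for tail in (suffix, ""):
                for t in tlds:
                    hosts.add(f"{base}{tail}.{t}")
    hosts.discard("".join(tokens) + suffix + "." + tld)
    return sorted(hosts)


def registrable_host(url):
    """Return the lowercased hostname of url, or None if it cannot be parsed.
    urlsplit() drops userinfo and port, so a URL such as
    https://equifaxsecurity2017.com@evil.example/ yields 'evil.example',
    which is the host the browser would actually connect to."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host.lower().rstrip(".")


def is_official(url, official_host=OFFICIAL_HOST):
    """True only when the URL's host is the official host itself or a
    subdomain of it (e.g. www.equifaxsecurity2017.com). A transposed name,
    a different TLD, the official name used as a subdomain label of another
    domain, or the official name placed in the userinfo part all fail."""
    host = registrable_host(url)
    if host is None:
        return False
    return host == official_host or host.endswith("." + official_host)


if __name__ == "__main__":
    cands = lookalike_candidates(OFFICIAL_TOKENS, OFFICIAL_SUFFIX, OFFICIAL_TLD)
    print(f"{len(cands)} lookalike candidates, e.g. {cands[:4]}")
    print("tweeted domain in candidate list:",
          "securityequifax2017.com" in cands)
    for u in ("https://www.equifaxsecurity2017.com/",
              "https://securityequifax2017.com/",
              "https://equifaxsecurity2017.com.evil.example/",
              "https://equifaxsecurity2017.com@evil.example/"):
        print(f"{u:50} official={is_official(u)}")
```

The candidate generator is deliberately naive; it still produces the exact domain Equifax tweeted, which is the point: the cheapest possible variation is enough when the victim has been handed the wrong link by the company itself. The check in is_official compares the whole hostname, not a substring, so the two classic bypasses (official name as a leading label of another domain, and official name in the userinfo before an @) are rejected along with the transposition.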
The 3 big takeaways for TechRepublic readers
- Equifax tweeted a link to a lookalike phishing domain for nearly two weeks after a breach exposed 143 million people’s personal information.
- The site isn’t malicious, according to its creator, but it does highlight how easy it is for attackers to prey on victims of massive data breaches.
- Cybersecurity experts warn users to be wary of low-cost or free services offering help in the wake of the Equifax hack, and they should double-check that the URL is legitimate.