Slashdot Mirror


Equifax Has Been Sending Consumers To a Fake Phishing Site for Almost Two Weeks (gizmodo.com)

An anonymous reader shares a Gizmodo report (condensed for space): For nearly two weeks, the company's official Twitter account has been directing users to a fake lookalike website. After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, a website where they can enroll in identity theft protection services and find updates about how Equifax is handling the "cybersecurity incident." But the decision to create "equifaxsecurity2017" in the first place was monumentally stupid. The URL is long and it doesn't look very official -- that means it's going to be very easy to emulate. To illustrate how idiotic Equifax's decision was, developer Nick Sweeting created a fake website of his own: securityequifax2017.com. (He simply switched the words "security" and "equifax" around.) As if to demonstrate Sweeting's point, Equifax appears to have been itself duped by the fake URL. The company has directed users to Sweeting's fake site sporadically over the past two weeks. Gizmodo found eight tweets containing the fake URL dating back to September 9th.
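The word-swap lookalike described in the summary is exactly the kind of link a communications team could screen for before publishing. The check below is an added example, not code from Gizmodo, Equifax or Nick Sweeting; the official-domain set, the brand token list and the shortener list are assumptions constructed for it.

```python
from urllib.parse import urlparse

# Assumed allow-list: the domains the organisation actually controls (from the page).
OFFICIAL_DOMAINS = {"equifax.com", "equifaxsecurity2017.com"}
# Assumed: the tokens the official lookalike-prone name is built from.
BRAND_TOKENS = sorted(["equifax", "security", "2017"], key=len, reverse=True)
# Assumed: link shorteners whose real destination cannot be checked from the URL alone.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL (scheme optional), with a leading 'www.' removed."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def tokenize(label: str):
    """Split a domain label into brand tokens; None if any part is not a brand token."""
    tokens, i = [], 0
    while i < len(label):
        for tok in BRAND_TOKENS:          # longest token first
            if label.startswith(tok, i):
                tokens.append(tok)
                i += len(tok)
                break
        else:
            return None
    return tokens


def classify_link(url: str) -> str:
    """'official', 'shortened', 'lookalike' (same brand tokens, reordered) or 'unknown'."""
    host = host_of(url)
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"                 # subdomains of an owned domain are fine
    if host in SHORTENERS:
        return "shortened"                # destination hidden; resolve it before trusting
    label, _, tld = host.rpartition(".")
    toks = tokenize(label)
    for official in OFFICIAL_DOMAINS:
        olabel, _, otld = official.rpartition(".")
        otoks = tokenize(olabel)
        if toks and otoks and tld == otld and sorted(toks) == sorted(otoks):
            return "lookalike"            # e.g. securityequifax2017.com vs equifaxsecurity2017.com
    return "unknown"
```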

14 of 154 comments

  1. Is someone paying them to be this stupid? by H3lldr0p · · Score: 5, Insightful

    Because it's incredible how stupid this whole thing has been.

    How can anyone be this bad at their core business?

    1. Re:Is someone paying them to be this stupid? by fightinfilipino · · Score: 3, Insightful

      Because it's incredible how stupid this whole thing has been.

      How can anyone be this bad at their core business?

      the "free market" at work: screwing over ordinary people because who's going to stop them?

    2. Re:Is someone paying them to be this stupid? by Pascoea · · Score: 3, Insightful

      vote to sweep the entire company clean....and start over.

      Won't happen. There is no way they can afford that many multi-million dollar golden parachutes at the same time. And you're not going to see a single executive actually punished over this.

    3. Re:Is someone paying them to be this stupid? by Anonymous Coward · · Score: 2, Insightful

      Because a government enabled credit-reporting oligopoly is totally the same thing as a free market! Get the government to run it like healthcare and the postal service, that'll fix everything!

    4. Re: Is someone paying them to be this stupid? by Anonymous Coward · · Score: 2, Insightful

      Pfffft, they're too big to fail (or too much money over government influence).

      They'll get a couple lashes from a whip to set an example and lose some revenue but they'll continue on. Consumers are their main product, not their customer.

      Businesses and banks will continue using them as if nothing happened. Years or decades later, information from this breach will be used by independent groups worldwide for identity theft related purchases. They may even drum up some new business for their consumer directed credit services. The entire system is a sham, it's not going anywhere. I'm buying some Equifax stock right now while it drops, they'll ultimately grow back... That's how shams at the highest levels work.

    5. Re: Is someone paying them to be this stupid? by liquid_schwartz · · Score: 4, Insightful

      When you add together all the people on Medicare, Medicaid, and the VA, yes, the government runs a BIG part of healthcare in the US - approx 120,000,000 people, and it's going up every day.

      To be fair the government isn't even trying to run health care efficiently. If it was Canada with a market 1/10th the size of the US, wouldn't be getting lower drug pricing. The states would be able to band together for greater purchasing power (or insurers across state lines for that matter). You could lower the cost of government medicine by >25% in an afternoon by merely dropping barriers that have been artificially put in place to keep well connected drug companies flush with cash. The Feds have clearly chosen the side they favor with health care policy - and it's drug companies not consumers, patients, or taxpayers.

    6. Re:Is someone paying them to be this stupid? by ShanghaiBill · · Score: 4, Insightful

      Punishing stupid with jail time has been proven to reduce, though not eliminate, stupid's influence on the average citizen.

      This is an idiotic knee-jerk solution. America already imprisons far more people than other countries, and we expend huge resources to do it, despite evidence that it increases future crime through direct recidivism as well as indirectly by destroying families and degrading communities.

      So now we are going to put even more people in prison, not because they are violent, but because they are stupid?

      Where is your "proof" that prison reduces stupidity? The PIC is a result of stupidity, not a solution to it.

      A far better solution is monetary penalties, that reduce the harm from stupidity by incentivising investors and shareholders to demand verified compliance with industry best practices.

    7. Re: Is someone paying them to be this stupid? by quintus_horatius · · Score: 4, Insightful

      America already imprisons far more people than other countries, and we expend huge resources to do it, despite evidence that it increases future crime through direct recidivism as well as indirectly by destroying families and degrading communities.

      Maybe that's because we're putting the wrong people in jail.

    8. Re:Is someone paying them to be this stupid? by Anonymous Coward · · Score: 5, Insightful

      So now we are going to put even more people in prison, not because they are violent, but because they are stupid?

      No, but criminally negligent on such an epic scale it can be barely conveyed.

      If the financial information of 143 million US people has been compromised, this is literally almost every working age person in the country who has a credit history having their personal information put in the clear. And since people don't apparently have a choice in whether these assholes get their information, they could ruin the lives of people who didn't have a say in this company having their information for decades to come.

      The sheer magnitude of this fuck up is impossible to explain, because it could literally result in tens of billions in damages to consumers because some fucking idiot was too lazy or stupid to apply a known security patch. You know, like "well, the plane might explode if you fly above 5000 feet but we'll keep that secret" kind of depraved indifference.

      A far better solution is monetary penalties, that reduce the harm from stupidity by incentivising investors and shareholders to demand verified compliance with industry best practices.

      Mother fucking verified compliance with industry best practices????? Are you fucking kidding us? Incenti-fucking-vising goddamned shareholders??? Jesus fucking Christ, are you thinking when you type this shit?

      This colossal fuck up means pretty much every adult in America with a credit history could be spending the rest of their lives subject to fraud. All of them. Anybody who shows up in this massive database, with the most vital and sensitive and unalterable information about them.

      No, the only real response to this is Equifax pretty much needs to be wiped out as a legal entity, and the executives need to be treated as if they'd willfully destroyed lives to save a few bucks -- because they did. They were so grossly incompetent with managing the information of pretty much everyone you can't fucking incentivise investors and shareholders, you need to ensure the punishment is commensurate with the damage.

      This is beyond mother fucking "industry best practices". This is devastating. And at this point, that potential damage far exceeds the damage from hurricanes, tornadoes, and earthquakes, because tens of millions of people stand to lose everything they own.

      There's no fixing this, bullshit offer for credit monitoring aside, this is pretty much potentially a financial nuclear bomb.

      There's simply no way you can treat this as a fine, a slap on the wrist, and a fucking expectation that the fucking shareholders will scold them and make it not happen again.

      This pretty much has to have a scorched earth, prison, and public executions kind of response ... maybe not that last one, but this has to be responded to so harshly it isn't funny.

      But don't say stupid shit which implies that the "market" will correct this or that anybody involved in this fiasco should ever have anything to do with people's financial information ever again. This needs to be the equivalent of disbarment, banishment, and a lifetime of having every person impacted by this free to punch these clowns in the face for the rest of their lives -- because the fucking victims of this (which is pretty much everybody) will be dealing with this for the rest of their lives.

      Monetary fucking policies and fucking industry best practices. I sincerely hope you and everyone you know gets royally fucked by this, and then let's see what you think about shareholders and compliance with industry fucking best practices.

      Idiot.

      This is probably the highest value data breach in the history of mankind, and alarmingly that isn't even hyperbole. And you think industry standards are going to fix this?

    9. Re: Is someone paying them to be this stupid? by ShanghaiBill · · Score: 5, Insightful

      Maybe that's because we're putting the wrong people in jail.

      Prison should be for violent people that need to be physically separated from civilized society. For everyone else there are more appropriate punishments. For instance, the CEO of Equifax could wear an anklet tracking device while spending 60 hours per week changing bedpans in a nursing home for the next ten years. Instead of costing taxpayers, he would be benefiting society, and his family would still be intact.

      If he is separated from his family, his children will grow up without moral guidance, thus increasing the chance that they will get MBAs and try to become CEOs themselves, and the cycle will continue for yet another generation.

  2. Additionally by 93+Escort+Wagon · · Score: 4, Insightful

    It's worth pointing out that it's pretty stupid to use a link obfuscator (aka short URL service) in this situation... which this "Tim" person from Equifax also did - he used a link shortener to direct people to the fake website!

    (I'd argue link shorteners are evil in general, but that's a discussion for another day)

    --
    #DeleteChrome

  3. Wow by JohnFen · · Score: 3, Insightful

    The level of Equifax's ongoing idiocy is amazing. Almost impressive, even.

    The fact that they can't even get the most basic security things right strongly suggests that their core business activities are likely to be run with the same amount of incompetence.

  4. It's still not safe! by sentiblue · · Score: 5, Insightful

    So equifax.com sits in an IP block that is directly managed by Equifax itself. Whereas, equifaxsecurity2017.com is in a block owned by CloudFlare.

    This leads me to believe that the hackers didn't just get the website and the database. They got the entire network and that Equifax up until today is unsure if their network is safe yet. Equifax's decision to host the new website in CloudFlare is to make sure that they don't give additional information to hackers who are ALREADY in.

    1. Re:It's still not safe! by Anonymous Coward · · Score: 2, Insightful

      They could have easily created a subdomain under the official equifax.com domain but still made the IP under Cloudflare or whatever they wanted to do. They're just idiots.