Slashdot Mirror


Equifax Has Been Sending Consumers To a Fake Phishing Site for Almost Two Weeks (gizmodo.com)

An anonymous reader shares a Gizmodo report (condensed for space): For nearly two weeks, the company's official Twitter account has been directing users to a fake lookalike website. After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, a website where they can enroll in identity theft protection services and find updates about how Equifax is handling the "cybersecurity incident." But the decision to create "equifaxsecurity2017" in the first place was monumentally stupid. The URL is long and it doesn't look very official -- that means it's going to be very easy to emulate. To illustrate how idiotic Equifax's decision was, developer Nick Sweeting created a fake website of his own: securityequifax2017.com. (He simply switched the words "security" and "equifax" around.) As if to demonstrate Sweeting's point, Equifax appears to have been itself duped by the fake URL. The company has directed users to Sweeting's fake site sporadically over the past two weeks. Gizmodo found eight tweets containing the fake URL dating back to September 9th.
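A pre-publication link check of the kind that would have caught the swapped-word domain in the story, as an added example (not part of the Gizmodo report or the Slashdot page): every link in an outgoing post must resolve to an approved registrable domain, and near misses are labelled. The approved list, the verdict names and the sample posts are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the organisation's approved registrable domains (names from the story).
OFFICIAL = ("equifax.com", "equifaxsecurity2017.com")
BRAND = "equifax"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable(host):
    """Last two labels. Enough for .com; production code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):  # Levenshtein distance, one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (verdict, approved domain it resembles or None)."""
    if domain in OFFICIAL:
        return ("official", domain)
    name = domain.rsplit(".", 1)[0]
    for off in OFFICIAL:
        off_name = off.rsplit(".", 1)[0]
        if sorted(name) == sorted(off_name):    # same characters: words swapped, or other TLD
            return ("reordered", off)
        if edit_distance(name, off_name) <= 2:  # dropped or mistyped character
            return ("typo", off)
    if BRAND in name:
        return ("brand-in-unapproved-domain", None)
    return ("unapproved", None)

def check_post(text):
    """List (url, domain, verdict, resembles) for every link that is not approved."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")
        try:
            host = urlsplit(url).hostname or ""  # hostname ignores any user@ prefix
        except ValueError:
            host = ""
        domain = registrable(host)
        verdict, resembles = classify(domain)
        if verdict != "official":
            findings.append((url, domain, verdict, resembles))
    return findings

# Constructed sample posts, not real tweets.
SAMPLES = [
    "Enroll at https://www.equifaxsecurity2017.com.",
    "For more information visit https://www.securityequifax2017.com",
    "Updates: https://equifaxsecurty2017.com/enroll and https://short.example/abc",
]
if __name__ == "__main__":
    print([check_post(post) or "ok" for post in SAMPLES])
```

Because anything outside the approved list is reported, a shortened link is held back as well, without having to resolve it.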


  1. Is someone paying them to be this stupid? by H3lldr0p · · Score: 5, Insightful

    Because it's incredible how stupid this whole thing has been.

    How can anyone be this bad at their core business?

    1. Re:Is someone paying them to be this stupid? by fightinfilipino · · Score: 3, Insightful

      Because it's incredible how stupid this whole thing has been.

      How can anyone be this bad at their core business?

      the "free market" at work: screwing over ordinary people because who's going to stop them?

    2. Re:Is someone paying them to be this stupid? by cayenne8 · · Score: 4, Interesting

      I would think at this point, the shareholders could unite, and vote to sweep the entire company clean....and start over.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    3. Re:Is someone paying them to be this stupid? by phantomfive · · Score: 3, Funny

      How can anyone be this bad at their core business?

      Their core business is, literally, collecting and sharing information. They shared it with a few too many people in this case, but hey, can you blame an over-achiever?

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Is someone paying them to be this stupid? by burtosis · · Score: 5, Funny

      Hahahaha, good one - free market. We don't need those stupid consumer protections ^H^H^H^H^H^H^H^H^H^H^H^H^H^H overreaching regulations.

    5. Re:Is someone paying them to be this stupid? by king+neckbeard · · Score: 3, Interesting

      How can anyone be this bad at their core business?

      Their core business is maintaining an oligopoly on an essential service, and they do that well. Keeping information safe is not part of their core business, and thus, they pay little attention to it.

      --
      This is my signature. There are many like it, but this one is mine.
    6. Re:Is someone paying them to be this stupid? by Pascoea · · Score: 3, Insightful

      vote to sweep the entire company clean....and start over.

      Won't happen. There is no way they can afford that many multi-million dollar golden parachutes at the same time. And you're not going to see a single executive actually punished over this.

    7. Re:Is someone paying them to be this stupid? by Anonymous Coward · · Score: 2, Insightful

      Because a government enabled credit-reporting oligopoly is totally the same thing as a free market! Get the government to run it like healthcare and the postal service, that'll fix everything!

    8. Re:Is someone paying them to be this stupid? by emil · · Score: 2

      A more likely scenario is civil damages exceeding the value of the corporation, followed by chapter 7 bankruptcy.

    9. Re:Is someone paying them to be this stupid? by Anonymous Coward · · Score: 2

      Ah, the elusive ideal free market. It must exist just across the way from ideal communism.

    10. Re: Is someone paying them to be this stupid? by jaffreywali · · Score: 3, Informative

      Govt doesn't run healthcare in the US and the postal service actually does a good job of delivering mail.

    11. Re:Is someone paying them to be this stupid? by Anonymous Coward · · Score: 2, Funny

      Do you think they'd then be required to sell their database info to the highest bidder to recoup losses?

    12. Re:Is someone paying them to be this stupid? by Pascoea · · Score: 5, Funny

      Do you think they'd then be required to sell their database info

      I thought I heard it's already available online somewhere. Can't put my finger on where I heard that though.

    13. Re: Is someone paying them to be this stupid? by Anonymous Coward · · Score: 2, Insightful

      Pfffft, they're too big to fail (or too much money over government influence).

      They'll get a couple lashes from a whip to set an example and lose some revenue but they'll continue on. Consumers are their main product, not their customer.

      Businesses and banks will continue using them as if nothing happened. Years or decades later, information from this breach will be used by independent groups worldwide for identity theft related purchases. They may even drum up some new business for their consumer directed credit services. The entire system is a sham, it's not going anywhere. I'm buying some Equifax stock right now while it drops, they'll ultimately grow back... That's how shams at the highest levels work.

    14. Re:Is someone paying them to be this stupid? by dcollins117 · · Score: 2

      How can anyone be this bad at their core business?

      I'm a member of two class action suits against Equifax. The first, ongoing since 2008, is because they violated the Fair Debt Reporting Act. I was also affected by this data breach. A quick Googling reports that there are at least 23 class action suits for this latest incident alone. In the scummy consumer credit marketplace incompetence is de rigueur.

    15. Re:Is someone paying them to be this stupid? by dnaumov · · Score: 2

      Because it's incredible how stupid this whole thing has been.

      How can anyone be this bad at their core business?

      the "free market" at work: screwing over ordinary people because who's going to stop them?

      You misspelled "government protected racket".

    16. Re: Is someone paying them to be this stupid? by Anonymous Coward · · Score: 2, Funny

      No, he's Jesuit.

    17. Re: Is someone paying them to be this stupid? by liquid_schwartz · · Score: 4, Insightful

      When you add together all the people on Medicare, Medicaid, and the VA, yes, the government runs a BIG part of healthcare in the US - approx 120,000,000 people, and it's going up every day.

      To be fair the government isn't even trying to run health care efficiently. If it was, Canada, with a market 1/10th the size of the US, wouldn't be getting lower drug pricing. The states would be able to band together for greater purchasing power (or insurers across state lines for that matter). You could lower the cost of government medicine by >25% in an afternoon by merely dropping barriers that have been artificially put in place to keep well connected drug companies flush with cash. The Feds have clearly chosen the side they favor with health care policy - and it's drug companies not consumers, patients, or taxpayers.

    18. Re:Is someone paying them to be this stupid? by ShanghaiBill · · Score: 4, Insightful

      Punishing stupid with jail time has been proven to reduce, though not eliminate, stupid's influence on the average citizen.

      This is an idiotic knee-jerk solution. America already imprisons far more people than other countries, and we expend huge resources to do it, despite evidence that it increases future crime through direct recidivism as well as indirectly by destroying families and degrading communities.

      So now we are going to put even more people in prison, not because they are violent, but because they are stupid?

      Where is your "proof" that prison reduces stupidity? The PIC is a result of stupidity, not a solution to it.

      A far better solution is monetary penalties, that reduce the harm from stupidity by incentivising investors and shareholders to demand verified compliance with industry best practices.

    19. Re: Is someone paying them to be this stupid? by ShanghaiBill · · Score: 3

      When you add together all the people on Medicare, Medicaid, and the VA, yes, the government runs a BIG part of healthcare in the US

      The US government spends about $6000 per capita on healthcare. Sweden's government spends about $4000 per capita. So America's health care is actually more socialist than Sweden's by total expenditure, although slightly less (60% vs 75%) as a percentage.

    20. Re:Is someone paying them to be this stupid? by rholtzjr · · Score: 3, Interesting

      I think a lawyer said it is pretty much over for Equifax. 20 billion in damages. Yikes!

      Yea, so when your IT folks raise concerns about security..... DON'T IGNORE THEM!

    21. Re: Is someone paying them to be this stupid? by quintus_horatius · · Score: 4, Insightful

      America already imprisons far more people than other countries, and we expend huge resources to do it, despite evidence that it increases future crime through direct recidivism as well as indirectly by destroying families and degrading communities.

      Maybe that's because we're putting the wrong people in jail.

    22. Re: Is someone paying them to be this stupid? by bjverzal · · Score: 2

      Mistake? A mistake is applying the wrong patch. Negligence is applying none.

    23. Re:Is someone paying them to be this stupid? by Anonymous Coward · · Score: 5, Insightful

      So now we are going to put even more people in prison, not because they are violent, but because they are stupid?

      No, but criminally negligent on such an epic scale it can be barely conveyed.

      If the financial information of 143 million US people has been compromised, this is literally almost every working age person in the country who has a credit history having their personal information put in the clear. And since people don't apparently have a choice in whether these assholes get their information, they could ruin the lives of people who didn't have a say in this company having their information for decades to come.

      The sheer magnitude of this fuck up is impossible to explain, because it could literally result in tens of billions in damages to consumers because some fucking idiot was too lazy or stupid to apply a known security patch. You know, like "well, the plane might explode if you fly above 5000 feet but we'll keep that secret" kind of depraved indifference.

      A far better solution is monetary penalties, that reduce the harm from stupidity by incentivising investors and shareholders to demand verified compliance with industry best practices.

      Mother fucking verified compliance with industry best practices????? Are you fucking kidding us? Incenti-fucking-vising goddamned shareholders??? Jesus fucking Christ, are you thinking when you type this shit?

      This colossal fuck up means pretty much every adult in America with a credit history could be spending the rest of the lives subject to fraud. All of them. Anybody who shows up in this massive database, with the most vital and sensitive and unalterable information about them.

      No, the only real response to this is Equifax pretty much needs to be wiped out as a legal entity, and the executives need to be treated as if they'd willfully destroyed lives to save a few bucks -- because they did. They were so grossly incompetent with managing the information of pretty much everyone you can't fucking incentivise investors and shareholders, you need to ensure the punishment is commensurate with the damage.

      This is beyond mother fucking "industry best practices". This is devastating. And at this point, that potential damage far exceeds the damage from hurricanes, tornadoes, and earthquakes, because tens of millions of people stand to lose everything they own.

      There's no fixing this, bullshit offer for credit monitoring aside, this is pretty much potentially a financial nuclear bomb.

      There's simply no way you can treat this as a fine, a slap on the wrist, and a fucking expectation that the fucking shareholders will scold them and make it not happen again.

      This pretty much has to have a scorched earth, prison, and public executions kind of response ... maybe not that last one, but this has to be responded to so harshly it isn't funny.

      But don't say stupid shit which implies that the "market" will correct this or that anybody involved in this fiasco should ever have anything to do with people's financial information ever again. This needs to be the equivalent of disbarment, banishment, and a lifetime of having every person impacted by this free to punch these clowns in the face for the rest of their lives -- because the fucking victims of this (which is pretty much everybody) will be dealing with this for the rest of their lives.

      Monetary fucking policies and fucking industry best practices. I sincerely hope you and everyone you know gets royally fucked by this, and then let's see what you think about shareholders and compliance with industry fucking best practices.

      Idiot.

      This is probably the highest value data breach in the history of mankind, and alarmingly that isn't even hyperbole. And you think industry standards are going to fix this?

    24. Re: Is someone paying them to be this stupid? by ShanghaiBill · · Score: 5, Insightful

      Maybe that's because we're putting the wrong people in jail.

      Prison should be for violent people that need to be physically separated from civilized society. For everyone else there are more appropriate punishments. For instance, the CEO of Equifax could wear an anklet tracking device while spending 60 hours per week changing bedpans in a nursing home for the next ten years. Instead of costing taxpayers, he would be benefiting society, and his family would still be intact.

      If he is separated from his family, his children will grow up without moral guidance, thus increasing the chance that they will get MBAs and try to become CEOs themselves, and the cycle will continue for yet another generation.

    25. Re:Is someone paying them to be this stupid? by cbiltcliffe · · Score: 2

      Oh, if only I had mod points.
      How much saliva did you have to wipe off your monitor and keyboard after typing that up?

      That was.....brilliant.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    26. Re:Is someone paying them to be this stupid? by Bert64 · · Score: 2

      Some governments and industries require that sites be pentested prior to going live, even the most incompetent of pentesters would catch admin/admin.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    27. Re: Is someone paying them to be this stupid? by KGIII · · Score: 2

      You have to work really hard to be this incompetent. Doing nothing, nothing at all - just playing mine sweeper, has to be better than this.

      --
      "So long and thanks for all the fish."
    28. Re: Is someone paying them to be this stupid? by burtosis · · Score: 2

      Riiiiight.... moral guidance. Because these people are not only the leaders of companies, they are the altruistic moral guiding light of everyone around them.

    29. Re: Is someone paying them to be this stupid? by burtosis · · Score: 2

      Not mistakes, willful neglect and negligence, or outright criminal behavior. Plus everyone here is forgetting another aspect of jailing someone - punishment or "getting even" with the person who did the crime. I don't care if it deters not a single person, you jail people and screw their lives in cases like this because they would be too busy enjoying time on their second smaller yacht, away from their larger one, to give a flying fk if you just forced them out.

  2. Put them to death! by emil · · Score: 2

    SFWeekly is calling for all Equifax employees to be executed.

    In all seriousness, the Equifax credit freeze does not work very well, and their freeze needs to work over Experian and TransUnion (and Equifax should pay for it).

    1. Re:Put them to death! by Rick+Schumann · · Score: 2

      Heads on poles outside their corporate offices. I'm down with that.

  3. Additionally by 93+Escort+Wagon · · Score: 4, Insightful

    It's worth pointing out that it's pretty stupid to use a link obfuscator (aka short URL service) in this situation... which this "Tim" person from Equifax also did - he used a link shortener to direct people to the fake website!

    (I'd argue link shorteners are evil in general, but that's a discussion for another day)

    --
    #DeleteChrome
    1. Re:Additionally by Quirkz · · Score: 2

      (I'd argue link shorteners are evil in general, but that's a discussion for another day)

      Yeah, it seems like obfuscation of links causes more problems than I'd like. But in a world where lots of common services have a character limit (not just Twitter--even Slashdot's signature function is severely limited), sometimes a shortener is a necessity.

  4. Wow by JohnFen · · Score: 3, Insightful

    The level of Equifax's ongoing idiocy is amazing. Almost impressive, even.

    The fact that they can't even get the most basic security things right strongly suggests that their core business activities are likely to be run with the same amount of incompetence.

    1. Re:Wow by whoever57 · · Score: 4, Funny

      Don't forget that they have a talent deficit: they just lost their head of information security.

      --
      The real "Libtards" are the Libertarians!
    2. Re:Wow by computational+super · · Score: 4, Funny

      AND they have nobody to compose a new corporate jingle!

      --
      Proud neuron in the Slashdot hivemind since 2002.
  5. It's still not safe! by sentiblue · · Score: 5, Insightful

    So equifax.com sits in an IP block that is directly managed by Equifax itself. Whereas, equifaxsecurity2017.com is in a block owned by CloudFlare.

    This leads me to believe that the hackers didn't just get the website and the database. They got the entire network and that Equifax up until today is unsure if their network is safe yet. Equifax's decision to host the new website in CloudFlare is to make sure that they don't give additional information to hackers who are ALREADY in.

    1. Re:It's still not safe! by Anonymous Coward · · Score: 2, Insightful

      They could have easily created a subdomain under the official equifax.com domain but still made the IP under Cloudflare or whatever they wanted to do. They're just idiots.

  6. The only reasonable solution... by sinij · · Score: 5, Funny

    The only reasonable solution here is to jail Nick Sweeting for fraud.