In the wake of a catastrophic cyberattack that handed hackers the personal info of 143 million people (including, probably, yours), credit reporting agency Equifax has been working hard to contain the damage and restore some semblance of trust.
That might be a little tougher after reports emerged that the company was sending people to a fake website set up by a software engineer to teach Equifax a lesson.
“Their site is dangerously easy to impersonate,” said the impersonator, a developer named Nick Sweeting. “It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there.” Phishing sites are websites that pretend to be other websites in order to steal people’s personal information.
Equifax originally set up a website at equifaxsecurity2017.com to hold all its information about the hack and what consumers could do.
Sweeting copied the look of Equifax’s site to make the new website securityequifax2017.com. All he did was switch the words “security” and “Equifax.” The site was exactly the same as Equifax’s, except for a giant headline that read “Why did Equifax use a domain that’s so easily impersonated by phishing sites?”
It was supposed to be a simple lesson in good web development. And then Equifax linked to it. Over and over again.
Sweeting assured consumers that he wasn’t trying to get anyone’s information, and has since taken the site down, but he was baffled as to why Equifax created a website that was so easy to fake. It would have been far more secure, he said, to make the site a subdomain of Equifax.com.
“I hope other companies are able to learn from this mistake, and remember to publish content only on trusted domains. I just hope the employee who posted the tweet doesn't get fired, they probably just Google'd for the URL and ended up finding the fake one instead,” said Sweeting.
“The real blame lies with the people who originally decided to set the site up badly.”
Equifax released its own statement Wednesday apologizing for the confusion and reaffirming that there were only two reputable sources for getting help from Equifax.
“We apologize for the confusion,” the statement said. “Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017.com, and our company homepage is equifax.com. Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages.”
Scott Berson: 706-571-8578, @ScottBersonLE
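A link check of the kind that would have flagged the mistaken tweets, shown here as an added example that is not from the article or from Equifax. It accepts only the two origins named in the company's statement; the function names, the https-only rule and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Origins named in Equifax's statement quoted above.
TRUSTED_PARENT = "equifax.com"  # this host and any subdomain of it
EXACT_HOSTS = {"equifaxsecurity2017.com", "www.equifaxsecurity2017.com"}


def is_official_link(url: str) -> bool:
    """True only for an https URL whose host is one of the approved hosts."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix and port, and lowercases the host.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False
    # Assumption: official links are always https.
    if parts.scheme != "https" or not host:
        return False
    # A stand-alone domain can only be matched exactly, which is why a
    # word-swapped lookalike is easy to miss by eye but never passes here.
    if host in EXACT_HOSTS:
        return True
    # A subdomain is verifiable by a label-boundary suffix match:
    # "help.equifax.com" passes, "notequifax.com" and
    # "equifax.com.example.net" do not.
    return host == TRUSTED_PARENT or host.endswith("." + TRUSTED_PARENT)


def vet_message(text: str) -> list[str]:
    """Return every link in a draft message that must not be published."""
    links = [w.strip(".,)\"'") for w in text.split() if "://" in w]
    return [u for u in links if not is_official_link(u)]


# Constructed draft reply, modelled on the mix-up the article describes.
DRAFT = ("For more information please visit https://securityequifax2017.com "
         "or our homepage at https://www.equifax.com.")

if __name__ == "__main__":
    for bad in vet_message(DRAFT):
        print("BLOCK:", bad)
```

Run against outgoing support replies before they are posted, the check turns Sweeting's point into a rule: a page under equifax.com is covered automatically, while every separate domain has to be listed by hand.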