After a cyberattack that potentially exposed the personal information of 143 million people, the credit reporting agency Equifax set up www.equifaxsecurity2017.com, a website to help people determine whether they had been affected.
However, on multiple occasions over the span of weeks, the company's official Twitter account responded to customer inquiries by apparently directing them to a fake phishing site called www.securityequifax2017.com.
Luckily, the fake site — blocked or flagged by many Internet browsers, then taken down Wednesday afternoon — was set up by software engineer Nick Sweeting to educate people rather than steal their information. A banner on the top read: "Cybersecurity Incident & Important Consumer Information Which Is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?"
Still, it's an embarrassing development for the company that is struggling to regain public trust, especially considering that customers may have been directed to the fake site at precisely the moment they were seeking reassurance about the safety of their data.
The personal information leaked earlier this month included names, Social Security numbers, birthdates, addresses and, in some cases, driver's license numbers and credit card information.
It's not clear exactly how many times Equifax tweeted the fake site. Sweeting posted a screenshot that appears to show three different tweets, dating to Sept. 9.
"All posts using the wrong link have been taken down. We apologize for the confusion," an Equifax spokesperson told NPR, adding:
"Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017.com/, and our company homepage is equifax.com. Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages."
Equifax is facing criticism because after the security incident it chose to create an entirely new domain for customers to check whether they were affected — www.equifaxsecurity2017.com — rather than keep the response page within its own primary domain, equifax.com.
That makes it more difficult for customers to determine whether it is a real Equifax site, even as they are being asked to provide their last name and a portion of their Social Security number to check the safety of their personal information. Equifax did not immediately respond to NPR's request for comment about its choice of domain.
"I recommend companies direct people to a site that is trusted and part of their main domain, in order to make sure that something like this doesn't happen," Tarah Wheeler, a cybersecurity consultant at Red Queen Technologies, told NPR. "I'm grateful that the domain was registered by someone who was doing educational work and pointing out a problem like this, and not someone who's malicious."
That's because she has seen multiple sites that are close in name to www.equifaxsecurity2017.com but are actually phishing scams. These schemes are "100 percent anticipated," Wheeler says, and a reason many large companies buy up domains that are common misspellings of their domain.
"It's in everyone's interest to get Equifax to change this site to a reputable domain," Sweeting, a software engineer based in Medellín, Colombia, told NPR in a written statement. He called the site "dangerously easy to impersonate," adding that it "only took me 20 minutes to build my clone."
"The 'wget' command on linux allows you to download a website, including all images, html, css, etc. Using this command, it was very easy to just suck their whole site down and throw it on a $5 server. It currently has the same type of SSL certificate as the real version, so from a trust perspective, there's no way for users to authenticate the real one vs my server. They should either change it to https://equifax.com (with an EV cert), or take it down altogether.
"I hope other companies are able to learn from this mistake, and remember to publish content only on trusted domains. ... I just hope the employee who posted the tweet doesn't get fired, they probably just Google'd for the URL and ended up finding the fake one instead. The real blame lies with the people who originally decided to set the site up badly."
Wheeler stresses that responding to a security incident like this is "extraordinarily difficult."
"The level of anger and hatred being directed at Equifax doesn't take into account how difficult good cybersecurity incident response is to pull off," she says, adding that it's crucial for companies to rehearse their response in advance. Equifax's response to this breach, she says, "showed I think very clearly that the kind of preparation that goes into good incident response hadn't been done in advance."