Equifax Adds Insult to Injury With Scam Site Redirect

Equifax's response to a data breach of 143 million people's personal information, including their Social Security numbers, has left much to be desired. The company riled consumers once again after news reports revealed the company’s official Twitter account has been directing users to afake lookalike website.

Nick Sweeting, a software engineer, created an imitation of equifaxsecurity2017.com, Equifax’s page about the security breach. Several posts from the company’s Twitter account directed consumers to Sweeting’s version, securityequifax2017.com. Equifax deleted its tweets after the error was publicized, but one of these tweets has been captured in a screenshot below.

Gizmodo's staff also found eight tweets containing the fake URL dating back to September 9th:

Sweeting’s website looks slightly different than the official Equifax website, but his website was upfront about what it was. (As of last night, the Chrome, Firefox and Safari browsers have blacklisted Sweeting's version. Sweeting told reporters that by then, the site had already received more than 200,000 hits.)

It's simple for phishers to create their own versions of the Equifax page, and that could have been catastrophic for those required to enroll in identity theft protection: They would have been required to enter their surname and the last six digits of their Social Security number. Sweeting disabled the form in his version, so no information was saved.

“Their site is dangerously easy to impersonate,” Sweeting said in an email to The New York Times, noting that his intentions––to draw attention to Equifax's weak security measures––were successful. “It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there. It’s in everyone’s interest to get Equifax to change this site to a reputable domain. I knew it would only cost me $10 to set up a site that would get people to notice, so I just did it.”

In a statement yesterday, Equifax said all posts containing the wrong link had been deleted:

We apologize for the confusion. Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017.com, and our company homepage is equifax.com. Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages.

Creating a subdomain of the equifax.com website––and directing users there––would have avoided this PR nightmare altogether, because phisherscannot create pages on the equifax.com domain. An Equifax spokeswoman, Marisa Salcines, did not respond when asked why the company had created a separate website rather than a subdomain of equifax.com.