As more information emerges about Equifax and how it has handled the large data breach that exposed millions of consumers, it has become easier to believe that this company shouldn’t be trusted to handle anyone’s private information. The latest jaw-dropper comes from reports that Equifax tweeted the wrong link to consumers concerned about the breach, which could have exposed them to yet another attack.
Mashable explains:
Following a data breach of this size, it's not unusual to see websites pop up that mimic official help pages. Typically, the goal of these phishing sites is to trick worried consumers into handing over their personal information. In this case, Equifax created a very real site — https://www.equifaxsecurity2017.com — where people can enter their last name along with the last six digits of their social security number to see if they were affected by the hack.
Unsurprisingly, someone cloned that site and hosted that copy at a very similar URL: https://securityequifax2017.com. The two sites, one real and one fake, look the same to the casual observer. In fact, they are so easily confused that Equifax itself apparently can't tell the difference.
The offending tweets were ultimately deleted by Equifax—but the Internet got screenshots before that happened, of course.
The person behind the fake site linked in the now-deleted tweets is developer Nick Sweeting. The site isn’t malicious in any way and makes it clear that it’s a fake site. In an interview with The Verge, Sweeting explains why he did it:
Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax's response page. “I made the site because Equifax made a huge mistake by using a domain that doesn't have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.” Sweeting says no data will leave his page and that he "removed any risk of leaking data via network requests by redirecting them back to the user's own computer," so hopefully data entered on his site is relatively safe. Still, Equifax's team linked out to his page. That isn't reassuring.
Prior to Equifax customer service sharing the imposter site, Sweeting says he emailed the support team and tweeted to Equifax that he spotted a potential vulnerability.
In light of all the continued vulnerabilities around online security, it’s important to stay on your toes. Equifax’s Twitter mistake reminds us just how easy it is for people to fall for common phishing scams, and is a reminder of how the company suffered a data breach in the first place. Many people are panicked about their private information being out there—and rightfully so. Unfortunately, there are scammers who will happily take advantage of that panic to do more harm.