You can now add another blunder to the already long list of Equifax’s missteps in the wake of the massive breach it announced earlier this month: the company has been pointing affected customers to a fake phishing site.
In a series of tweets pushed out over the last two weeks, the company sent them to securityequifax2017.com instead of equifaxsecurity2017.com, the address of the dedicated Web site the company set up to inform users of the incident and allow them to sign up for credit file monitoring and identity theft protection.
Luckily, the site on securityequifax2017.com was created by developer Nick Sweeting, who had no intention of harvesting users’ information.
He also made sure that no data would leave the page and removed any risk of leaking data via network requests by redirecting them back to the user’s own computer.
“I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” he told The Verge.
“It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.”
He told Gizmodo that it took him only 20 minutes and $10 to set up the clone site. The site is now detected as malicious and blocked by Google Safe Browsing.
Equifax has since deleted the tweets in question, apologized “for the confusion”, and reiterated that the correct Web site is located at equifaxsecurity2017.com. So it seems that they did not chose to learn from this demonstration.