Equifax’s Official Twitter Account Has Been Directing Breach Victims To A Fake Phishing Site For Weeks


Did you think the Equifax debacle couldn’t possibly grow more cringeworthy? Silly rabbit. Consumers have been rushing to protect themselves following the company’s disclosure of a cybersecurity breach that could have unleashed the private information (including social security numbers) of up to 143 million U.S. consumers into the ether. This admission followed multiple executives of the credit bureau unloading stock, and there was an even earlier incident that has come to light. And now — for the company’s latest head-desk move — it’s been revealed that Equifax’s official Twitter account has been directing customers to a fake phishing site.

It’s all amazing. Gizmodo dug up eight now-deleted tweets (that were as old as September 9) that did this deed and took a screencap for posterity.

And as CNN Money confirms, the links went not to equifaxsecurity2017.com — the frustrating site where one plugs in their info and is generally told that they “may” be a breach victim — but instead to “securityequifax2017.com.” Considering that the credit bureau’s Twitter page was operating as customer service, this is a massive misstep.

However (and no thanks to Equifax), this situation hasn’t actually grown worse. The fake domain was purchased for $10 by a software engineer named Nick Sweeting. He designed the site “to look like a phishing site,” and he did so with one purpose — to point out how clumsily Equifax was responding to their PR crisis. “It’s in everyone’s interest to get Equifax to change this site to a reputable domain,” Sweeting told CNN. “I can guarantee there are real malicious phishing versions already out there.”

Sweeting insists that his site (which he created in only 20 minutes) doesn’t store any user information, but he says that he’s received many thousands of hits after users followed Equifax’s tweeted links. His idea took off after he observed how silly the equifaxsecurity2017.com domain name was for Equifax to use. It’s not part of their official domain, and it’s long, confusing, and easy to tweak for phishing. Well, Sweeting’s plan worked, so hopefully Equifax and its breach victims are taking note.
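The point above, that a long multi-word domain is easy to reorder or misspell, lends itself to a defender-side check: flag domains whose registrable label is a reordering of the official domain’s words, a near-misspelling of it, or the same label under a different TLD. This is an added example, not code from the article, Equifax, CNN or Gizmodo; only the official domain and its word list come from the text, the function names and thresholds are assumptions.

```python
from difflib import SequenceMatcher
from typing import List, Optional

# From the article: the real site and the words it is built from.
OFFICIAL_DOMAIN = "equifaxsecurity2017.com"
OFFICIAL_TOKENS = ["equifax", "security", "2017"]


def registrable_label(domain: str) -> str:
    """'securityequifax2017.com' -> 'securityequifax2017' (lowercased second-level label)."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def segment(label: str, vocab: List[str]) -> Optional[List[str]]:
    """Split label into a sequence of vocabulary words covering it exactly, or None.
    Backtracks so 'securityequifax2017' -> ['security', 'equifax', '2017']."""
    if not label:
        return []
    for word in vocab:
        if label.startswith(word):
            rest = segment(label[len(word):], vocab)
            if rest is not None:
                return [word] + rest
    return None


def classify(candidate: str, official: str = OFFICIAL_DOMAIN,
             tokens: List[str] = OFFICIAL_TOKENS, min_ratio: float = 0.85) -> str:
    """Return 'official', 'tld-swap', 'reordered', 'near-miss' or 'unrelated'."""
    cand_label, off_label = registrable_label(candidate), registrable_label(official)
    if candidate.lower().strip().rstrip(".") == official.lower():
        return "official"
    if cand_label == off_label:          # same words, different TLD
        return "tld-swap"
    words = segment(cand_label, tokens)  # same words in another order
    if words is not None and sorted(words) == sorted(tokens):
        return "reordered"
    # Character-level similarity catches typo-squats such as a dropped letter.
    if SequenceMatcher(None, cand_label, off_label).ratio() >= min_ratio:
        return "near-miss"
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs: the real domain, the article's lookalike, and two invented variants.
    for d in ["equifaxsecurity2017.com", "securityequifax2017.com",
              "equifaxsecurty2017.com", "equifaxsecurity2017.net", "example.com"]:
        print(f"{d:28} {classify(d)}")
```

Running it prints `reordered` for the securityequifax2017.com domain the tweets pointed to; in practice the same check would be run over newly registered domains or links before they are published from an official account.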

(Via CNN Money & Gizmodo)
