The Columbus Dispatch

Equifax linked to fake site, phishing

- By Maggie Astor

People create fake versions of big companies’ websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake.

Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of equifaxsec, Equifax’s page about the security breach that may have exposed 143 million Americans’ personal information. Several posts from the company’s Twitter account directed consumers to Sweeting’s version, securityeq. They were deleted after the mistake was publicized.

By Wednesday evening, the Chrome, Firefox and Safari browsers had blacklisted Sweeting’s site, and he took it down. By that time, he said, it had received about 200,000 hits.

Fortunately for the people who clicked, Sweeting’s website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: “To enroll in complimentary identity theft protection and credit file monitoring, click here.” But a headline in large text differed: “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”

It would be just as easy for phishers to create their own versions of the Equifax page, and that would be bad news for anyone entering the information required to enroll in identity theft protection: their surname and the last six digits of their Social Security number. (In Sweeting’s version, the form was disabled so that no information was saved.)

“Their site is dangerously easy to impersonate,” Sweeting said in an email, noting that he had created the site solely to draw attention to the weakness of Equifax’s security. “It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there.

“It’s in everyone’s interest to get Equifax to change this site to a reputable domain,” he added. “I knew it would only cost me $10 to set up a site that would get people to notice, so I just did it.”

In a short statement Wednesday, Equifax said all posts containing the wrong link had been deleted.

“We apologize for the confusion,” the statement said. “Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017. and our company homepage is Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages.”

An Equifax spokeswoman, Marisa Salcines, did not respond when asked why the company had created a separate website rather than a subdomain of

That, cybersecurity experts said, was the key mistake. Phishers cannot create a page on the domain, so if the website were hosted there instead, it would be easy for users to tell that the page was legitimate.

“You would think that would be the obvious place to start,” said Rahul Telang, a professor of information systems at Carnegie Mellon University. “Create a subdomain so that if somebody tries to fake it, it becomes immediately obvious.”

“Equifaxsecurity2017.com,” on the other hand, looks so unofficial that Telang said even he had been unsure at first whether it was safe to enter his information.
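The subdomain argument the experts make above, as an added example that is not from the article, from Equifax or from Sweeting: a defender-side check that a link's host really sits on the organisation's own registered domain rather than on a free-standing look-alike. "example.com" is a constructed stand-in for the real corporate domain, and the sample links are constructed to mirror the article's scenario.

```python
# Added example, not from the article: a defender-side check that a link's host
# really sits on the organisation's own registered domain, the distinction the
# experts above draw. "example.com" is a constructed stand-in for the real one.
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ORG_DOMAIN = "example.com"  # placeholder for the organisation's real domain


def host_of(url: str) -> Optional[str]:
    """Lower-cased hostname of an http(s) URL, minus userinfo, port and trailing dot."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def is_under_domain(url: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True only if the host is org_domain or a subdomain of it on a label boundary.
    A substring test would accept "securityexample2017.com" and
    "example.com.evil.test"; requiring the '.' boundary rejects both."""
    host = host_of(url)
    if host is None:
        return False
    org = org_domain.rstrip(".").lower()
    return host == org or host.endswith("." + org)


def classify_links(urls: List[str], org_domain: str = ORG_DOMAIN) -> Dict[str, List[str]]:
    """Split links (say, from a company's social-media feed) into those on the
    organisation's domain and those to treat as suspicious."""
    result: Dict[str, List[str]] = {"on_domain": [], "suspicious": []}
    for url in urls:
        key = "on_domain" if is_under_domain(url, org_domain) else "suspicious"
        result[key].append(url)
    return result


# Constructed sample links mirroring the article's scenario.
SAMPLE_LINKS = [
    "https://security2017.example.com/",        # subdomain of the real domain
    "https://www.example.com/security2017",      # page on the real domain
    "https://securityexample2017.com/",          # free-standing look-alike
    "https://example.com.evil.test/",            # real name used as a prefix
    "https://evil.test/example.com/",            # real name only in the path
    "http://user@example.com.evil.test:8080/",   # userinfo and port decoys
    "https://EXAMPLE.COM./",                     # upper case and trailing dot
]
```

Running `classify_links(SAMPLE_LINKS)` puts the first two and the last link under `on_domain` and the other four under `suspicious`; the point is that only the label-boundary check, not a substring match, separates them.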

Sweeting explained in his email that a Linux command, “wget,” allows anyone to download the contents of a website, “including all images, HTML, CSS, etc.”

“It was super easy to just suck their whole site down with wget and throw it on a $5 server,” he wrote. “It currently has the same type of SSL certificate as the real version, so from a trust perspective, there’s no way for users to authenticate the real one vs. my server.”
