The Equifax breach affected close to half of the population of the United States: the sensitive data of some 143 million U.S. consumers may have been obtained by the attackers, along with that of around 400,000 individuals in the United Kingdom and 100,000 consumers in Canada.
Notifying every victim of the Equifax data breach by mail would have been a massive and cost-prohibitive task. Instead, Equifax set up a website where people could check whether their data had been exposed and sign up for free credit monitoring and identity theft protection services.
The official site used for this purpose is equifaxsecurity2017.com, where users must identify themselves by entering personal information: their full name and the last six digits of their Social Security number.
That site then sent visitors on to a second domain, trustedidpremier.com, which, it has to be said, looks very much like a phishing site. The domain is owned by Equifax and named after its identity theft protection service, but the site itself made no reference to Equifax, which led many consumers to question whether it was genuine.
These choices handed phishers a gilt-edged opportunity. A website closely resembling the one Equifax used would be enough to trick many U.S. consumers into handing over sensitive information, and having been told to expect an unfamiliar domain, victims would have little reason to hesitate. Instead of requesting the last six digits of the Social Security number, criminals could ask for the full SSN, together with a date of birth and full name. Dressed up with official Equifax logos, such a site would dupe many visitors.
Had Equifax published the information on a subdomain of its own official domain, consumers could have verified with a glance at the address bar that they were on the right site. The decision to stand up a brand-new domain for this purpose made the attackers' job far too easy.
Many fake Equifax domains have already been registered and deployed for phishing. Although these sites are being identified and taken down quickly, during the time they are live they can harvest large volumes of sensitive information. Some of the recently registered domains used transposed letters and common misspellings, such as swapping the y for a u to catch out careless typists.
It is not only bad typists who could be caught by a scam like this, however. One fake site, securityequifax2017.com, simply reversed the order of the two words in the official domain and would likely fool many visitors. A domain like that should have been registered defensively by Equifax to keep it out of an attacker's hands.
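The variants described above (transposed letters, keyboard-adjacent substitutions such as y to u, and the word-order swap that produced securityequifax2017.com) are exactly the kind of permutations a defender should enumerate before launching a notification domain, either to register them pre-emptively or to feed them to a certificate-transparency or newly-registered-domain monitor. The following is an added example written for this article, not code from Equifax or from Nick Sweeting; the QWERTY neighbour table and the brand tokens are constructed here, and only the hostname equifaxsecurity2017.com comes from the article.

```python
"""Enumerate likely typosquat and lookalike variants of a brand domain.

Example for this article (not Equifax code). The token list, suffix and
keyboard-neighbour map are constructed inputs; the official hostname
equifaxsecurity2017.com is the one discussed in the text.
"""
import itertools

# Physical neighbours on a QWERTY keyboard, so 'y' -> 'u' (the article's
# example) and other one-key slips are generated. Constructed table.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def transpositions(label):
    """Swap each pair of adjacent characters once: 'equifax' -> 'euqifax'."""
    out = set()
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def fat_finger(label):
    """Replace each letter with a keyboard neighbour: 'security' -> 'securitu'."""
    out = set()
    for i, ch in enumerate(label):
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + neighbour + label[i + 1:])
    return out


def omissions(label):
    """Drop one character: 'equifax' -> 'equfax'."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def word_reorders(tokens):
    """Every ordering of the brand words: equifax+security -> securityequifax."""
    return {"".join(p) for p in itertools.permutations(tokens)}


def lookalike_domains(tokens, suffix="", tld="com"):
    """Return sorted lookalikes of ''.join(tokens) + suffix + '.' + tld.

    tokens: brand words in their official order, e.g. ["equifax", "security"].
    suffix: literal kept in every variant (the year "2017" in the article).
    The official label itself is excluded; every other word order is kept
    verbatim as well as being mutated, because the plain reorder is the
    most convincing variant of all.
    """
    official = "".join(tokens) + suffix
    labels = set()
    for core in word_reorders(tokens):
        label = core + suffix
        labels.add(label)
        labels |= transpositions(label)
        labels |= fat_finger(label)
        labels |= omissions(label)
    labels.discard(official)
    return sorted(f"{label}.{tld}" for label in labels)


def is_lookalike(candidate, tokens, suffix="", tld="com"):
    """True if a newly seen hostname is one of the generated lookalikes."""
    return candidate.strip().lower().rstrip(".") in set(
        lookalike_domains(tokens, suffix, tld)
    )


if __name__ == "__main__":
    variants = lookalike_domains(["equifax", "security"], suffix="2017")
    print(f"{len(variants)} candidate lookalikes, for example:")
    for name in variants[:10]:
        print("  ", name)
```

Running the module lists several hundred candidates for a two-word brand; the exact number depends on the neighbour table. The list is deliberately one-edit-deep: two simultaneous typos are far rarer in the wild, and the registrations worth paying for are the single-slip and reordered names, which is where securityequifax2017.com sits.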
Thankfully, that domain had been registered by a software developer called Nick Sweeting specifically to show how easy it would be to abuse. The site stated clearly that it was not genuine and was not collecting data; it existed only to raise awareness of the risk that similar domains could be bought by phishers.
So authentic was the site, however, that it even fooled an Equifax employee: according to Sweeting, the fake domain was tweeted from the official Equifax Twitter account on at least eight occasions.
The spoof site has since been taken down, but it was online for two weeks. Had it been a real phishing site, many consumers could have been caught out.