Equifax sends breach victims to fake notification site
The official Equifax Twitter account encouraged people to visit a knock-off website that mocks the company's security practices instead of the site the company created to warn of a massive data breach. That recent breach exposed personal details for as many as 143 million US consumers.
In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: "Hi! For more information about the product and enrollment, please visit: securityequifax2017.com." The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.
Identity thieves and hackers often rely on this kind of confusion to trick people into divulging passwords or installing malware. By using domains that are similar to the domains of a bank or Web service and copying the overall look and feel of the site, attackers can often fool people into thinking they're visiting a site they know and trust, rather than a malicious one set up for purposes of fraud.
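A defensive check for the word-swap confusion described above, as an added example that is not part of the original article. It uses the two domains the article quotes; the token list, the edit-distance threshold of 2 and the other sample hosts are assumptions made for the illustration. It shows why a plain typo check (edit distance) misses a reordered name and a token comparison catches it.

```python
import re
from urllib.parse import urlsplit

# Official site named in the article. The token list and the distance
# threshold are assumptions chosen for this example.
OFFICIAL = ["equifaxsecurity2017.com"]
TOKEN_RE = re.compile(r"equifax|security|\d+|[a-z]")

def hostname(value):
    """Lower-cased host from a URL or bare domain, without a leading 'www.'."""
    value = value.strip().lower()
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    return host[4:] if host.startswith("www.") else host

def label(host):
    """Second-level label; naive split that assumes a single-label TLD."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(value):
    """Return 'official', 'tld-swap', 'reordered', 'near-miss' or 'unrelated'."""
    host = hostname(value)
    if host in OFFICIAL or any(host.endswith("." + g) for g in OFFICIAL):
        return "official"
    for good in OFFICIAL:
        a, b = label(host), label(good)
        if a == b:
            return "tld-swap"      # same name under a different suffix
        if sorted(TOKEN_RE.findall(a)) == sorted(TOKEN_RE.findall(b)):
            return "reordered"     # same words, different order
        if edit_distance(a, b) <= 2:
            return "near-miss"     # typo-style lookalike
    return "unrelated"

if __name__ == "__main__":
    # Constructed inputs, apart from the two domains quoted in the article.
    for s in ["https://www.equifaxsecurity2017.com/enroll",
              "securityequifax2017.com", "equifaxsecurty2017.com", "example.org"]:
        print(f"{s:45} {classify(s)}")
```

A check like this fits in a support-desk link template or an outbound-post review step, where every URL a representative is about to send is compared against the short list of domains the organization actually operates.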