I’m surprised they remember how to breathe.
Fake websites aren’t a new thing. But ones made to highlight how negligent a company is being are an odd wrinkle, to say the least. Especially since, in this case, that company is Equifax.
Software engineer Nick Sweeting created a fake version of Equifax’s breach site, merely swapping two words in the URL: securityequifax2017.com instead of the real equifaxsecurity2017.com. In his benevolence, he used the page as a self-demonstrating article, showing off how easy it was to spoof the page and explaining how such a thing could be used for phishing. Sadly, he took the page offline after he made his point, but I think people got the message loud and clear:
Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?
Equifax should have hosted this on equifax.com with a reputable [EV] SSL Certificate
Instead, they chose an easily impersonated domain and used a jelly-bean SSL cert that any script kiddie can impersonate in 20 min.
Their response to this incident leaves millions vulnerable to phishing attacks on copycat sites.
This is why you don’t put your security incident website on a domain that looks like a scam (with an Amazon SSL cert).
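To show how little work that swap takes, here is an added example (not from the post or from Sweeting's page) that does the attacker's and the defender's half of the job in a few lines of Python: it tokenizes the real incident domain, equifaxsecurity2017.com, into its words, enumerates the reorderings, hyphenations and sibling TLDs a phisher could register, and flags a candidate as a lookalike when it is built from the same words. The word list and the TLD list are assumptions for this example; a real checker would segment with a dictionary and handle multi-label TLDs.

```python
import itertools

# Assumption: the word list a real checker would use to segment domains. Here it
# is just the words that make up the post's example domain.
KNOWN_WORDS = ("equifax", "security", "2017")

# The legitimate incident site (from the post) and Sweeting's swap of it.
LEGIT = "equifaxsecurity2017.com"
FAKE = "securityequifax2017.com"


def tokenize(label: str, words=KNOWN_WORDS) -> list[str]:
    """Split one DNS label into known words; unknown runs become single tokens.

    Hyphens are treated as separators and dropped, so 'equifax-security-2017'
    and 'equifaxsecurity2017' tokenize identically.
    """
    label = label.lower()
    ranked = sorted(words, key=len, reverse=True)  # longest match first
    tokens, i = [], 0
    while i < len(label):
        if label[i] == "-":
            i += 1
            continue
        for w in ranked:
            if label.startswith(w, i):
                tokens.append(w)
                i += len(w)
                break
        else:
            # No known word here: consume until a hyphen or the next known word.
            j = i + 1
            while (j < len(label) and label[j] != "-"
                   and not any(label.startswith(w, j) for w in ranked)):
                j += 1
            tokens.append(label[i:j])
            i = j
    return tokens


def lookalikes(domain: str, extra_tlds=("com", "net", "org", "info")) -> set[str]:
    """Enumerate reorderings, hyphenations and sibling TLDs of `domain`.

    This is the attacker's view: every string here is something a phisher could
    register and that a victim might not distinguish from the real site.
    Assumes a single-label TLD (no 'co.uk' handling).
    """
    domain = domain.lower()
    label, _, tld = domain.rpartition(".")
    toks = tokenize(label)
    out = set()
    for perm in itertools.permutations(toks):
        for sep in ("", "-"):
            for t in {tld, *extra_tlds}:
                cand = f"{sep.join(perm)}.{t}"
                if cand != domain:
                    out.add(cand)
    return out


def is_lookalike(candidate: str, legit: str) -> bool:
    """True when `candidate` is built from the same words as `legit` but is not `legit`.

    This is the defender's view: the check to run before tweeting a link, or
    over newly registered domains in a monitoring feed.
    """
    candidate, legit = candidate.lower(), legit.lower()
    if candidate == legit:
        return False
    c_words = sorted(tokenize(candidate.rpartition(".")[0]))
    l_words = sorted(tokenize(legit.rpartition(".")[0]))
    return c_words == l_words


if __name__ == "__main__":
    print(f"{len(lookalikes(LEGIT))} registrable lookalikes of {LEGIT}, e.g.:")
    for d in sorted(lookalikes(LEGIT))[:5]:
        print("  ", d)
    print(f"{FAKE} is a lookalike of {LEGIT}: {is_lookalike(FAKE, LEGIT)}")
```

Three words and four TLDs already give 47 registrable variants, and that is before typos, homoglyphs or a different year. Either every one of them gets registered and monitored, or, as the fake page says, the incident site simply lives under the brand's own domain where no such enumeration is needed.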
But it gets better. Equifax shared the fake site several times from their official Twitter account, not realizing it wasn’t theirs!
Not only did they tweet the wrong link, they tweeted it 3 times. #Equihax pic.twitter.com/T8jrhSfhqw
— Nick Sweeting (@thesquashSH) September 20, 2017
Equifax just keeps screwing the pooch. So remind me: why did anyone trust these assholes to begin with?