Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Businesses Privacy The Almighty Buck

Equifax Has Been Sending Consumers To a Fake Phishing Site for Almost Two Weeks (gizmodo.com) 154

An anonymous reader shares a Gizmodo report (condensed for space): For nearly two weeks, the company's official Twitter account has been directing users to a fake lookalike website. After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, a website where they can enroll in identity theft protection services and find updates about how Equifax is handing the "cybersecurity incident." But the decision to create "equifaxsecurity2017" in the first place was monumentally stupid. The URL is long and it doesn't look very official -- that means it's going to be very easy to emulate. To illustrate how idiotic Equifax's decision was, developer Nick Sweeting created a fake website of his own: securityequifax2017.com. (He simply switched the words "security" and "equifax" around.) As if to demonstrate Sweeting's point, Equifax appears to have been itself duped by the fake URL. The company has directed users to Sweeting's fake site sporadically over the past two weeks. Gizmodo found eight tweets containing the fake URL dating back to September 9th.
This discussion has been archived. No new comments can be posted.

Equifax Has Been Sending Consumers To a Fake Phishing Site for Almost Two Weeks

Comments Filter:
  • by H3lldr0p ( 40304 ) on Wednesday September 20, 2017 @03:09PM (#55233759) Homepage

    Because it's incredible how stupid this whole thing has been.

    How can anyone be this bad at their core business?

    • Re: (Score:3, Insightful)

      Because it's incredible how stupid this whole thing has been.

      How can anyone be this bad at their core business?

      the "free market" at work: screwing over ordinary people because who's going to stop them?

      • by burtosis ( 1124179 ) on Wednesday September 20, 2017 @03:17PM (#55233807)
        Hahahaha, good one - free market. We don't need those stupid consumer protections ^H^H^H^H^H^H^H^H^H^H^H^H^H^H overreaching regulations.
        • by zifn4b ( 1040588 )

          Hahahaha, good one - free market. We don't need those stupid consumer protections ^H^H^H^H^H^H^H^H^H^H^H^H^H^H overreaching regulations.

          Ok, a person made an admin password "admin". That's STUPID! Do you know of a government regulation that can fix stupid? If you do, I guarantee you will win a Nobel Peace Prize.

          • by rossz ( 67331 )

            Yes. Make the fines fucking huge when incompetence results in leaked private information. The fine needs to so big that the shareholders will revolt if the company has to pay it. That's the only way you can get management to throw some money at the IT department and security. A business will either invest in their security or shut down.

            • Security can 'fall off the radar' for your average idiot CEO - they're sure security incidents only happen to other people.

              I think you have to have an independent team of security specialists perform a serious security audit at least every 6 months would go a long way.

              Perhaps even require the tiger team to report directly to shareholders. That would force the company to own the specifics of their security concerns.

          • by Bert64 ( 520050 )

            Some governments and industries require that sites be pentested prior to going live, even the most incompetent of pentesters would catch admin/admin.

          • Simple, just pass a law making computers illegal.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Because a government enabled credit-reporting oligopoly is totally the same thing as a free market! Get the government to run it like healthcare and the postal service, that'll fix everything!

        • by Anonymous Coward

          Ah, the elusive ideal free market. It must exist just across the way from ideal communism.

        • Govt doesnâ(TM)t run healthcare in the US and the postal service actually does a good job of delivering mail.
          • Comment removed based on user account deletion
            • by liquid_schwartz ( 530085 ) on Wednesday September 20, 2017 @05:48PM (#55234843)

              When you add together all the people on Medicare, Medicaid, and the VA, yes, the government runs a BIG part of healthcare in the US - approx 120,000,000 people, and it's going up every day.

              To be fair the government isn't even trying to run health care efficiently. If it was Canada with a market 1/10th the size of the US, wouldn't be getting lower drug pricing. The states would be able to band together for greater purchasing power (or insurers across state lines for that matter). You could lower the cost of government medicine by >25% in an afternoon by merely dropping barriers that have been artificially put in place to keep well connected drug companies flush with cash. The Feds have clearly chosen the side they favor with health care policy - and it's drug companies not consumers, patients, or taxpayers.

            • by ShanghaiBill ( 739463 ) on Wednesday September 20, 2017 @06:00PM (#55234903)

              When you add together all the people on Medicare, Medicaid, and the VA, yes, the government runs a BIG part of healthcare in the US

              The US government spends about $6000 per capita on healthcare. Sweden's government spends about $4000 per capita. So America's health care is actually more socialist than Sweden's by total expenditure, although slightly less (60% vs 75%) as a percentage.

      • Hiring competent people would eat away at profits!

      • by dnaumov ( 453672 )

        Because it's incredible how stupid this whole thing has been.

        How can anyone be this bad at their core business?

        the "free market" at work: screwing over ordinary people because who's going to stop them?

        You misspelled "government protected racket".

      • by zifn4b ( 1040588 )

        the "free market" at work: screwing over ordinary people because who's going to stop them?

        The "free market" is not inherent stupid or intelligent. Making an administrator password "admin" is stupid. It was a human error by someone who is obviously a moron.

      • by rcase5 ( 3781471 )

        I'm all for free markets. But every time I try to walk out of the market without paying for my stuff, they get very upset.

    • by cayenne8 ( 626475 ) on Wednesday September 20, 2017 @03:13PM (#55233783) Homepage Journal
      I would think at this point, the shareholders could unite, and vote to sweep the entire company clean....and start over.
      • by Pascoea ( 968200 ) on Wednesday September 20, 2017 @03:22PM (#55233839)

        vote to sweep the entire company clean....and start over.

        Won't happen. There is no way they can afford that many multi-million dollar golden parachutes at the same time. And you're not going to see a single executive actually punished over this.

        • by emil ( 695 )
          A more likely scenario is civil damages exceeding the value of the corporation, followed by chapter 7 bankruptcy.
          • Re: (Score:2, Funny)

            by Anonymous Coward

            Do you think they'd then be required to sell their database info to the highest bidder to recoup loses?

          • by Anonymous Coward

            Pfffft, they're too big to fail (or too much money over government influence).

            They'll get a couple lashes from a whip to set an example and lose some revenue but they'll continue on. Consumers are their main product, not their customer.

            Businesses and banks will continue using them as if nothing happened. Years or decades later, information from this breach will be used by independent groups worldwide for identity theft related purchases. They may even drum up some new business for their consumer directed cr

            • I'm buying some Equifax stock right now while it drops, they'll ultimately grow back...

              Honestly, I've been thinklng the same....trying to see if it bottoms out and buy stock....but every time I think it is slowing down, they do something fscking stupid AGAIN.....and the bottom keeps dropping.

      • by rholtzjr ( 928771 ) on Wednesday September 20, 2017 @06:14PM (#55234961) Journal
        I think a lawyer [reuters.com] said it is pretty much over for Equifax. 20 billion in damages. Yikes!

        Yea, so when your IT folks raise concerns about security..... DON'T IGNORE THEM!

    • My thought exactly.

    • by phantomfive ( 622387 ) on Wednesday September 20, 2017 @03:16PM (#55233799) Journal

      How can anyone be this bad at their core business?

      Their core business is, literally, collecting and sharing information. They shared it with a few too many people in this case, but hey, can you blame an over-achiever?

    • by king neckbeard ( 1801738 ) on Wednesday September 20, 2017 @03:19PM (#55233817)

      How can anyone be this bad at their core business?

      Their core business is maintaining an oligopoly on an essential service, and they do that well. Keeping information safe is not part of their core business, and thus, they pay little attention to it.

    • by Revek ( 133289 )

      Generating a arbitrary number that affects their cattles ability to get a loan? Thats their core business.

    • Their 'core business' is to divest the Human Race from their money, and they've done a bang-up job of that. All this 'cyber security' stuff is obviously not of interest to them -- unless it somehow inpinged upon their ability to suck money out of people, in which case I'm sure there were lashings of those dreadful unwashed IT people until situations were improved -- but the data of all us mere peasants? Why should they care about that?
    • Because it's incredible how stupid this whole thing has been.

      How can anyone be this bad at their core business?

      From Slap-On-The-Wrist fines for the Financial Industrial Complex, to the Too-Big-To-Fail bailouts for the US auto industry, tell me again how obscene incompetence and criminal behavior has been anything short of rewarded?

      THAT is how they can be this bad. Turns out it's actually worth it to put in a fucking half-assed effort.

    • by mishehu ( 712452 )
      Are you sure you know what their core business is? I thought it was collecting all possible data, whether factually correct or not, shaking the cup with the bones in it, collecting money from their clients (not us the consumers), and after getting the money, rolling the bones out of the cup and proclaiming "THE BONES HAVE SPOKEN!!!"
    • How can anyone be this bad at their core business?

      I'm a member of two class action suits against Equifax. The first, ongoing since 2008, is because they violated the Fair Debt Reporting Act. I was also affected by this data breach. A quick Googling reports that there are at least 23 class action suits for this latest incident alone. In the scummy consumer credit marketplace incompetence is de rigueur.

    • by Anonymous Coward

      Just more proof of how evil and restrictive government regulation is, everyone knows businesses can be trusted to police themselves. #MAGA!

    • 1.) Fire all the smart people because they cost so much.
      2.) Profit!

      3.) Company collapses under lawsuits, pressure from competitors, outright thievery...

    • It isn't their core business keeping your information safe. You are the product not the customer. They sell your credit rating to banks and lenders. Keeping your information safe makes them no money and is in general an inconvenience. Allowing you to see your credit score and point out mistakes in it is a major expense with very little up side. So really, as a for profit company, why would they waste anything more than the bare minimum of resources on it? They definitely won't devote any key or intel
    • You have to work really hard to be this incompetent. Doing nothing, nothing all all - just playing mine sweeper, has to be better than this.

    • Their core business is not protecting data, it's gathering data. Which they seem pretty good at. The fact that it's sensitive data and *should* be protected, seems to have escaped them.
    • They have been good at their core business. collecting and sharing financial data on millions of people. Nowhere in their charter does "security" or "trust" exist. We are the product they sell.... not security products.

      Just look at how they originally offered the free service to monitor accounts: first you had to sign up, they didn't automatically enroll you.. Second - you had to promise not to sue them (term since removed).

      They don't care about you, the product. They want high quality "data" and ta

  • by emil ( 695 ) on Wednesday September 20, 2017 @03:16PM (#55233801)

    SFWeekly is calling for all Equifax employees to be executed [sfweekly.com].

    In all seriousness, the Equifax credit freeze does not work very well, and their freeze needs to work over Experian and TransUnion (and Equifax should pay for it).

  • Additionally (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Wednesday September 20, 2017 @03:21PM (#55233831)

    It's worth pointing out that it's pretty stupid to use a link obfuscator (aka short URL service) in this situation... which this "Tim" person from Equifax also did - he used a link shortener to direct people to the fake website!

    (I'd argue link shorteners are evil in general, but that's a discussion for another day)

    • by Quirkz ( 1206400 )

      (I'd argue link shorteners are evil in general, but that's a discussion for another day)

      Yeah, it seems like obfuscation of links causes more problems than I'd like. But in a world where lots of common services have a character limit (not just Twitter--even Slashdot's signature function is severely limited), sometimes a shortener is a necessity.

    • (I'd argue link shorteners are evil in general, but that's a discussion for another day)

      Link shorteners in general aren't evil, but their no click, no confirmation implementation is. They should always direct to an intermediate page which shows clearly where the shortener is directing you and wait for confirmation to do so.

  • Wow (Score:4, Insightful)

    by JohnFen ( 1641097 ) on Wednesday September 20, 2017 @03:22PM (#55233837)

    The level of Equifax's ongoing idiocy is amazing. Almost impressive, even.

    The fact that they can't even get the most basic security things right strongly suggests that their core business activities are likely to be run with the same amount of incompetence.

  • by Anonymous Coward

    In music.

  • by sentiblue ( 3535839 ) on Wednesday September 20, 2017 @03:34PM (#55233925)
    So equifax.com sits in an IP block that is directly managed by Equifax itself. Whereas, equifaxsecurity2017.com is in a block owned by CloudFlare.

    This leads me to believe that the hackers didn't just get the website and the database. They got the entire network and that Equifax up until today is unsure if their network is safe yet. Equifax's decision to host the new website in CloudFlare is to make sure that they don't give additional information to hackers who are ALREADY in.
    • by Calydor ( 739835 )

      So after all these security fuckups, you think they're competent enough to get the idea that they have no idea whether their network is compromised?

    • So instead of giving my information to the hackers that have breached Equifax's network, I get to hand it over the the hackers that have breached CloudFlare's network. Better or worse?

      No network is secure.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      They could have easily created a subdomain under the official equifax.com domain but still made the IP under Cloudflare or whatever they wanted to do. They're just idiots.

    • > Equifax's decision to host the new website in CloudFlare is to make sure that they don't give additional information to hackers who are ALREADY in.

      What? Do you even know how CloudFlare works?

    • I went looking to see if my records were affected. Then followed the link to their special website -- and was mildly nervous over the name. I then realized how stupid the name was and was sure the spammers would start sending out fake look-a-like links.

      Apparently their naming scheme is to cover next year's planned leak of data.

      Of course when these reports began to come to light I immediately went and verified that I had been on a real site. There was no feedback - I submitted a task to them and was pres

  • by sinij ( 911942 ) on Wednesday September 20, 2017 @03:52PM (#55234043)
    The only reasonable solution here is to jail Nick Sweeting for fraud.
  • Same as slashdot advertising links like this one.

    Hey Guys! You might remember my post earlier where I whined about my husband failing to perform in bed and would rarely get me turned on at all? At first I was like: WTF, where do all those adult film stars get their stamina? — we've tried everything you can think of, from Viagra to other libido pills, nothing seemed to work. Bullshit! — his dick remained limp and sex didn’t last for more than a couple of minutes.

    After about 6 months I gave up. I decided it was in his age and part of his physical condition, and that there was nothing we could do about it. Also, I can’t say I wanted sex that bad myself, knowing that I wouldn't be satisfied, and he’d be upset. I felt my husband totally losing confidence in himself and it was frustrating.

    but then again slashcode advertising sucks dead horse balls! [insidedailyhealth.com]

    Clint Eastwood is not dead yet and neither is his dick! His last words will be "dying ain't much of a livin' boy" if there is any humor left in the world.

    On topic, the whole equifax situation in a way is similar and is proving to be complete and utter Wall Street bullshit IMHO and is in itself just a stock option clickbait scam. Just watch what happens when equifax goes on sale. I am almost willing

  • Dear Equifax Executive and Marketing/Communications Staff:

    You're all fired, for cause, effective immediately. Concordant with a for-cause firing, any and all severance benefits are rendered null and void. Surrender all company property, including cell phones and computers, to HR immediately. Please collect your personal effects; security will be instructed to escort you off company property no later than 18:00 EDT.

  • by Anonymous Coward

    It seems like we're reaching a point where we should just take every employee in anyway involved with the decisions that equifax has made in the last 5 years, and put them in jail for something like criminal negligence

  • LOL, has anyone read their "Contact Us" page on their site. I quote:

    Powering the World with Knowledge

    Yea, they sure did! They just gave all the personal information for pretty much all the working class Americans.

    Now that is a great motto for a company that actually adhered to their mission statement.

  • Perhaps they were trying to do their customers a favor for once, redirecting them to a site that's likely to be fare more secure than their own.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...