Slyck.com
Equifax sends breach victims to fake notification site

Postby MrFredPFL » Wed Sep 20, 2017 8:53 pm

Story : https://arstechnica.com/information-technology/2017/09/equifax-directs-breach-vi
The official Equifax Twitter account encouraged people to visit a knock-off website that mocks the company's security practices instead of the site the company created to warn of a massive data breach. That recent breach exposed personal details for as many as 143 million US consumers.

In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: "Hi! For more information about the product and enrollment, please visit: securityequifax2017.com." The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.

Identity thieves and hackers often rely on this kind of confusion to trick people into divulging passwords or installing malware. By using domains that are similar to the domains of a bank or Web service and copying the overall look and feel of the site, attackers can often fool people into thinking they're visiting a site they know and trust, rather than a malicious one set up for purposes of fraud.

In the hours following the Equifax breach disclosure two weeks ago, Ars criticized the company-designated site for a host of reasons. The reasons included: (1) a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number; (2) a TLS certificate that didn't perform proper revocation checks; and (3) a domain name that looked like precisely the kind of thing a criminal operation might use to steal people's details.
:facepalm:

MrFredPFL
I am Spartacus
 
Posts: 14885
Joined: Wed Aug 17, 2005 4:48 pm
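The article's point about token-swapped lookalikes (securityequifax2017.com versus equifaxsecurity2017.com) is the kind of thing a defender can screen for before linking to or allow-listing a domain. The following is an added example, not code from the post or the Ars article: it classifies a candidate domain against the known-good notification domain, first checking for a reordering of the legitimate name's word tokens, then falling back to a character-similarity ratio. The token split of the legitimate name and the 0.85 threshold are assumptions chosen for this illustration.

```python
from difflib import SequenceMatcher
from itertools import permutations

# Constructed values for the example: the legitimate domain named in the
# article and the word tokens it is assumed to be built from.
LEGIT_DOMAIN = "equifaxsecurity2017.com"
LEGIT_TOKENS = ("equifax", "security", "2017")
NEAR_MATCH_THRESHOLD = 0.85  # assumption: tuned for this illustration only


def registrable_label(domain: str) -> str:
    """Lowercase the name and drop the final (public-suffix) label.

    Assumes a single-label suffix such as .com; multi-label suffixes
    (.co.uk) would need a public-suffix list.
    """
    return domain.lower().strip(".").rsplit(".", 1)[0]


def is_token_swap(candidate: str, tokens=LEGIT_TOKENS) -> bool:
    """True when the candidate is the legitimate tokens in a different order.

    This catches securityequifax2017 vs equifaxsecurity2017, which a plain
    edit-distance or similarity ratio scores as only moderately similar.
    """
    label = registrable_label(candidate)
    legit_label = "".join(tokens)
    return label != legit_label and any(
        "".join(p) == label for p in permutations(tokens)
    )


def similarity(candidate: str, legit: str = LEGIT_DOMAIN) -> float:
    """Character-level similarity ratio (1.0 = identical labels)."""
    return SequenceMatcher(
        None, registrable_label(candidate), registrable_label(legit)
    ).ratio()


def classify(candidate: str) -> str:
    """Label a candidate domain relative to LEGIT_DOMAIN for review."""
    if registrable_label(candidate) == registrable_label(LEGIT_DOMAIN):
        return "legitimate"
    if is_token_swap(candidate):
        return "lookalike:token-swap"
    if similarity(candidate) >= NEAR_MATCH_THRESHOLD:
        return "lookalike:near-match"
    return "unrelated"
```

Run `classify("securityequifax2017.com")` to see the token-swap case the article describes flagged as a lookalike; a single-character substitution such as `equifaxsecurity2O17.com` falls through to the near-match check instead.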

© 2001-2008 Slyck.com