Monday, October 02, 2017

Equifax... Spoof Site

Equifax, the  firm beleaguered by a record hack which compromised millions of sensitive, personal
details (multi-nationally) has made yet another world-class slip-up.

Wrong URL Tweeted
Further to the recent revelations that over 143 million people had been compromised (potentially 44 million+ in the UK alone), it appears  that their staff mistakenly tweeted an incorrect web address, causing people to be sent to a false website which could have had disastrous consequences.

In the wake of the controversy about the company keeping quiet for weeks before the issue was made public (compounded by key-executive shareholders selling their shares before the news went out), this momentous gaffe has only added fuel to the flames. The share price dropped from 142.72 points on Thursday 7th September when the announcement was made, to 92.98 on Friday the following week.

A separate website, namely a micro-site with address equifaxsecurity2017.com was hastily constructed after the hack, with the purpose of allowing people to find out more information about this specific incident. Additionally, visitors are supposed to be able to find out if they were part of the original hack, which required that they entered their private details to be checked.

Beware Online Forms
As well as pertinent information about the breach, the micro-site also contains an enrolment form, which naturally requires visitors to enter private information.

The domain name in question, equifaxsecurity2017.com,   is separate from the main domain of equifax.com and therefore people are either naturally skeptical of it or - more worryingly - don't know that this could easily be a spoofed website which is what one software engineer created, within minutes.

"Yeah... no thanks... it would take me literally 20 mins to build a clone of this site." tweeted Nick Sweeting ... and then he went on to do exactly that. He setup the similar-sounding website securityequifax2017.com very quickly and then made people aware of it via Twitter.

"Bamboozled"
In this instance, the site simply told visitors who had completed the spoofed form that they'd been "bamboozled", just to highlight the issue. Nick Sweeting was not out to maliciously attack anyone, merely point out the flaws.
The problem started when Equifax staff themselves mistakenly shared the wrong website (i.e. the spoof site) on their Twitter feed, causing chaos which lasted over a week.
Security commentators have been less than complimentary about the debacle, although Equifax have now stated they've removed all the incorrect URL's from their feed.

How Does This Affect Your Business?
This story shows the importance of ensuring you declare any known data-breaches at the earliest opportunity (which you are legally obliged to do) and then handling the inevitable fall-out as quickly and professionally as possible to limit the damage.

It can be difficult to spot a fake website, so here's a few things you can look out for :
  • The URL : In this instance, a sub-domain would have been a more secure and logical choice of website address e.g. securitynotice.equifax.com rather than having a completely separate domain name, which is trivial to register.
  • Look out for "schoolboy errors" in the page structure and text e.g. spelling mistakes and poor syntax.
  • Check who owns the domain with a site such as Whois.com
  • See whether the site has an up to date security certificate (look for a padlock icon. Your browser should warn you if it's out of date) .The url should start with https://
  • Google any phone numbers on the web page and ensure they're not reported as false. Call them!
  • Enter the company name into Google and the proper URL *should* be returned.
  • Enter the website under suspicion into Google and look out for any obvious issues.
  • You could consider a browser plug in such as Google Chrome's WOT (Web of Trust) which reports back on a URL's reputation.

No comments: