Equifax’s website about its breach of customer information, left, and a fake version, right, that a software engineer created to draw attention to the company’s lax cybersecurity.
People create fake versions of big companies’ websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake.
Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of equifaxsecurity2017.com, Equifax’s page about the security breach that may have exposed 143 million Americans’ personal information. Several posts from the company’s Twitter account directed consumers to Mr. Sweeting’s version, securityequifax2017.com. They were deleted after the mistake was publicized.
By Wednesday evening, the Chrome, Firefox and Safari browsers had blacklisted Mr. Sweeting’s site, and he took it down. By that time, he said, it had received about 200,000 hits.
Fortunately for the people who clicked, Mr. Sweeting’s website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: “To enroll in complimentary identity theft protection and credit file monitoring, click here.” But a headline in large text differed: “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”
It would be just as easy for phishers to create their own versions of the Equifax page, and that would be bad news for anyone entering the information required to enroll in identity theft protection: their surname and the last six digits of their Social Security number. (In Mr. Sweeting’s version, the form was disabled so that no information was saved.)
“Their site is dangerously easy to impersonate,” Mr. Sweeting said in an email, noting that he had created the site solely to draw attention to the weakness of Equifax’s security. “It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there.”
“It’s in everyone’s interest to get Equifax to change this site to a reputable domain,” he added. “I knew it would only cost me $10 to set up a site that would get people to notice, so I just did it.”
In a short statement on Wednesday, Equifax said all posts containing the wrong link had been deleted.
“We apologize for the confusion,” the statement said. “Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017.com, and our company homepage is equifax.com. Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages.”
An Equifax spokeswoman, Marisa Salcines, did not respond when asked why the company had created a separate website rather than a subdomain of equifax.com.
That, cybersecurity experts said, was the key mistake. Phishers cannot create a page on the equifax.com domain, so if the website were hosted there instead, it would be easy for users to tell that the page was legitimate.
“You would think that would be the obvious place to start,” said Rahul Telang, a professor of information systems at Carnegie Mellon University. “Create a subdomain so that if somebody tries to fake it, it becomes immediately obvious.”
“Equifaxsecurity2017.com,” on the other hand, looks so unofficial that Mr. Telang said even he had been unsure at first whether it was safe to enter his information.
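The subdomain point can be made mechanical. The following is an added example, not part of the original article or any Equifax tooling: a pre-publication check that flags links in a draft post whose host is not one of the two domains Equifax named as official, or a subdomain of one. The function names, the sample draft and the `breach.equifax.com` subdomain are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The two domains Equifax's statement named as official.
OFFICIAL_DOMAINS = {"equifax.com", "equifaxsecurity2017.com"}

def is_official(url: str) -> bool:
    """True only if the host is an official domain or a subdomain of one."""
    if "://" not in url:
        url = "https://" + url         # bare "example.com/path" as typed in a post
    try:
        host = urlsplit(url).hostname  # lowercased; userinfo and port removed
    except ValueError:                 # malformed authority, e.g. bad brackets
        return False
    if not host:
        return False
    host = host.rstrip(".")            # "equifax.com." is the same name
    # Compare on a label boundary: "x.equifax.com" passes, while
    # "notequifax.com" and "equifax.com.example.net" do not.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

# Loose matcher for URL-like tokens in free text (scheme optional).
URL_TOKEN = re.compile(r"(?:https?://)?[\w.@:-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def unofficial_links(draft: str) -> list[str]:
    """Return every link in a draft post that fails the official-domain check."""
    return [u for u in URL_TOKEN.findall(draft) if not is_official(u)]

if __name__ == "__main__":
    # Constructed draft, modelled on the mistaken posts the article describes.
    draft = ("To enroll, visit securityequifax2017.com or "
             "https://www.equifaxsecurity2017.com. -Tim")
    for link in unofficial_links(draft):
        print("BLOCK POST, unofficial link:", link)
    # Constructed subdomain: passes because it sits under equifax.com.
    print(is_official("https://breach.equifax.com/enroll"))
```

A check like this only works on the publisher's side, where the allowlist is known; a consumer looking at two unrelated registered names has no equivalent list, which is the weakness the experts describe.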
Mr. Sweeting explained in his email that a Linux command, “wget,” allows anyone to download the contents of a website, “including all images, HTML, CSS, etc.”
“It was super easy to just suck their whole site down with wget and throw it on a $5 server,” he wrote. “It currently has the same type of SSL certificate as the real version, so from a trust perspective, there’s no way for users to authenticate the real one vs. my server.”
Mr. Telang said Equifax’s actions suggested that the company had never anticipated or planned for a data breach.
“If you don’t have a plan in place, you will find different ways to screw it up,” he said. “Equifax is just a perfect example of that.”
All of the incorrect tweets ended with “-Tim,” indicating the name of the Equifax employee who wrote them. The Equifax spokeswoman did not say whether any disciplinary action had been taken, and Mr. Sweeting said he hoped the employee had not been fired.
“They probably just Googled for the URL and ended up finding the fake one instead,” he said. “The real blame lies with the people who originally decided to set the site up badly.”