Former CEO of Equifax Richard Smith testifies during a hearing before Senate Commerce, Science and Transportation Committee November 8, 2017 on Capitol Hill in Washington, DC. (Photo by Alex Wong/Getty Images)
Late last month, Equifax secured control over 138 domains mimicking a website that the company launched in September in the wake of its massive data breach.
Subject to a cybersquatting complaint, the domains were originally purchased through GoDaddy by a Hong Kong company called China Capital Investment Limited. Even now, the domains redirect to placeholder pages full of ads labeled “Identity Theft Protection” and “Protect My Credit” that link to commercial products such as Lifelock.
This summer, after learning that criminal hackers had pilfered the personal and financial data of roughly 145 million Americans, Equifax slowly began the process of exposing its customers to even further harm, including by redirecting victims to a malware-laden website.
But the complaint against China Capital Investment Limited shows that Equifax was aware that its decision to direct victims to a domain—equifaxsecurity2017.com—independent of its existing Equifax.com website likely subjected the consumers to new threats.
The credit reporting agency launched the website solely to manage the fallout stemming from the breach, which was born of faulty security practices. The decision drew immediate concern from the infosec community, with many researchers noting—correctly—how easy it would be for almost anyone to clone the site using a lookalike domain.
And it turns out, that happened immediately. According to a complaint Equifax filed on September 27th with the World Intellectual Property Organization (WIPO), China Capital Investment began purchasing lookalike domains within 24 hours of Equifax announcing the breach.
Below is a small sample of the contested domains.
It’s easy to see how consumers might’ve been duped—thanks largely to Equifax’s decision not to place advice to breach victims on its own website. Many of the domains contain simple typos and are clearly aimed at taking advantage of consumers.
According to the WIPO, China Capital Investment never challenged the complaint. It wasn’t the only entity to purchase an Equifax-lookalike domain, either.
For instance, to draw attention to Equifax’s folly, developer Nick Sweeting secured the domain “securityequifax2017.com” and launched a website mocking the credit reporting agency. “It’s in everyone’s interest to get Equifax to change this site to a reputable domain,” Sweeting told Gizmodo in September.
In a now-deleted tweet, the official Equifax Twitter account even directed consumers to Sweeting’s site, which contained the phrase: “Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?” Sweeting said Tuesday that he has retained control over the domain, but that the site is now blacklisted by the Google Safe Browsing list. “It’s pretty useless right now,” he said.
In September, when Equifax first noticed that dozens of websites had been launched targeting its customers, it should’ve backtracked and directed breach victims to a reputable website, like Equifax.com. But for whatever reason the company repeatedly ignored warnings about its decision to launch equifaxsecurity2017.com.
Ultimately, that decision may have exposed US consumers to scams and phishing attacks, further imperiling their personal and financial data.
Gizmodo reached out to Equifax for comment about the domains, but did not receive a response.