Things just keep getting worse for Equifax. Since news of a data breach that may affect half the US population broke earlier this month, the company has come under fire for its handling of the incident at almost every turn. From waiting six weeks to disclose the breach, to company executives selling shares of their Equifax stock, to a self-serving credit monitoring offer (one that was only intermittently functional immediately following the announcement), it's been one misstep after another from the moment the story broke.

Now there’s a new one to add to the list: for weeks, Equifax’s official Twitter account has been directing people to a fake version of the informational website that the company set up in response to the breach. In at least 8 tweets beginning as far back as September 9th, the company instructed people to visit securityequifax2017.com (a cloned version of the site) instead of equifaxsecurity2017.com (the legitimate site).

Thankfully, the imposter page wasn’t malicious
Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax's response page. "I made the site because Equifax made a huge mistake by using a domain that doesn't have any trust attached to it [as opposed to hosting it on equifax.com]," Sweeting tells The Verge. "It makes it ridiculously easy for scammers to come in and build clones; they can buy up dozens of domains, and typo-squat to get people to type in their info." Sweeting says no data will leave his page and that he removed any risk of leaking data via network requests "by redirecting them back to the user's own computer," so hopefully data entered on his site is relatively safe.

It's an easy mistake to make, to be sure: the two URLs differ only in the order of the words, and the copycat page looked essentially identical to the real one. That's exactly the point. In the immediate aftermath of one of the biggest cyber incidents in history, when security was more top-of-mind than it has likely ever been at Equifax, the company's own employees were fooled by a well-executed lookalike page, at least eight times.

That it took weeks for the mistake to be noticed and corrected (Equifax has since deleted the tweets and apologized for the error) only underscores how easy it has become for bad actors to set up convincing phishing schemes. By registering a lookalike domain and copying the UI of a legitimate website, an attacker can sidestep an organization's entire investment in employee security awareness training in a few minutes, for a few dollars.
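The particular mistake in Equifax's tweets, two words of the domain name swapped, is mechanical enough that a mail or social-media gateway can catch it before a message goes out. The following Python script is an added example written for this page; it is not GreatHorn's product code and not anything from the original post or from Equifax. It extracts URLs from text, reduces each to its registered domain, and flags any domain that is a word-swap, a TLD-swap, or a near-match of a domain on an allowlist the organization actually owns. The allowlist, the sample tweets, and the 0.85 similarity threshold are assumptions made for illustration, and the two-label domain split is a simplification that ignores the public suffix list.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation really controls (assumption).
LEGIT_DOMAINS = {"equifaxsecurity2017.com", "equifax.com"}

# Near-match threshold for edit-distance style lookalikes (assumption).
NEAR_MATCH_RATIO = 0.85

# Matches full http(s) URLs or bare hostnames such as "securityequifax2017.com".
URL_RE = re.compile(r"https?://[^\s<>\"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def registered_domain(url: str) -> str:
    """Return the lower-cased 'name.tld' part of a URL or bare hostname.

    Simplification: assumes two-label registered domains (no public suffix
    list), which is enough for the .com/.net names in this incident.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str, legit: str) -> Optional[str]:
    """Explain why `domain` looks like `legit`, or return None if it doesn't."""
    if domain == legit:
        return None
    d_label, _, d_tld = domain.rpartition(".")
    l_label, _, l_tld = legit.rpartition(".")

    # Same name, different TLD: equifaxsecurity2017.net
    if d_label == l_label and d_tld != l_tld:
        return "tld-swap"

    # Words reordered, digits kept: securityequifax2017 vs equifaxsecurity2017.
    # A reordering of two words is a rotation of the letter string, and a
    # string is a rotation of another iff it occurs in that string doubled.
    d_letters, l_letters = re.sub(r"\d+", "", d_label), re.sub(r"\d+", "", l_label)
    d_digits, l_digits = re.sub(r"\D+", "", d_label), re.sub(r"\D+", "", l_label)
    if (d_letters != l_letters and len(d_letters) == len(l_letters)
            and d_letters in l_letters * 2 and d_digits == l_digits):
        return "word-swap"

    # Single-character typos and homoglyph-style edits: equifaxsecurlty2017
    if SequenceMatcher(None, d_label, l_label).ratio() >= NEAR_MATCH_RATIO:
        return "near-match"
    return None


def scan_text(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (url, domain, matched_legit_domain, reason) for every lookalike."""
    findings = []
    for url in URL_RE.findall(text):
        domain = registered_domain(url)
        if domain in LEGIT_DOMAINS:
            continue  # the real site, nothing to flag
        for legit in sorted(LEGIT_DOMAINS):
            reason = classify(domain, legit)
            if reason:
                findings.append((url, domain, legit, reason))
                break
    return findings


# Constructed sample messages; these are not real Equifax tweets.
SAMPLE_TWEETS = [
    "Visit securityequifax2017.com to find out if you were affected.",
    "Our official site: https://www.equifaxsecurity2017.com/",
    "Check https://equifaxsecurity2017.net/enroll now",
    "Unrelated link https://example.com/news",
]

if __name__ == "__main__":
    for url, domain, legit, reason in scan_text("\n".join(SAMPLE_TWEETS)):
        print(f"BLOCK {url}: {domain} is a {reason} of {legit}")
```

Running the script on the constructed messages blocks the first and third tweets (a word-swap and a TLD-swap of equifaxsecurity2017.com) and lets the genuine link through. In practice the allowlist should be fed from the domains the organization registers, and the near-match check should be paired with domain-age lookups, since a lookalike registered days ago is far more suspicious than one with years of history.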

In this case, the phishing site was harmless, but in many other circumstances cybercriminals use the same impersonation tactics to trick users and compromise organizations (see the Google Docs and DocuSign attacks in May of this year, for example). Attackers are always looking for an edge, and the prominence of social engineering and spear phishing shows that when the rewards are large enough, criminals will invest in developing non-technical attacks that simply sidestep yesterday's security infrastructure.

The lesson to take away is that this risk cannot be mitigated through user vigilance alone, no matter how much you train your end users. A true defense-in-depth strategy against targeted phishing requires unified visibility and control, coupled with risk-appropriate automation, across an organization's entire communications infrastructure, so that a lookalike link is caught by a control that never gets tired or distracted.

Subscribe to the GreatHorn Blog