REAL WORLD EVENT DISCUSSIONS

"Equifax Accidentally Directs 200,000 Customers To Fake Phishing Website". OMFG, how is this even possible ??

POSTED BY: SIGNYM
UPDATED: Thursday, September 28, 2017 13:22
VIEWED: 590

Thursday, September 21, 2017 1:08 PM

SIGNYM

I believe in solving problems, not sharing them.


Quote:

Equifax Accidentally Directs 200,000 Customers To Fake Phishing Website

And the hits just keep coming for Equifax, the once-trusted credit-monitoring firm that has been embroiled in one of the biggest corporate public-relations disasters in recent memory since disclosing that hackers had penetrated its cyber security defenses and absconded with sensitive personal and financial data belonging to 143 million Americans. Because of the types of data that were stolen, including drivers' license, social security and credit-card numbers, experts have described the hack as possibly the most damaging corporate hack yet.

As if this weren’t enough to permanently sully the firm’s reputation (amid cries of “you had one job!” – the staggering irony of a credit monitoring firm inadvertently divulging the sensitive information that it was supposed to safeguard hasn’t been lost on consumers) a series of subsequent disclosures have portrayed the firm’s executives as bungling, at best, and nefarious, at worst.

In the nearly two weeks since the story broke…

Quote:

It was revealed that three of the firm’s executives, including its CFO, cashed out of stocks and options worth some $2 million in the month between when the company first learned about the hack, and when it was disclosed to the public. A federal prosecutor in Atlanta has opened a criminal investigation into Equifax that will focus both on whether the firm was criminally negligent in failing to patch a hole in its cybersecurity systems, as well as whether the suspect stock sales constitute securities fraud.

The company’s head of cyber security was revealed to have no background in computer science or security – a fact the company tried to hastily cover up by scrubbing her social-media profiles. Susan Mauldin, Equifax’s chief information security officer, has a bachelor’s degree in music composition and a master’s in fine arts from the University of Georgia.

Several Congressional committees have asked the company to turn over information relating to the hack as multiple investigations appear to be getting under way. The attorneys general of a handful of states, including Massachusetts and Rhode Island, have joined a probe into the company’s handling of the breach.

The company has been hit with dozens of lawsuits from consumers alleging fraud, abuse and negligence.

Equifax CEO Rick Smith has been called to testify before a special House panel early next month.


And that's just for starters

Quote:

When Equifax first set up a website to allow consumers to check whether their information was compromised, it carried a waiver stating that by using the service consumers would forfeit the right to sue Equifax. The internet quickly exploded in outrage, and the company quickly clarified that the waiver didn’t apply to this hacking incident, which…sure.

Now, The Verge, The New York Times and a handful of other media outlets are reporting that Equifax accidentally tweeted the link to an imposter website set up by a white-hat hacker hoping to expose glaring errors that the firm had made in setting up its verification website. This happened not once, but three times. And in at least one instance, the tweet with the phony link was left up for a whole day.

Again, OMFG, how is this even possible???

I mean, they had a whole month between when they found out about the breach and when they notified the public. A whole month to scope out some sort of damage mitigation, run thru several scenarios, test-drive and troubleshoot their internet presence. I mean, what were they doing? Oh, that's right ... they were selling their stocks.

Quote:

Here’s The Verge:

Quote:

“Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.”


Luckily for consumers, the fake site wasn’t malicious. Instead, it was set up by developer Nick Sweeting to try and expose the glaring security vulnerabilities that the company had embedded in its recovery website, which it set up as a separate domain, rather than making it a subdomain of Equifax’s main website.

Quote:

“Luckily, the alternate URL Equifax sent the victim to isn’t malicious. Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax's response page. “I made the site because Equifax made a huge mistake by using a domain that doesn't have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.”


Sweeting says no data will leave his page and that he "removed any risk of leaking data via network requests by redirecting them back to the user's own computer," so hopefully data entered on his site is relatively safe. Still, Equifax's team linked out to his page. That isn't reassuring.”

Quote:

Not only did they tweet the wrong link, they tweeted it 3 times. #Equihax pic.twitter.com/T8jrhSfhqw — Nick Sweeting (@thesquashSH) September 20, 2017


Prior to Equifax customer service sharing the imposter site, Sweeting says he emailed the company’s support team and tweeted to Equifax that he spotted a potential vulnerability. By the time the site was taken down, Sweeting says it had received more than 200,000 hits. In the spirit of transparency, Sweeting included a disclaimer on his site warning consumers that it was a fake – and blasting Equifax for its sloppy security practices.

According to the NYT, phishers cannot create a page on the equifax.com domain, so if the website were hosted there instead, it would be easy for users to tell that the page was legitimate.

Quote:

“Fortunately for the people who clicked, Mr. Sweeting’s website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: “To enroll in complimentary identity theft protection and credit file monitoring, click here.” But a headline in large text differed: “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”


The legitimate Equifax domain was securityequifax2017.com. Sweeting’s was equifaxsecurity2017.com. And as one cybersecurity expert told the NYT, even the legitimate website looks fake because it’s not a subdomain of the larger Equifax site.

Quote:

“You would think that would be the obvious place to start,” said Rahul Telang, a professor of information systems at Carnegie Mellon University. “Create a subdomain so that if somebody tries to fake it, it becomes immediately obvious.”


The company’s actions, Telang told the NYT, suggest that it had never anticipated or planned for a breach.

This has become clear in the last few weeks. Now, the only thing left to be decided is whether the fact that the company was almost comically unprepared for a hack rises to the level of criminal negligence.


http://www.zerohedge.com/news/2017-09-21/equifax-accidentally-directs-200000-customers-fake-phishing-website

NOTIFY: Y   |  REPLY  |  REPLY WITH QUOTE  |  TOP  |  HOME  
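The point the NYT quote above makes (nobody outside the company can register a page under equifax.com, whereas a stand-alone domain like the pair named in this thread can be transposed or typo-squatted) can be enforced before a link ever goes out from an official account. The following is an added example, not code from the forum post, The Verge, the NYT or Equifax: the allowlist, the hypothetical official host security2017.equifax.com, the sample drafts and the function names are all constructed, and registrable_label() is a crude stand-in for a real Public Suffix List lookup.

```python
"""Pre-publication link check for an organisation's outbound messages.

Added example (not from the forum post or from Equifax). Policy: every
hostname in a draft must sit under a trusted apex domain; anything that
merely *contains* the brand, or is a few edits away from it, is flagged
as a lookalike and blocks publication.
"""
import re
from urllib.parse import urlsplit

TRUSTED_APEXES = ("equifax.com",)          # constructed allowlist
BRAND_TOKENS = ("equifax",)                # brand strings that must never appear off-apex
NAME_TOKENS = ("equifax", "security", "2017")
# The two hostnames the thread names; which one was official is irrelevant here,
# since neither sits under the trusted apex.
THREAD_HOSTS = ("equifaxsecurity2017.com", "securityequifax2017.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL or bare host; '' if none.

    urlsplit() drops userinfo and ports, so 'https://equifax.com@evil.example/'
    yields 'evil.example', not the decoy before the '@'.
    """
    host = urlsplit(url if "://" in url else "https://" + url).hostname
    return (host or "").rstrip(".").lower()


def under_trusted_apex(host: str, apexes=TRUSTED_APEXES) -> bool:
    """True if host equals an apex or is a proper subdomain of it.

    The '.' + apex boundary matters: a plain suffix test would accept
    'notequifax.com'.
    """
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


def registrable_label(host: str) -> str:
    """Label just before the TLD. Crude (assumes a one-label public suffix)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decompose(label: str, tokens=NAME_TOKENS):
    """Greedily split a label into known tokens; None if anything is left over."""
    found, rest = [], label
    while rest:
        for t in tokens:
            if rest.startswith(t):
                found.append(t)
                rest = rest[len(t):]
                break
        else:
            return None
    return found


def rearranged_tokens(host_a: str, host_b: str) -> bool:
    """True when both hosts are the same known tokens in a different order,
    i.e. the transposition that made the two thread hostnames confusable."""
    a = decompose(registrable_label(host_a))
    b = decompose(registrable_label(host_b))
    return a is not None and b is not None and a != b and sorted(a) == sorted(b)


def classify(url: str, apexes=TRUSTED_APEXES, brands=BRAND_TOKENS) -> str:
    """'trusted' | 'brand-lookalike' | 'external' | 'invalid'."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if under_trusted_apex(host, apexes):
        return "trusted"
    squashed = host.replace("-", "").replace(".", "")
    if any(b in squashed for b in brands):
        return "brand-lookalike"
    label = registrable_label(host)
    if any(edit_distance(label, registrable_label(apex)) <= 2 for apex in apexes):
        return "brand-lookalike"
    return "external"


def review_draft(text: str):
    """(token, verdict) for every URL-like token in a draft message."""
    return [(m.group(0).rstrip(".,;:!?)"), classify(m.group(0).rstrip(".,;:!?)")))
            for m in URL_RE.finditer(text)]


def safe_to_publish(text: str) -> bool:
    """Only drafts whose every link is under a trusted apex may go out."""
    return all(verdict == "trusted" for _, verdict in review_draft(text))


if __name__ == "__main__":
    # Constructed drafts: one correct, one pointing at an off-apex lookalike.
    for draft in ("Check whether you were affected at https://security2017.equifax.com/",
                  "Check whether you were affected at securityequifax2017.com"):
        print(safe_to_publish(draft), review_draft(draft))
    print("transposed:", rearranged_tokens(*THREAD_HOSTS))
```

The check is deliberately strict in one direction: a link is published only if it is provably under the apex, so an operator who pastes the transposed name gets a block rather than a warning. Wiring this into whatever tool drafts the social posts is what turns the NYT's "just use a subdomain" advice into something that cannot be skipped under pressure.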

Thursday, September 21, 2017 1:11 PM

SIGNYM

I believe in solving problems, not sharing them.


Original notification here

http://www.fireflyfans.net/mthread.aspx?tid=61906

-----------
Pity would be no more,
If we did not MAKE men poor - William Blake


Thursday, September 21, 2017 1:14 PM

6STRINGJOKER


LOL. You can't even make this shit up.

I don't even know what to say. Nothing under the sun even surprises me anymore.


Kudos to Nick Sweeting for the troll.

Hopefully they don't try to ruin his life, assuming that his intentions were only what he stated they were. That took a lot of balls.


Thursday, September 21, 2017 4:42 PM

JEWELSTAITEFAN


Maybe they hired a Music Composition graduate as their new cybersecurity guru.


Thursday, September 21, 2017 9:48 PM

6STRINGJOKER


Yeah. Their minor was in Gender Studies.


Friday, September 22, 2017 1:32 AM

1KIKI

Goodbye, kind world (George Monbiot) - In common with all those generations which have contemplated catastrophe, we appear to be incapable of understanding what confronts us.


Equifax has a 'get out of jail free' card - Russia done dood it.




Trump is not the problem. He set himself against the Deep State's agenda. And the Deep State's been heading for WWIII for years.
As for you, you're just a Deep State useful idiot, furthering its agenda. So I hope you enjoy cesium in your coffee. You've earned it.


Friday, September 22, 2017 8:09 PM

JEWELSTAITEFAN


Quote:

Originally posted by 1kiki:
Equifax has a 'get out of jail free' card - Russia done dood it.

Wait - Trump owns Equifax now?


Friday, September 22, 2017 10:20 PM

SIGNYM

I believe in solving problems, not sharing them.


HAHAHAHA!!!

-----------
Pity would be no more,
If we did not MAKE men poor - William Blake


Wednesday, September 27, 2017 9:48 PM

SIGNYM

I believe in solving problems, not sharing them.


Well, this is what you get for fucking up bigtime ...

Quote:

Equifax CEO's Parting Gift: An $18 Million Bonus

http://www.zerohedge.com/news/2017-09-26/equifax-ceos-parting-gift-18-million-bonus


Clearly, there is NOTHING like a meritocracy going on!

-----------
Pity would be no more,
If we did not MAKE men poor - William Blake


Wednesday, September 27, 2017 11:56 PM

6STRINGJOKER


These fucks.

Big surprise there Sigs. I'll keep what I hope happens to him or her to myself, lest it actually happen and I end up having to go through something like your Anthrax thing.


I'll just say that I could live to be 1,000 years old and not spend that much money in my life. (Adjusted for inflation, of course).


Thursday, September 28, 2017 9:41 AM

BYTEMITE


Equifax is a joke.

But this explains why tech analysts were finding that the website Equifax referred people to was actually spitting out garbage answers on whether people's identity was stolen. They found that putting in the same information multiple times would get a completely different response, and that obviously fake information would also get a response.

So, great. My trust in the American financial system has never been stronger. -_-

As someone who was actually damaged by Equifax to the tune of someone stealing my credit card info and 1,200 dollars of fraudulent charges, I've been seriously considering joining the class action lawsuit.


Thursday, September 28, 2017 11:31 AM

6STRINGJOKER


READ THE FINE PRINT FIRST, BYTE!!!

Ahem.... sorry for yelling.

Take that well intentioned and deserved mistrust and apply it going forward. Who knows? Maybe you'd be joining a class-action lawsuit set up by an affiliate of Equifax that would amount to pennies in the end but you end up selling your soul in return when you sign it.



Thursday, September 28, 2017 12:27 PM

BYTEMITE


Technically the article Sig posted was slightly incorrect on this point, the waiver doesn't apply to the website where you could check about the theft, it applied to signing up for equifax's credit monitoring program - as if ANYONE WOULD after this.

But when people got pissed, Equifax also waived the waiver, sorta like they eventually waived the ten dollar fee to freeze your credit.

Which at this point, probably everyone actually should do, since who the hell knows who was affected anymore at this point? Except me, I know I was affected because of the damn bill I got.

Quote:

Maybe you'd be joining a class-action lawsuit set up by an affiliate of Equifax that would amount to pennies in the end but you end up selling your soul in return when you sign it.


That's not really how lawsuits work. That's a conflict of interest, and generally shows up in discovery. Any law firm pulling shenanigans like that would be subject to disbarment. Lawyers look out for themselves first, no one with the reputation to work for equifax is going to risk their career by doing something that ridiculously high profile and potentially felonious.



Thursday, September 28, 2017 1:22 PM

6STRINGJOKER


Well that's assuming that you're actually signing up for a legitimate law suit. Seems to me like they've proven that you could sign up for anything anywhere if you're not careful.

My mom thought she had Microsoft Customer Support as a resource she was paying for, for their business, until I did some digging and told her to cancel it immediately because it was a scam run from a "legitimate" company in India that pretended that it had Microsoft employees.

My brother just bought a 2TB thumb drive off of Amazon for 42 bucks. It actually took me 10 minutes of talking with him on the phone to convince him that he was scammed. The drives actually come out of the factory in China, programmed to be read on PCs and Macs as being 2TB when they have much less storage than that. There's only one legitimate 2TB thumb drive out there now that Kingston makes and it lists at over 2,200 bucks. He's blaming Amazon and can't believe that they would allow sellers to do that. I told him that he needs to do his research first.

All I'm saying is that you should never sign something unless you read it.



And, BTW, as I mentioned above, the breach affects every single person in America that has a credit history. The 143 million people thing is just a clever way of saying that it's everybody without actually saying it.

They subconsciously put the idea in your mind that it was less than half of the people that were affected this way, so if you don't think about it too much you're put at ease since there are greater odds that it didn't happen to you than it did.

Once you remove everyone under 18, people who have never had any accounts and cash their checks at the local currency exchange and illegals, all you got left are about 143 million people.
