Equifax support team sent victims of breach to fake site

Show Caption Hide Caption How the Equifax breach went from bad to worse Equifax’s massive security breach impacted as many as 143 million people.

Equifax cannot seem to get it right.

The credit bureau had been sending victims of a massive data breach to a bogus website that shared a similar address to the one it set up to help victims, it admitted Thursday.

After Equifax revealed its computer systems were breached and personal data for 143 million Americans was exposed, the company set up a website — equifaxsecurity2017.com — that helped consumers check whether their data was part of the breach.

Directing consumers to that site — as opposed to a page on its standard equifax.com — raised red flags, because it increased the chances that consumers hunting for, or being lured to, to the safe breach site would be misdirected to a malicious site with a similar address. To prove that point, developer Nick Sweeting created the site securityequifax2017.com, a simple inversion of the two first words. And then, Equifax's own support team directed customers to that URL over Twitter, reported The Verge.

"It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info," Sweeting told the tech publication.

Not only that, but the equifaxsecurity2017 site then sent visitors to a totally different URL to see if they were potentially affected by the breach. That URL, trustedidpremier.com, was real but confused and concerned many because it was an outside address.

Consumers are particularly vulnerable to identify and information theft after news of a big data breach. Criminals use that opportunity to sending phishing emails and other electronic overtures, masked as legitimate aid, to steal information.

Not only did they tweet the wrong link, they tweeted it 3 times. #Equihax pic.twitter.com/T8jrhSfhqw — Nick Sweeting 🚲 (@thesquashSH) September 20, 2017

In a statement to USA TODAY, Equifax said all tweets with the incorrect website link have been removed, and it apologized to customers. "Consumers should be aware of fake websites purporting to be operated by Equifax," it said.

Equifax's legitimate site has been marred with issues from the beginning, with users complaining the site failed to confirm whether they were harmed by the breach. The site's request for six digits of their social security number also raised security questions and was taken by some web browsers as a possible phishing scam.

A day after the breach and launch of the legitimate help website, scammers had created 194 phishing websites that shared similar addresses with equifaxsecurity2017.com

More: Equifax’s post-hack website looked like a phishing threat to some browsers

More: Equifax data breach: I tried to freeze my credit. There were problems.

More: Equifax data breach: How to freeze your credit

Follow Brett Molina on Twitter: @brettmolina23.