Fake website fools Equifax staff By Chris Fox

Technology reporter Published duration 21 September 2017

image copyright EPA

Credit rating firm Equifax has apologised after it mistakenly directed some customers to an imposter website via its Twitter page.

The firm recently disclosed a data breach affecting more than 143 million people, and set up a new website to share information with customers.

But it mistakenly tweeted the wrong web address several times, leading some customers to a fake website.

One security researcher told the BBC it was a "massive faux-pas".

image caption The fake Equifax website looked just like the real thing, but was critical of the company

Following its data breach, Equifax set up a new website - equifaxsecurity2017.com - to let people find out more information.

The website also let people register for a credit monitoring service, by entering personal details into a form.

Many security researchers said Equifax should have hosted this information on its main website - equifax.com - rather than setting up a new one.

They pointed out that the new web address looked like one a scammer might set up to try to fool victims.

Security researcher Nick Sweeting tweeted: "Yeah... no thanks... it would take me literally 20 mins to build a clone of this site."

He then did exactly that, creating an almost identical version of the website at securityequifax2017.com.

His fake version of the website also let people fill in their personal information - but then told them they had been "bamboozled".

Staff operating the Equifax twitter feed shared the fake website with customers several times.

image copyright Twitter.com/Equifax image caption The incorrect tweets have since been deleted

In a statement, Equifax said: "All posts using the wrong link have been taken down. We apologise for the confusion.

"Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is equifaxsecurity2017.com and our US company homepage is equifax.com."

Faux-pas

"Clearly, the social media team has not been thoroughly briefed," said Ken Munro from the security firm Pen Test Partners.

"That's a massive faux-pas, they should not be pointing people to a website that is not the real one.

"They are lucky the person behind it was a well-intentioned security researcher, it could easily have been somebody harvesting credentials."

Criminals often use a widely-publicised data breach to try and fool victims into handing over more of their personal data.

"People have to be careful after a data breach. Hackers often email victims trying to spoof the affected organisations," said Mr Munro.

"You might get phone calls from people pretending to be from the support team. We see this all the time - be on your guard."