Problems with Equifax Breach Disclosure
"Insecurities in a security disclosure"
Looks like the observation in this blog has already become a reality. Phishing sites already up and running:
As I was going through the myriad of news articles and url's floating around, I ended up at this site equifaxsecurity2017.com. To my surprise I noticed that this site is NOT hosted in or by Equifax, instead it was hosted on a completely untrusted domain called "equifaxsecurity2017.com". Except the EQUIFAX logo, nothing on this site points to the authenticity of this site. Moreover this site redirects users to a 3rd party site that then asks UNAUTHENTICATED users to enter the last 6 digits of SSN and last name.
As an Equifax consumer, the least anyone expects is that they have the ability to trust that all communications come from the company domain and can be rest assured that they won't fall victim to more attacks.
Given that 143 million people are going to enter their SSN on this site, I'm certain that several PHISHING websites of the following variations are going to pop up over the next few days:
- equifaxsecurity2O17.com (note that I have replace "0" with an "O" in this)
- equifaxsecurity20I7.com (note that I have replaced "1" with an "I" in this)
- equifaxsecurtiy20I7.com etc etc etc....
A random website coming up overnight with no attribution to Equifax domain and collecting SSN and PII has opened up a huge opportunity for the attackers.
To make matters worse the domain registration of these sites have no tie back to Equifax. equifaxsecurity20I7.com is registered and hosted anonymously behind cloudflare. Moreover, this site further directs users to a different domain trustedidpremier.com
that is hosted on Amazon, registered with AWS, DV certs obtained from AWS and has absolutely no connection to Equifax anywhere.
Finally, as a last resort I checked the SSL certificates to ensure that at least these sites are legit before I enter my SSN. To my surprise, I found that all of these sites above use DV certs. Without going into technical details, DV certs are the easiest unverified certs to obtain and most lucrative for PHISHING campaigns and malicious actors as certificate authorities do not validate who is requesting a cert and why before granting one. Over 14,000 SSL Certificates were issued to PayPal phishing sites using this same methodology over the past few years.
What does this mean to Equifax and Consumers?
Over the next several days we will start seeing major phishing campaigns popping up that leverages this opportunity to spin up fake websites to collect SSN's and PII of trusting innocent Equifax customers. This will not only affect the 150M affected customers but also anyone else who tries to enter their SSN to check if they are affected. This could subject all the affected markets into phishing campaign frenzy, including but not limited to, US, UK and Canada
For example, any attacker can register a site "equifaxsecurity20I7.com", host a page with equifax logo, get a DV certificate and start sending out phishing emails with equifax logo in it. Unsuspecting consumers/victims will click it and will make the situation worse.