Problems with Equifax Breach Disclosure

"Insecurities in a security disclosure"

UPDATE (9/20/17):

Looks like the observation in this blog post has already become a reality. Phishing sites are already up and running:

ORIGINAL STORY:

As I was going through the myriad of news articles and URLs floating around, I ended up at the site equifaxsecurity2017.com. To my surprise, I noticed that this site is NOT hosted on an Equifax domain; instead it is hosted on a completely untrusted domain called "equifaxsecurity2017.com". Except for the Equifax logo, nothing on this site attests to its authenticity. Moreover, this site redirects users to a third-party site that then asks UNAUTHENTICATED users to enter the last six digits of their SSN and their last name.
As an Equifax consumer, the least anyone expects is the ability to trust that all communications come from the company's own domain, and to rest assured that they won't fall victim to further attacks.

Given that 143 million people are going to be told to enter their SSN on this site, I'm certain that several PHISHING websites with the following variations are going to pop up over the next few days:
- equifaxsecurity2O17.com (note that I have replaced the "0" with an "O" in this)
- equifaxsecurity20I7.com (note that I have replaced the "1" with an "I" in this)
- equifaxsecurity20I7.net (same label under a different TLD)
- equifaxsecurtiy20I7.com (transposed "it" to "ti" as well), and so on.

A random website coming up overnight, with no visible tie to an Equifax domain and collecting SSNs and PII, has opened up a huge opportunity for attackers.
To make matters worse, the domain registrations of these sites have no tie back to Equifax. equifaxsecurity2017.com is registered and hosted anonymously behind Cloudflare. Moreover, this site directs users on to a different domain, trustedidpremier.com, which is hosted on Amazon, registered with AWS, uses DV certificates obtained from AWS, and has absolutely no visible connection to Equifax anywhere.

Finally, as a last resort, I checked the SSL certificates to make sure that at least these sites were legitimate before entering my SSN. To my surprise, I found that all of the sites above use DV certificates. Without going into technical details: a DV (domain-validated) certificate is the easiest kind to obtain, and the most useful to PHISHING campaigns and malicious actors, because the certificate authority checks only that the requester controls the domain name (usually via an automated e-mail, DNS or HTTP challenge), not who the requester is or why they want the certificate. Anyone who registers a look-alike domain therefore gets a valid certificate, and a browser padlock, for it. Over 14,000 SSL certificates were issued to PayPal phishing sites using this same methodology over the past few years.

What does this mean for Equifax and consumers?
Over the next several days we will start seeing major phishing campaigns that leverage this opportunity, spinning up fake websites to collect the SSNs and PII of trusting, innocent Equifax customers. This will affect not only the 143 million people whose data was exposed but also anyone else who enters their SSN to check whether they are affected. It could subject every affected market to a phishing frenzy, including but not limited to the US, UK and Canada.

For example, any attacker can register "equifaxsecurity20I7.com", host a page carrying the Equifax logo, obtain a DV certificate for it, and start sending out phishing emails with the Equifax logo in them. Unsuspecting consumers will click through, enter their SSN, and make the situation worse.
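The look-alike variants listed above and the attacker's registration step are mechanical, so they can be enumerated and detected mechanically. The Python script below is an added example (not code from the original post, and not anything Equifax or its vendors publish) that generates the homoglyph and transposition look-alikes of a domain that an attacker would be likely to register, and classifies an arbitrary hostname against a small allowlist of trusted domains by collapsing confusable characters into a canonical "skeleton" and then applying an edit distance that counts adjacent swaps as one edit. The allowlist, the confusables table and the hostnames tested are constructed for the example; a production tool would use the Public Suffix List for the registrable-domain split and a fuller confusables table.

```python
"""Look-alike domain generator and detector (added example, not from the post).

Assumes a constructed allowlist of the domains the post names as legitimate;
a real deployment would load its own allowlist and a full confusables table.
"""

# Constructed allowlist: the domains the post names as the legitimate ones.
TRUSTED = {"equifax.com", "equifaxsecurity2017.com", "trustedidpremier.com"}

# Characters routinely swapped because they look alike in common fonts, each
# mapped to one canonical representative so that look-alike spellings collide.
CONFUSABLE = {"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e", "8": "b"}

# The substitutions an attacker makes when registering (the reverse direction).
SWAPS = {"0": "O", "1": "I", "i": "1", "l": "1", "o": "0", "m": "rn", "w": "vv"}


def registrable(host):
    """Split a hostname into (second-level label, TLD).

    Assumes a single-label public suffix such as "com"; use the Public Suffix
    List for suffixes such as "co.uk" in real code.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def skeleton(label):
    """Canonical form of a label with two- and one-character confusables collapsed."""
    s = label.lower().replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLE.get(ch, ch) for ch in s)


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def candidate_lookalikes(domain):
    """Domains an attacker would register: one homoglyph swap or one adjacent transposition."""
    sld, tld = registrable(domain)
    out = set()
    for i, ch in enumerate(sld):
        if ch in SWAPS:
            out.add(sld[:i] + SWAPS[ch] + sld[i + 1:] + "." + tld)
    for i in range(len(sld) - 1):
        swapped = sld[:i] + sld[i + 1] + sld[i] + sld[i + 2:]
        if swapped != sld:
            out.add(swapped + "." + tld)
    return out


def classify(host, trusted=TRUSTED):
    """Return "trusted", "lookalike of X", "typosquat of X" or "unrelated"."""
    sld, tld = registrable(host)
    if sld + "." + tld in trusted:
        return "trusted"
    trusted_parts = [(t, registrable(t)[0]) for t in sorted(trusted)]
    # Pass 1: identical skeleton (homoglyphs, or the same label under another TLD).
    for t, tsld in trusted_parts:
        if skeleton(sld) == skeleton(tsld):
            return "lookalike of " + t
    # Pass 2: one edit away after skeletonising (typos and transpositions).
    for t, tsld in trusted_parts:
        if osa_distance(skeleton(sld), skeleton(tsld)) <= 1:
            return "typosquat of " + t
    return "unrelated"


if __name__ == "__main__":
    # Hostnames constructed for the example, including the variants the post predicts.
    for h in ["equifaxsecurity2017.com", "equifaxsecurity2O17.com",
              "equifaxsecurity20I7.net", "equifaxsecurtiy20I7.com", "example.org"]:
        print(h.ljust(28), "->", classify(h))
    print(len(candidate_lookalikes("equifaxsecurity2017.com")),
          "candidate domains to monitor or pre-register")
```

The skeleton step is what catches the "0" for "O" and "1" for "I" swaps: both the genuine label and the spoof collapse to the same string, so a plain string comparison finds them. The edit distance with transpositions is what catches "securtiy" for "security". The generator runs the same substitutions in the other direction, which is the list a defender would feed to a domain-monitoring service or register defensively before the attacker does.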

Comments

  1. You made a very good point. Almost scary how real that website looks to an untrained eye.
    People usually look for the https certificate on the browser address bar but as you mentioned they got around that too.
    Big news like this always comes with its share of scamsters, smarter and smarter every time. The only way to ensure we don't fall for such scams is to contact the right sources before entering any information online.

    Replies
    1. Check this out. Looks like my prediction above has come true already :)
      http://www.businessinsider.com/report-equifax-directed-concerned-consumers-to-a-spoof-site-2017-9?utm_content=buffer1df4d&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer-bi


