<center>

# Equifax Security Incident (2017)

*Originally published 2017-09-20 on [docs.sweeting.me](https://docs.sweeting.me/s/blog).*

<img src="https://i.imgur.com/mE7DIew.png" width="70%"/>

A summary of my involvement with the 2017 Equifax breach response fiasco.

---

**🔊 Listen to this story in podcast form! 🔊 [Carbonite: Breach s02e04](https://www.carbonite.com/podcasts/breach/s02e04-Equifax-data-breach)**

*With exclusive interviews of Equifax employees, reporters, and infosec experts who were involved.*

<img src="/uploads/upload_ee94ef39afd5da47a59b949532397e16.png" width="56%"> <img src="/uploads/upload_e6079287adc9aaf8eed44d977a80d842.png" width="42%">

</center>

## Summary

On September 7th 2017, Equifax [announced](https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628) a breach that had exposed customer information, including names, addresses, SSNs, and more.

In the fiasco that followed, they made the mistake of standing up their breach response on a brand-new secondary domain, equifaxsecurity2017.com, and asking customers to type personal information into it to check whether they were affected. Because that domain had no prior reputation and no visible relationship to equifax.com, nothing distinguished it from any other domain a stranger could register for a few dollars: scammers and phishing sites could claim plausible variations on it (the same words in a different order, a typo, another TLD) and catch unwitting visitors who typed or clicked the wrong one. That would have been much harder to pull off had they simply hosted the page under equifax.com.

To illustrate why using a secondary domain is a terrible thing to do during a breach response, I created a spoof domain that warned customers they were visiting the wrong page, and that Equifax had messed up by directing customers to an unknown URL. I later discovered that **official Equifax support reps had been mistakenly directing customers to my spoof site instead of their real one**, leading to the events below, where it eventually got picked up by the mainstream news cycle.
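To make the summary's point concrete, here is a small generator for the look-alike domains a squatter could register against a standalone breach-response hostname. This is an added example written for this page, not code from the original post; the split of the name into words and the list of alternate TLDs are assumptions chosen for the illustration. A responder who insists on a standalone domain should at least enumerate these candidates, register the obvious ones, and watch the rest (for example in Certificate Transparency logs) before publishing the URL.

```python
"""Enumerate look-alike registrations for a breach-response hostname.

Added example, not code from the original post. A one-off domain such as
equifaxsecurity2017.com has no reputation, so any cheap permutation of it
(securityequifax2017.com is just the two words swapped) is as believable
to a victim as the real thing. The token split and TLD list below are
assumptions for the example.
"""
import itertools


def word_order_swaps(tokens):
    """Every reordering of the name's words: security+equifax+2017, ..."""
    return {"".join(p) for p in itertools.permutations(tokens)}


def hyphenations(tokens):
    """Insert '-' at any subset of word boundaries: equifax-security2017, ..."""
    out = set()
    for mask in itertools.product((False, True), repeat=len(tokens) - 1):
        label = tokens[0]
        for hyphen, tok in zip(mask, tokens[1:]):
            label += ("-" if hyphen else "") + tok
        out.add(label)
    return out


def char_edits(label):
    """Single-character omissions, doublings and transpositions (fat-finger typos)."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])               # drop one char
        out.add(label[:i] + label[i] + label[i:])        # double one char
        if i + 1 < len(label):                           # swap adjacent chars
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def lookalikes(tokens, tld="com", alt_tlds=("net", "org", "co", "info")):
    """Return the set of candidate domains a squatter could register.

    `tokens` is the legitimate label split into its words, e.g.
    ("equifax", "security", "2017"); the legitimate name itself is excluded.
    """
    legit_label = "".join(tokens)
    labels = word_order_swaps(tokens) | hyphenations(tokens) | char_edits(legit_label)
    candidates = {f"{label}.{tld}" for label in labels}
    candidates |= {f"{legit_label}.{t}" for t in alt_tlds}   # same name, other TLD
    candidates.discard(f"{legit_label}.{tld}")
    return candidates


def flag_observed(observed, tokens, **kw):
    """Given hostnames seen in the wild (CT logs, WHOIS feeds, DNS telemetry),
    return the ones that collide with a generated look-alike, sorted."""
    watch = lookalikes(tokens, **kw)
    return sorted(h for h in observed if h.lower() in watch)


if __name__ == "__main__":
    tokens = ("equifax", "security", "2017")
    # Constructed sample of hostnames "seen" in a CT log; not real data.
    seen = ["securityequifax2017.com", "equifaxbreach2017.com",
            "equifaxsecurity2017.com", "example.org"]
    print(len(lookalikes(tokens)), "candidate look-alikes")
    print(flag_observed(seen, tokens))   # ['securityequifax2017.com']
```

The bounded model is deliberate: it catches word swaps, hyphenation, adjacent-character typos and alternate TLDs, but not word substitution, so a name like equifaxbreach2017.com in the constructed sample is not flagged. In practice you would extend the token list with synonyms ("breach", "incident", "help") and use a purpose-built tool such as dnstwist for homoglyphs and bit-flips; the cheaper fix is the one the post argues for, publishing under a domain you already own and customers already know.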
<table>
<tr>
<td style="width:30%; text-align: center">
<h4>Sept 8</h4>
<b>I created a spoof site <code>securityequifax2017.com</code> to mock Equifax's easily phishable domain choice.</b>
<hr/>
<img src="https://pbs.twimg.com/media/DKLcX0NVwAENuXA.jpg" width="210px">
<img src="/uploads/upload_664ed9df7a9a46cca0da7562187d869f.jpg">
</td>
<td style="width:30%; text-align: center">
<h4>Sept 8 - 20</h4>
<b>Equifax's social media system <i>auto-filled my URL</i>, causing their reps to direct people to my spoof site.</b>
<hr/>
<img src="/uploads/upload_7cfb40474304329ca8d5aa47289ea045.jpg" width="200px"><br/>
<img src="/uploads/upload_f53468c7327737a96c72745b65de6f72.png" width="200px" style="margin-top: 4px"><br/><br/>
<a href="https://i.imgur.com/X3HVpzI.png">Some tweets are still live!</a>
</td>
<td style="width:30%; text-align: center">
<h4>Sept 20</h4>
<b>I get notified that my spoof site was getting millions of hits from <i>official Equifax support tweets</i>.</b>
<hr/><br/>
<img src="https://pbs.twimg.com/media/DKLcX0NVAAAhA0l.jpg" width="300px"><br/><br/>
<img src="/uploads/upload_0a77084966ba62b962ede5c459793dec.png" width="300px"><br/><br/><br/>
<a href="https://twitter.com/thesquashSH/status/910512164938665984">Link to original tweet</a>
<br/>
</td>
</tr>
</table>

## Timeline 📅

**2017 (times are in EST)**

- **Sept 7 @ 8am:** Original [Equifax Breach Announcement](https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628) with equifaxsecurity2017.com link
- **Sept 8 @ 4:05pm:** I buy securityequifax2017.com domain & point it to Github Pages
- **Sept 8 @ 4:15pm:** I clone the official site to Github Pages and add a few [jokes](/uploads/upload_ee94ef39afd5da47a59b949532397e16.png) & [easter eggs](/uploads/upload_e6079287adc9aaf8eed44d977a80d842.png)
- **Sept 8 @ 4:25pm:** I post the first public link to the cloned spoof site [on Twitter](https://twitter.com/thesquashSH/status/906206945320820736)
- **Sept 8 @ 4:41pm:** I move securityequifax2017.com to self-hosting on a DigitalOcean VPS
- **Sept 8 @ 5pm:** I post my spoof site link to FB, [HN](https://news.ycombinator.com/from?site=securityequifax2017.com), and a [few places on Twitter](https://twitter.com/search?q=securityequifax2017.com%20(from%3AtheSquashSH)%20until%3A2017-09-10%20since%3A2017-09-08&src=typed_query)
- ...
- **Sept 9-20:** Equifax mistakenly tweets 8 links to securityequifax2017.com
- ...
- **Sept 20 @ 9am:** I am notified of Equifax's mistaken tweets by [@aaronkkruse](https://twitter.com/aaronkkruse) via [private email](/uploads/upload_1787667adffd18fcfae0c5c0c56fb2e5.png)
- **Sept 20 @ 10am:** I make a [tweet](), post it to HN, [@swiftonsecurity](https://twitter.com/SwiftOnSecurity/status/910535176974929920) & [@bcrypt](http://twitter.com/bcrypt) retweet
- **Sept 20 @ 11am:** Story [goes viral](https://twitter.com/search?q=securityequifax2017.com%20until%3A2017-09-30%20since%3A2017-09-07&src=typed_query), [500k+ Twitter hits](/uploads/upload_19ef899c2eb96bc7ad8c712367bcfc93.png), [200k+ unique hits on CloudFlare](https://www.nytimes.com/2017/09/20/business/equifax-fake-website.html#targetText=hits)
- **Sept 20 @ 12pm:** Cloudflare [suspends my account](https://mobile.twitter.com/xxdesmus/status/910545142846590976) (later unsuspended after support review)
- **Sept 20 @ 1pm:** Turn off Cloudflare and [point DNS back to Digitalocean VPS](https://securitytrails.com/domain/securityequifax2017.com/history/a)
- **Sept 20 @ 2pm:** Press [starts](/uploads/upload_0353a08ce5e5f85258adf1c7cadf7b84.png) contacting [me](/uploads/upload_9aff48c54e8abfd211e8946f359fb5e6.png), [I provide them my official statement](/uploads/upload_6a6e6ef5111681e61eb3757f98dffc0a.png) ([see below](#My-Official-Statement-to-Press-✍️))
- **Sept 20 @ 4pm:** [Google Safe Browsing](https://safebrowsing.google.com/) blacklists the site, causing [browser phishing warnings](/uploads/upload_2dce2d6fbb739825159f980697eaee1c.png)
- **Sept 20 @ 4:30pm:** I destroy the DigitalOcean droplet, and [point the DNS to 127.0.0.1](https://securitytrails.com/domain/securityequifax2017.com/history/a)
- **Sept 20-22nd:** [Media frenzy continues](#Newspapers-%F0%9F%97%9E)
- ...
- **2019:** securityequifax2017.com purchased by different owner (I no longer control it)

## My Official Statement to Press ✍️

> It's in everyone's interest to get Equifax to change this site to a reputable domain. I knew it would only cost me $15 to set up a site that would get people to notice, so I just did it. As it stands, their site is dangerously easy to impersonate; it only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there. (There's also https://www.equifaxbreach2017.com/)
>
> The "wget" command on linux allows you to download a website, including all images, html, css, etc. Using this command, it was very easy to just suck their whole site down and throw it on a $5 server. It currently has the same type of SSL certificate as the real version, so from a trust perspective, there's no way for users to authenticate the real one vs my server. They should either change it to https://equifax.com (with an EV cert), or take it down altogether. I hope other companies are able to learn from this mistake, and remember to publish content only on trusted domains.
>
> I was honestly not that surprised when someone showed me the mistweet; it's just another mistake in a long line of horrendous security blunders they've made. I was slightly more surprised when I learned that they tweeted the wrong link over 8 times, going all the way back to Sept 9th! I just hope the employee who posted the tweet doesn't get fired; they probably just Google'd for the URL and ended up finding the fake one instead. The real blame lies with the people who originally decided to set the site up badly.
>
> My fake site is not malicious in any way. It loads over https and I've disabled the eligibility form so that no information typed in gets sent anywhere or saved in any way. You can verify using the dev tools or by looking at the source code of eligibility/eligibility.html. It recently got blocked by the google domains blacklist, so I took it down around 4pm CT on Wednesday. There are screenshots in the NYTimes article and on twitter depicting what it looked like while it was up.
>
> The tweets got >700k impressions, and the site got >200k hits as of Wednesday afternoon before I turned off analytics\*. I'm glad that all the responses so far are positive; I just hope it leads to Equifax actually fixing the situation.
>
> I'm a Software Engineer/security enthusiast, currently working on launching a gaming+cryptocurrency startup in Medellin, Colombia: https://monadical.com

<center>〰〰〰</center>

*\* Given the time the site was up and the rate of traffic, I suspect the final hit-count was >1 million.*

## Equifax's Official Statements 🏢

1. [Wednesday, Sept 20th 2017](http://www.slate.com/blogs/future_tense/2017/09/20/equifax_tweeted_the_wrong_url_for_its_data_breach_website.html):

   > "All posts using the wrong link have been taken down. To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologize for the confusion."

2. [Wednesday, Sept 20th 2017](https://www.nytimes.com/2017/09/20/business/equifax-fake-website.html?mcubz=3&_r=0):

   > "We apologize for the confusion. Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017.com, and our company homepage is www.equifax.com. Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages."
## Press

https://en.wikipedia.org/wiki/Equifax

### Social Media 🌐

- https://twitter.com/thesquashSH/status/910512164938665984
- https://twitter.com/SwiftOnSecurity/status/910532389641900038
- https://twitter.com/SwiftOnSecurity/status/910529573439328258
- https://twitter.com/bcrypt/status/910524247897817089
- https://news.ycombinator.com/item?id=15295146
- https://it.slashdot.org/story/17/09/20/1848238/equifax-has-been-sending-consumers-to-a-fake-phishing-site-for-almost-two-weeks
- https://www.reddit.com/r/firstworldanarchists/comments/71cq0u/equifax_gets_it/

### Newspapers 🗞

- https://www.nytimes.com/2017/09/20/business/equifax-fake-website.html
- https://www.forbes.com/sites/janetwburns/2017/09/21/equifax-was-linking-potential-breach-victims-on-twitter-to-a-scam-site/#2437e471288f
- http://fortune.com/2017/09/20/equifax-credit-breach-security-phishing/
- https://blogs.wsj.com/cio/2017/09/21/the-morning-download-sec-says-public-company-filings-system-was-hacked/
- https://www.wired.com/story/equifax-breach-response/
- https://arstechnica.com/information-technology/2017/09/equifax-directs-breach-victims-to-fake-notification-site/
- http://money.cnn.com/2017/09/20/technology/business/equifax-fake-site-twitter-phishing/index.html
- https://www.cnet.com/news/equifax-twitter-fake-support-site-breach-victims/
- https://gizmodo.com/equifax-has-been-sending-consumers-to-a-fake-phishing-s-1818588764
- https://www.theverge.com/2017/9/20/16339612/equifax-tweet-wrong-website-phishing-identity-monitoring
- http://uk.businessinsider.com/report-equifax-directed-concerned-consumers-to-a-spoof-site-2017-9
- https://www.thebillfold.com/2017/09/more-news-about-the-equifax-hack/
- https://www.cbsnews.com/news/equifax-breach-company-sent-customers-to-wrong-site-for-weeks-report/
- https://www.cnbc.com/video/2017/09/21/equifax-acknowledges-it-sent-customers-to-fake-phishing-site.html
- https://www.dailydot.com/debug/equifax-fake-phishing-site/
- http://www.slate.com/blogs/future_tense/2017/09/20/equifax_tweeted_the_wrong_url_for_its_data_breach_website.html
- http://mashable.com/2017/09/20/equifax-twitter-phishing-site-facepalm/#cIiGURzHjOqF
- http://nypost.com/2017/09/20/hackers-have-been-hiding-in-equifaxs-computer-network-for-months/
- https://finance.yahoo.com/news/equifax-hack-2017-equifax-fake-162034727.html
- http://wccftech.com/equifax-breach-victims-phishing-site/
- http://thehill.com/policy/cybersecurity/351555-equifax-tweets-out-would-be-fishing-site-in-lieu-of-breach-info-site
- http://www.uatrav.com/opinion/article_46cb0b34-a313-11e7-91cb-e7c4c02d8f64.html
- http://www.refinery29.com/2017/09/173124/equifax-hack-twitter-phishing-site
- https://www.avclub.com/equifax-accidentally-sent-hack-victims-to-a-phishing-si-1818602676
- http://www.news5cleveland.com/newsy/equifax-fell-for-a-clone-of-its-website-and-then-sent-users-to-it
- http://uproxx.com/news/equifax-sent-consumers-phishing-site/
- https://mic.com/articles/184606/equifax-has-directed-followers-to-fake-phishing-site-for-nearly-two-weeks#.gVdhVCV34
- https://www.slashgear.com/equifax-team-accidentally-sent-some-people-to-a-phishing-website-20500921/
- https://www.eastidahonews.com/2017/09/equifax-tweets-fake-phishing-site-concerned-customers/
- https://www.thepennyhoarder.com/smart-money/equifax-scam-site/
- http://www.expressnews.com/business/technology/article/San-Antonio-consumers-angry-confused-over-12216111.php
- http://tribunist.com/news/equifax-sent-consumers-to-fake-phishing-site-by-repeatedly-tweeting-the-wrong-url/
- http://www.sfgate.com/business/article/Equifax-screws-up-further-Amazon-says-Oh-12215909.php
- https://www.rawstory.com/2017/09/equifax-has-been-sending-customers-straight-into-a-hackers-trap-for-weeks/
- http://www.ibtimes.com/equifax-phishing-scams-company-customer-service-sends-victim-fake-website-2592100
- https://www.vanityfair.com/news/2017/09/donald-trump-un-africa
- https://www.guruin.com/news/2879
- http://vothemes.com/2017/09/after-equifax-breach-company-sent-victims-to-wrong-site-for/
- https://www.rt.com/usa/404014-equifax-imposter-site-victims-two-weeks/
- http://www.dailymail.co.uk/news/article-4904842/Equifax-sent-people-wrong-site-check-data-breach.html
- https://www.usatoday.com/story/tech/talkingtech/2017/09/21/equifax-support-team-sent-victims-breach-phishing-site/688188001/
- http://www.npr.org/sections/thetwo-way/2017/09/21/552681357/after-massive-data-breach-equifax-directed-customers-to-fake-site
- http://wjla.com/features/7-on-your-side/7-on-your-side-equifax-accidentally-tweets-a-fake-phishing-site
- http://dailycaller.com/2017/09/21/equifax-tried-to-help-customers-but-accidentally-sent-them-to-a-phony-site/
- https://www.theregister.co.uk/2017/09/21/equifax_fooled_again_company_teets_out_links_to_website_parodying_it/
- http://www.newser.com/story/248958/equifaxs-latest-headache-a-10-fake-website.html
- https://www.deseretnews.com/article/865689297/Equifax-has-directed-victims-of-hack-to-a-fake-website-for-weeks.html
- http://theweek.com/speedreads/725991/equifax-been-sending-customers-phishing-website
- https://epic.org/privacy/data-breach/equifax/

### Video/Audio News 📺

- **Breach Podcast:** https://www.carbonite.com/podcasts/breach/s02e04-Equifax-data-breach
- **John Oliver:** https://www.youtube.com/watch?v=mPjgRKW_Jmk
- **Colbert Report 1:** https://youtube.com/watch/?v=xh8d7TV74uQ?t=13m24s
- **Colbert Report 2:** https://www.youtube.com/watch?v=LyIEd5QVkyc&t=251
- **CBS NY 1:** https://www.youtube.com/watch?v=eHQUFznVh-k-
- **CBS NY 2:** https://www.youtube.com/watch?v=OR3MJH2cpaU
- **Fox News 🤮:** https://youtu.be/tayONQBZmms?t=1m22s
- **CBS Chicago:** https://www.youtube.com/watch?v=MDWHKQ6Xa74
- **Philip DeFranco:** https://www.youtube.com/watch?v=OTDY--Qb72E
- **WCPO:** https://www.youtube.com/watch?v=RL5svVyYF08
- **Newsy:** https://www.youtube.com/watch?v=eHQUFznVh-k
- **US Breaking News:** https://youtu.be/9Tx6xcYo1nQ?t=32s
- **Jim Yackel:** https://www.youtube.com/watch?v=S2AdVUl69bc
- **Headlines With a Voice:** https://youtu.be/LrH1nGrApGs?t=4m20s
- **QuickNews:** https://www.youtube.com/watch?v=MefmSvJwTf8
- **DEFCON 27 Talk:** https://www.slideshare.net/BronsonPeto/uncl3dumby-anatomy-of-a-megabreach-equifax-report/BronsonPeto/uncl3dumby-anatomy-of-a-megabreach-equifax-report

---

## Related Scandals 🤦‍

### Marriott / Starwood 🏨

**2018-12-03:** It happened all over again with the Marriott/Starwood breach: another unfamiliar breach-notification domain, and another spoof site.

- https://techcrunch.com/2018/12/03/marriott-data-breach-response-risk-phishing/
- https://twitter.com/troyhunt/status/1068782889242845184
- https://email-mariott.com