Equifax's Twitter account linked to a website created by a software engineer imitating the real breach info site:
People create fake versions of big companies' websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake.
Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of equifaxsecurity2017.com, Equifax's page about the security breach that may have exposed 143 million Americans' personal information. Several posts from the company's Twitter account directed consumers to Mr. Sweeting's version, securityequifax2017.com. They were deleted after the mistake was publicized.
By Wednesday evening, the Chrome, Firefox and Safari browsers had blacklisted Mr. Sweeting's site, and he took it down. By that time, he said, it had received about 200,000 hits.
Fortunately for the people who clicked, Mr. Sweeting's website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: "To enroll in complimentary identity theft protection and credit file monitoring, click here." But a headline in large text differed: "Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?"
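The mix-up above is a segment swap: the same brand tokens in a different order. An added example (not from the article, and not Equifax's own tooling) of the check a social-media or communications team could run on every link before it is published; the official domain and its tokens are taken from the story, the helper names and the hyphenated variants are assumed:

```python
from itertools import permutations
from urllib.parse import urlsplit

# Constructed example values from the story: the real breach-info domain and the
# tokens it is built from. A lookalike is any other ordering of the same tokens.
OFFICIAL_DOMAIN = "equifaxsecurity2017.com"
OFFICIAL_TOKENS = ("equifax", "security", "2017")
SEPARATORS = ("", "-")  # assumption: also flag hyphenated spellings


def lookalike_domains(tokens=OFFICIAL_TOKENS, tld="com"):
    """Every reordering of the tokens, joined plainly or with hyphens, except the official name."""
    official = "".join(tokens) + "." + tld
    variants = set()
    for order in permutations(tokens):
        for sep in SEPARATORS:
            variants.add(sep.join(order) + "." + tld)
    variants.discard(official)
    return variants


def hostname_of(url):
    """Host part of a URL or bare domain: lowercased, no port, no trailing dot, no leading 'www.'."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat a bare domain as a netloc
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_link(url, official=OFFICIAL_DOMAIN, variants=None):
    """Return 'official', 'lookalike' or 'other' for a link that is about to be posted."""
    variants = lookalike_domains() if variants is None else variants
    host = hostname_of(url)
    if host == official:
        return "official"
    if host in variants:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    for link in ("https://www.equifaxsecurity2017.com/",
                 "http://securityequifax2017.com/enroll",
                 "https://www.equifax.com"):
        print(link, "->", classify_link(link))
```

The same variant list doubles as a watchlist for defensive registration or certificate-transparency monitoring of the brand's domains.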
Also at The Verge.
Previously: Equifax Data Breach Could Affect 143 Million Americans [Updated]
Are You an Equifax Breach Victim? You Could Give Up Right to Sue to Find Out
Outrage Builds after Equifax Executives Banked $2 Million Following Data Breach
Equifax CIO, CSO "Retire" in Wake of Huge Security Breach
(Score: 2) by requerdanos on Thursday September 21 2017, @11:04PM
Admittedly, I don't know, but would guess that as a Windows application intended for people who live in the Windows World, much of their target audience is of the "I don't really get that security stuff" variety, and one might wonder why go to the trouble of making a real-looking website or having signed official builds if the userbase of the program wouldn't, by and large, notice.
There are lots of Windows admins and lots of Windows users that do know what's up, of course, but I wouldn't think they would make up a huge percentage of the userbase of any Windows-World software, not even this one. (Though of course this one, as a common SSH tool, should have a higher percentage of security-savvy users than other Windows things, I believe that still doesn't make for an overpowering number.)
This is rather a shame, because the situation has been exploited [securityaffairs.co] in the wild.
Situation for Equifax is similar: the vast majority of their victims* don't know from good security. But in both cases, just because there's a large group of users or victims that doesn't know much about security doesn't mean that there are not experts who DO know about security, and doesn't absolve Equifax or Mr. Tatham of their responsibilities in the realm thereof.
---
* Equifax's users are those who have subscriptions to negative or neutral things that Equifax says about their victims; it's a different group than the one to which I refer above.