
posted by Fnord666 on Thursday September 28 2017, @02:14PM
from the I-have-trust-issues dept.

Arthur T Knackerbracket has found the following story:

More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.

Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public's trust.

[...] the email purports to have been sent from trustedid.com, a domain that Equifax has owned for almost four years. However, Equifax apparently decided it was time for a new — and perhaps snazzier — name: trustedidpremier.com.

The [above-pictured] message says it was sent from one domain, and then asks the recipient to respond by clicking on a link to a completely different (but confusingly similar) domain.

My guess is the reason Equifax registered trustedidpremier.com was to help people concerned about the breach to see whether they were one of the 143 million people affected (for more on how that worked out for them, see Equifax Breach Response Turns Dumpster Fire). I'd further surmise that Equifax was expecting (and received) so much interest in the service as a result of the breach that all the traffic from the wannabe customers might swamp the trustedid.com site and ruin things for the people who were already signed up for the service before Equifax announced the breach on Sept. 7.

The problem with this dual-domain approach is that the domain trustedidpremier.com is only a few weeks old, so it had very little time to establish itself as a legitimate domain. As a result, in the first few hours after Equifax disclosed the breach the domain was actually flagged as a phishing site by multiple browsers because it was brand new and looked about as professionally designed as a phishing site.

What's more, there is nothing tying the domain registration records for trustedidpremier.com to Equifax: The domain is registered to a WHOIS privacy service, which masks information about who really owns the domain (again, not exactly something you might expect from an identity monitoring site). Anyone looking for assurances that the site perhaps was hosted on Internet address space controlled by and assigned to Equifax would also be disappointed: The site is hosted at Amazon.

While there's nothing wrong with that exactly, one might reasonably ask: Why didn't Equifax just send the email from Equifax.com and host the ID theft monitoring service there as well? Wouldn't that have considerably lessened any suspicion that this missive might be a phishing attempt?
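The story's central observation is that the notice claims to come from one domain (trustedid.com) while its call-to-action links point to a different, confusingly similar one (trustedidpremier.com), which is exactly the pattern a mail filter or a cautious recipient would flag. The following is an added example, not code from the original article or from Equifax, showing a small defender-side check: it parses a constructed sample message, takes the registrable domain of the From address, extracts every URL in the body, and reports links whose registrable domain differs from the sender's, additionally marking the ones whose leading label merely extends the sender's (a lookalike). The sample email text and the `registrable_domain` helper are assumptions; the helper takes the last two labels only, so it would mis-handle multi-label public suffixes such as co.uk.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real Equifax email). The two domains are
# the ones discussed in the story; everything else is made up for the demo.
SAMPLE_EMAIL = """From: TrustedID Premier <support@trustedid.com>
To: customer@example.org
Subject: Complete your TrustedID Premier enrollment
Content-Type: text/plain

Please click the link below to finish enrolling:
https://www.trustedidpremier.com/enroll?token=abc123
Questions? Visit https://www.trustedid.com/help
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels of a hostname.

    Assumption for this example: no multi-label public suffixes (co.uk etc.);
    a real deployment would use a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_domain_mismatches(raw_email):
    """Return one finding per body URL whose registrable domain differs from
    the sender's. Each finding records the URL, both domains, and whether the
    link domain looks like a lookalike of the sender domain (one leading
    label is a prefix of the other, e.g. trustedid vs trustedidpremier)."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    body = msg.get_payload()  # single-part text message in this example

    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        link_domain = registrable_domain(host)
        if link_domain == sender_domain:
            continue  # link stays on the sender's own domain: nothing to flag
        s_label = sender_domain.split(".")[0]
        l_label = link_domain.split(".")[0]
        lookalike = s_label != l_label and (
            l_label.startswith(s_label) or s_label.startswith(l_label)
        )
        findings.append({
            "url": url,
            "sender_domain": sender_domain,
            "link_domain": link_domain,
            "lookalike": lookalike,
        })
    return findings


if __name__ == "__main__":
    for f in link_domain_mismatches(SAMPLE_EMAIL):
        tag = "LOOKALIKE" if f["lookalike"] else "MISMATCH"
        print(f"{tag}: {f['url']} (sender {f['sender_domain']}, "
              f"link {f['link_domain']})")
```

Run against the sample, the check reports the enrollment link as a lookalike mismatch and stays silent on the help link, which lives on the sender's own domain. The same logic is what makes a brand-new, privately registered domain such as the one in the story look indistinguishable from a phishing lure to both filters and people: nothing in the message ties the link back to the sender.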

-- submitted from IRC

  • (Score: 4, Insightful) by donkeyhotay on Thursday September 28 2017, @03:06PM (7 children)

    by donkeyhotay (2540) on Thursday September 28 2017, @03:06PM (#574374)

    Yes. That's exactly what I got. I've held off on clicking on the link until I have some time available to call them and make sure it's legit.

    It is time for all the upper executives of Equifax, both the recent ones and the current ones, to be tarred and feathered. I am quite serious. Literal tar. Literal feathers. Like the old days. Starting with that shit of a CSO who recently "retired". Hauled out in the public square by a mob. Covered in hot tar. And liberally dusted with feathers.

  • (Score: 2) by takyon on Thursday September 28 2017, @03:22PM (1 child)

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Thursday September 28 2017, @03:22PM (#574382) Journal

    Cruel and unusual punishment applied to an entire group regardless of innocence. You might as well go all-in and advocate for torture and prison rape.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 3, Funny) by bradley13 on Thursday September 28 2017, @04:24PM

      by bradley13 (3053) on Thursday September 28 2017, @04:24PM (#574409) Homepage Journal

      Hey, it's only illegal if the punishment is cruel and unusual. If you tar-and-feather the whole group, it's not unusual anymore!

      --
      Everyone is somebody else's weirdo.
  • (Score: 2) by HiThere on Thursday September 28 2017, @05:29PM (3 children)

    by HiThere (866) Subscriber Badge on Thursday September 28 2017, @05:29PM (#574452) Journal

    I trust you realize that "tar and feathers" was usually a death sentence. Of course, with modern medical treatments they would probably get off with only needing extensive skin grafts to recover from burned skin that had to be cut off.

    If you think they should be killed, just kill them quickly. Torture only puts you down at their level.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 0) by Anonymous Coward on Thursday September 28 2017, @11:27PM (1 child)

      by Anonymous Coward on Thursday September 28 2017, @11:27PM (#574582)

      The tar used wasn't the oil-based stuff everyone thinks of today. It was pitch based and it melted at a low enough temperature that it didn't cause burns.

      • (Score: 2) by HiThere on Monday October 09 2017, @04:57PM

        by HiThere (866) Subscriber Badge on Monday October 09 2017, @04:57PM (#579310) Journal

        Thank you. That has been bothering me for quite awhile, and I didn't realize that the meaning of the word had changed.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 2) by donkeyhotay on Monday October 09 2017, @02:51PM

      by donkeyhotay (2540) on Monday October 09 2017, @02:51PM (#579281)

      No, it was not a "death sentence".

      And some day, when these people's negligence causes everything you have to be taken away from you, you will feel differently.

  • (Score: 2) by TheRaven on Friday September 29 2017, @08:14AM

    by TheRaven (270) on Friday September 29 2017, @08:14AM (#574715) Journal
    There also needs to be some institutional accountability. Equifax has repeatedly shown that they lack even a basic understanding of cybersecurity. They should have their license to operate as a credit ratings agency revoked immediately, which would likely cause the company to file for bankruptcy quickly. This would provide an incentive for people to avoid investing in companies with shoddy security and would also financially hurt all of the executives who were paid in valuable shares and share options.
    --
    sudo mod me up