date 2017-09-01
from the I-have-trust-issues dept.
Arthur T Knackerbracket has found the following story:
More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.
Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public's trust.
[...] the email purports to have been sent from trustedid.com, a domain that Equifax has owned for almost four years. However, Equifax apparently decided it was time for a new — and perhaps snazzier — name: trustedidpremier.com.
The [above-pictured] message says it was sent from one domain, and then asks the recipient to respond by clicking on a link to a completely different (but confusingly similar) domain.
My guess is the reason Equifax registered trustedidpremier.com was to help people concerned about the breach to see whether they were one of the 143 million people affected (for more on how that worked out for them, see Equifax Breach Response Turns Dumpster Fire). I'd further surmise that Equifax was expecting (and received) so much interest in the service as a result of the breach that all the traffic from the wannabe customers might swamp the trustedid.com site and ruin things for the people who were already signed up for the service before Equifax announced the breach on Sept. 7.
The problem with this dual-domain approach is that the domain trustedidpremier.com is only a few weeks old, so it had very little time to establish itself as a legitimate domain. As a result, in the first few hours after Equifax disclosed the breach the domain was actually flagged as a phishing site by multiple browsers because it was brand new and looked about as professionally designed as a phishing site.
What's more, there is nothing tying the domain registration records for trustedidpremier.com to Equifax: The domain is registered to a WHOIS privacy service, which masks information about who really owns the domain (again, not exactly something you might expect from an identity monitoring site). Anyone looking for assurances that the site perhaps was hosted on Internet address space controlled by and assigned to Equifax would also be disappointed: The site is hosted at Amazon.
While there's nothing wrong with that exactly, one might reasonably ask: Why didn't Equifax just send the email from Equifax.com and host the ID theft monitoring service there as well? Wouldn't that have considerably lessened any suspicion that this missive might be a phishing attempt?
-- submitted from IRC
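The story's core complaint is that the message claims one sender domain while every call to action links to a different, look-alike domain, which is exactly the pattern phishing filters key on. As an added illustration that is not part of the story or any Equifax code, here is a small mail-scanning check that extracts the sender's domain and every link target from an HTML message and reports links whose registrable domain does not match the sender. The sample message is constructed for the example; the `registrable_domain` helper assumes plain two-label domains (no public suffixes such as co.uk), which is an assumption a real deployment would replace with a public-suffix list.

```python
"""Flag links in an e-mail that point somewhere other than the sender's domain.

Added example (not from the original story). The sample message is
constructed and the domain logic is deliberately simple.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the From header is at trustedid.com, but the primary
# call-to-action link goes to a different, similar-looking domain.
SAMPLE_EMAIL = """\
From: TrustedID Premier <noreply@trustedid.com>
To: recipient@example.invalid
Subject: Your enrollment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://www.trustedidpremier.com/enroll">verify your enrollment</a>.</p>
<p>Questions? Visit <a href="https://trustedid.com/help">our help page</a>
or write to <a href="mailto:support@trustedid.com">support</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the host name.
    Assumption: no multi-label public suffixes (e.g. co.uk) in the input."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg) -> str:
    """Registrable domain of the From address."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return registrable_domain(addr.rpartition("@")[2])


def extract_links(msg):
    """All hrefs from every text/html part of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.hrefs)
    return links


def find_domain_mismatches(raw: str):
    """Return (sender_domain, [(href, link_domain), ...]) for links whose
    domain differs from the sender's. Non-HTTP links (mailto:) have no
    host and are skipped."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = sender_domain(msg)
    mismatches = []
    for href in extract_links(msg):
        host = urlsplit(href).hostname
        if host is None:
            continue
        link_domain = registrable_domain(host)
        if link_domain != sender:
            mismatches.append((href, link_domain))
    return sender, mismatches


if __name__ == "__main__":
    sender, bad = find_domain_mismatches(SAMPLE_EMAIL)
    print(f"sender domain: {sender}")
    for href, domain in bad:
        print(f"MISMATCH: {href} -> {domain}")
```

Run against the sample, the check reports the trustedidpremier.com enrollment link and nothing else; the help link and the mailto: link both resolve to the sender's own domain. A mail gateway would treat a hit like this as one signal among several (domain age and WHOIS ownership, as the story notes, are others), not as proof of phishing on its own.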
(Score: 2) by Bot on Thursday September 28, @02:16PM
hmmm a word play/ spelling pun with "Equifax".... uhmmm.... No, nothing turns up (safe search is on).
(Score: 2) by nobu_the_bard on Thursday September 28, @02:53PM
They've definitely got someone in a decision making role (or perhaps an entire team) that thinks a new domain name for every project is a good idea.
Please nobody tell them it's possible to get a Brand TLD like Google's .nexus or American Express's .amex, I don't want to have to add even more TLD support to apps.
(Score: 2) by donkeyhotay on Thursday September 28, @03:06PM (1 child)
Yes. That's exactly what I got. I've held off on clicking on the link until I have some time available to call them and make sure it's legit.
It is time for all the upper executives of Equifax, both the recent ones and the current ones, to be tarred and feathered. I am quite serious. Literal tar. Literal feathers. Like the old days. Starting with that shit of a CSO who recently "retired". Hauled out in the public square by a mob. Covered in hot tar. And liberally dusted with feathers.
(Score: 2) by takyon on Thursday September 28, @03:22PM
Cruel and unusual punishment applied to an entire group regardless of innocence. You might as well go all-in and advocate for torture and prison rape.
[SIG] 04/14/2017: Soylent Upgrade v13 [soylentnews.org]
(Score: 2) by richtopia on Thursday September 28, @03:14PM
From what I've seen this is the only real step you can take at the moment to protect your credit in the USA. I did it two weeks ago, and the websites were responsive again. $20 and 40 minutes total.
(Score: 2) by BenJeremy on Thursday September 28, @03:23PM (1 child)
The clueless handling of this, even given MONTHS to prepare, demonstrates how out of touch with technology their c-suite is.
That they cannot recognize how they are emulating phishing tactics only emphasizes how ripe they are/were for targeted attacks. How many times was IT called to scrub their company PCs after these fools gave out their Bank America accounts, or tried to buy viagra online? My mom is better at recognizing this sort of thing than those idiots.
The whole company was criminally negligent.
(Score: 2) by takyon on Thursday September 28, @03:25PM
Even the janitors and secretaries?