Vince Crisler

@vince_17729

A Small Oversight by Equifax In the Middle of a Massive Data Breach

September 7th 2017

Obviously the announcement by Equifax of a data breach that could potentially impact 143 million U.S. consumers is a HUGE deal. If you want some more background on this breach, I recently wrote a quick update on this breach for our customers at Dark Cubed which you can find here: https://darkcubed.com/blog/2017/9/7/a-notice-to-dark-cubed-customers-on-the-equifax-data-breach.

While writing that update, I stumbled across a small oversight made by Equifax in the rollout of the announcement of one of the largest data breaches of our time. While it wasn’t helpful to include the details of information in the update I wrote for our customers, I do want to share it to make sure others don’t make the same mistake, hence this separate posting.

So, what was this oversight? Well, it is highly likely that the folks managing the rollout of the website https://www.equifaxsecurity2017.com/ forgot to consider that scammers would very quickly look to register very similar domain names to spoof their victims. Luckily, they caught this error quickly and appear to have taken corrective action. Here are the facts behind this assertion.

The domain name of their primary site was registered on August 22nd, 2017 at around 22:07 UTC. This domain was registered through MarkMonitor, Inc. and points to Cloudflare name servers. All standard stuff.

However, when I was doing my research I ran a quick lookup using the tool URLCrazy (https://www.morningstarsecurity.com/research/urlcrazy). This tool processed 251 different versions of the original domain name and I started to see some interesting results. First off, it was clear that many variations of the domain name were actually registered, but didn’t necessarily point directly to Cloudflare, rather they pointed towards “SoftLayer Technologies.” In addition, there were two outliers in this data set. One domain (“equifaxsecurity2018[.]com”) was registered through GoDaddy, and another domain (“equifoxsecurity2017[.]com”) was registered through Namecheap.

Looking at the timing of these registrations against the original domain name registration and the announcement of the breach reveals a very interesting finding. Equifax announced this breach shortly after the close of markets on September 7th, 2017, meaning at or around 16:30 EST or 20:30 UTC. 30 minutes after that announcement, at 20:59:23 UTC, the domain equifaxsecurity2018[.]com was registered through GoDaddy. This registration was likely performed by someone unrelated to Equifax given the fact that Equifax registered the original domain through MarkMonitor.

WHOIS Data for equifaxsecurity2018[.]com

The plot thickens when the domain equifoxsecurity2017[.]com was registered approximately 25 minutes later at 21:24:12 UTC through a completely different service, Namecheap.

WHOIS Data for equifoxsecurity2017[.]com

The domain equifaxsecurity2018[.]com simply redirects to the appropriate Equifax website, however the second domain, equifoxsecurity2017[.]com, displays the following text on the website.

The Website at equifoxsecurity2017[.]com

It is amazing to me that two separate (likely) individuals were able to register such similar domain names nearly an hour after the public announcement of this massively important website for Equifax. This happened after the public announcement for what is likely to be one of the largest, most expensive data breaches. This happened after the public announcement for a data breach that Equifax has already spent an unbelievable amount of time and money on before ever announcing. This was clearly a shocking oversight by someone at Equifax to leave these domains unregistered.

Now, remember I said many of the variations of the domain name WERE registered? Well, someone at Equifax clearly caught on quickly, potentially after being notified by the individual who registered one of those first two domain names (pure speculation). Starting at 21:51:17 UTC, we see a blitz of domain name registrations through Name.com and directed to SoftLayer Technologies IP addresses. These domains all appear to automatically redirect the user to the main website.

If you are interested in looking at the data I collected for this analysis, it is here: https://pastebin.com/D3fs70ub

Bottom Line: If you, or anyone you know, is creating a website in 2017 that will be collecting sensitive information from the public, please make sure you look into registering variations of the domain name you will be using. Not doing so will make your site an easy mark for scammers who can simply replicate your site and trick users into giving their information to the wrong person. In the case of Equifax, it looks like they were able to recover from this mistake quickly enough…or at least for the 251 variations I analyzed.
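As an added example (not part of the original post, and not URLCrazy's algorithm), the following Python builds a pre-launch checklist: it generates common look-alike edits of a primary domain and lists the ones your team does not yet hold. The edit kinds, the `ALT_TLDS` list and the `held` set are assumptions chosen for illustration; the two outlier domains from this post fall under the vowel-swap and digit-shift rules.

```python
VOWELS = "aeiou"
ALT_TLDS = ("net", "org", "info")  # assumption: extra TLDs worth covering


def variations(domain):
    """Map each look-alike candidate to the kind of edit that produced it.

    Assumes `domain` is a single label plus TLD, e.g. "example.com".
    """
    label, _, tld = domain.partition(".")
    found = {}

    def add(name, kind, suffix=tld):
        # Skip empty labels and the primary domain itself.
        if name and (name != label or suffix != tld):
            found.setdefault(f"{name}.{suffix}", kind)

    for i, ch in enumerate(label):
        rest = label[i + 1:]
        add(label[:i] + rest, "omission")              # dropped character
        add(label[:i] + ch + ch + rest, "repetition")  # doubled character
        if rest and rest[0] != ch:                     # adjacent swap
            add(label[:i] + rest[0] + ch + rest[1:], "transposition")
        if ch in VOWELS:                               # equifax -> equifox
            for v in VOWELS:
                add(label[:i] + v + rest, "vowel_swap")
        if ch.isdigit():                               # 2017 -> 2018
            for d in (int(ch) - 1, int(ch) + 1):
                if 0 <= d <= 9:
                    add(label[:i] + str(d) + rest, "digit_shift")
    for alt in ALT_TLDS:
        add(label, "tld_swap", alt)
    return found


def not_yet_held(domain, held):
    """Candidates that nobody on our side has registered, sorted for review."""
    return sorted(c for c in variations(domain) if c not in held)


if __name__ == "__main__":
    primary = "equifaxsecurity2017.com"
    # Constructed sample: names a (hypothetical) launch team already holds.
    held = {"equifaxsecurity2017.net", "equifaxsecurity2016.com"}
    gaps = not_yet_held(primary, held)
    print(f"{len(gaps)} candidates still unregistered, e.g. {gaps[:3]}")
```

Run it before the site is announced and feed the remaining gaps into your registrar or brand-monitoring workflow.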
