Why innocent victims could fall victim again
In September 2017, Equifax announced a data breach that exposed the personal information of 147 million people. The company has now agreed to a global settlement
with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories that includes up to $425 million to help people affected by the data breach.
You would assume that, after this breach, Equifax and the governing bodies managing the settlement process would have robust measures in place to stop the settlement process itself being exploited by scammers.
Firstly, the proposed settlement is pending approval by a court; once that happens, individuals will be directed to www.equifaxbreachsettlement.com to check their eligibility and register a claim.
You would expect the internet domain being used to promote the settlement claims (www.equifaxbreachsettlement.com) to be protected; in reality it is wide open to being spoofed by anyone.
High-profile campaigns such as this are the perfect raw material for a phishing or social engineering attack, and there are some basic protections that should be put in place to prevent the internet domain from being abused. The very basics are called SPF, DKIM and DMARC, which, if implemented correctly, tell receiving mail servers to reject messages that falsely claim to come from an @equifaxbreachsettlement.com address, so the domain cannot be used to phish breach victims for even more of their personal and financial details.
Unfortunately, only SPF has been implemented for equifaxbreachsettlement.com. SPF on its own only checks the envelope sender, and without DMARC nothing ties that check to the From address the recipient actually sees, which means this domain is wide open to being spoofed by anyone. Given there were 147 million individuals affected by the breach, a scammer doesn’t even have to be that selective with their target email address list!
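To make that check concrete, here is an added example (not from the original post) that classifies a domain's spoofing exposure from its raw SPF and DMARC TXT records; the sample records and the `*.example` domain names are constructed placeholders, not the real records of equifaxbreachsettlement.com.

```python
import re

# Constructed sample records for illustration; these are NOT the real DNS
# records of equifaxbreachsettlement.com or any other domain.
# value: (TXT records at the domain, TXT records at _dmarc.<domain>)
SAMPLE_DOMAINS = {
    "spf-only.example": (["v=spf1 include:_spf.example.net -all"], []),
    "monitor.example": (["v=spf1 include:_spf.example.net ~all"],
                        ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"]),
    "enforced.example": (["v=spf1 include:_spf.example.net -all"],
                         ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"]),
}

def spf_record(txt_records):
    """Return (SPF record, qualifier of its terminal 'all') or (None, None)."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", rec, re.IGNORECASE)
            return rec, ((m.group(1) or "+") if m else None)
    return None, None

def dmarc_policy(dmarc_txt_records):
    """Return the p= policy (none/quarantine/reject) from a _dmarc record, or None."""
    for rec in dmarc_txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip().lower()
            return tags.get("p")
    return None

def spoofing_posture(txt_records, dmarc_txt_records):
    """Classify how far receivers will block a forged From: address at this domain.
    SPF only validates the envelope sender (MAIL FROM); without DMARC nothing ties
    that result to the From: header the victim sees, so SPF alone leaves the
    address spoofable. DMARC p=none only reports; quarantine/reject blocks."""
    spf, _qualifier = spf_record(txt_records)
    policy = dmarc_policy(dmarc_txt_records)
    if policy in ("quarantine", "reject"):
        return "protected"
    if policy == "none":
        return "monitor-only"
    if spf:
        return "spoofable-spf-only"
    return "spoofable-no-records"
```

For a real domain, the two inputs are what `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>` return.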
Secondly, registering domains that look like www.equifaxbreachsettlement.com is an obvious defensive step to stop scammers from creating look-alike domains to host phishing or impersonation sites. A quick check on a popular domain registrar, www.GoDaddy.com, reveals the following domains were available:
In fact, we have actually registered some of these ourselves to prevent abuse. There are lots more similar domains available at the time of writing this, but the KYND credit card can only fork out so much when it should actually have been done by those being paid to set up and run this settlement.
To conclude, it’s disheartening to see that, whilst a claim settlement has been agreed to help those who were innocent victims of Equifax’s data breach in 2017, the process itself is flawed and open to exploitation, meaning customers could fall victim again.