Equifax data breach: look out for these suspicious domains

Equifax data breach: look out for these suspicious domains

Equifax, one of the three major credit bureaus in U.S. made a disclosure on Sept 7th that they suffered a massive data breach on July 29th, 2017. They reported an estimated 143 million consumers may be impacted, making it one the largest breaches in U.S. history.

As security researchers, we’ve been closely monitoring the news since it broke out. In this blog post, we share some early domains that look suspicious and are worth monitoring closely. As we typically see in such breaches, there is an element of bad actors exploiting the situation for their personal gains in the aftermath. Phishing is one such threat that we always expect in the days following the disclosure. Since thescale of the breach is so big and the data at stake is extremely sensitive (SSNs, DOB, Names etc.), it becomes extremely important for everyone to stay vigilant of deceptive phishing links that might be trying steal user’s information.

Equifax’s free credit monitoring: a phishing link that wasn’t

Within couple of hours of the official announcement on Sept 7th, we started receiving queries on RedMarlin’s free phishing lookup tool CheckPhish for a suspicious looking link: https://trustedidpremier.com/eligibility/eligibility.html. Our AI engine marked it clean but we had to dig further as the link had various suspicious characteristics. It was registered few days ago, the domain is hosted on Amazon, has WHOIS information privacy protected and the site is asking for 6-digits of SSN and last name as seen in the image below.

Trusted ID Premier: Equifax's free credit monitoring lookup

Image 1: Equifax’s credit lookup tool to check if you were affected in the breach.

Upon tracing it back, we found the proper chain which links it back to https://www.equifax.com/personal as you can see below. We were relieved to inform users it wasn’t a phishing attempt on them.

Path from Equifax homepage to the trustedidpremier.com link

Various researchers reported that the site https://www.equifaxsecurity2017.com was being marked as phishing by security providers, which is understandable given the suspicious indicators on that site as well. It was registered recently and saw a massive spike in DNS volume and likely caused some of them to mark it as phish. We agree that it is better to be on the safer side and mark something so suspicious as phish proactively until there is enough evidence to prove otherwise.

In addition to the above, we saw reports on Twitter for the trustedidpremier.com site being blocked by Google Chrome, although it seems to be fixed now.

If you wish to check more details on the above links, CheckPhish has more insights into them:

For trustedidpremier.com: https://checkphish.ai/insights/1504820558046/d472758e4de186bf04c66982fdf97e73bf981e25e0297da81f4f60232207c956

For equifaxsecurity2017.com: https://checkphish.ai/insights/1504845916728/310e17fee782fbf677a575cfa991796eb2e1a189f892a842524e09944be64c33

Sample CheckPhish insights page

Image 2: Sample CheckPhish insights page for trustedidpremier.com

At the time of writing this post, at least one engine marked the above two domains as phishing on Virustotal:

For http://trustedidpremier.com: https://www.virustotal.com/#/url/f301a01db2e921d773b13340eb4883d3fb32733cf822f897a032b6ad15fc400d/detection

http://equifaxsecurity2017.com/ https://www.virustotal.com/#/url/99e3eadc2b4b59115b57016b621a014007434ae03662580f910939d87c764597/detection


What’s in store next?

As mentioned earlier, we expect phishing attempts to go up in the coming days and weeks. In our daily monitoring of newly registered domains, we saw 77 new ones that look very similar to the ones used by Equifax. They were all registered in last few days. Few examples below:

equifaxtrustidpremier.org                                                                                                                                                         efxtrustidpremier.net

None of these domains resolve to an IP so far and their WHOIS is privacy protected. The most plausible theory is that they were registered proactively by incident response teams at Equifax before the bad guys get hold of them. Full list of the domains here.

We’re also seeing reports of domain registrations that are deceptively similar to the above but most of them are redirecting to the equifaxsecurity2017.com site. Here is a list of 247 such newly registered domains. Most of these domains are registered on Name.com and look different from the previous list that are hosted on Amazon.

So far, we don’t have any evidence of any of the newly registered sites that we found to be hosting phishing but that’s not unusual as it has only been a few days since the breach announcement.

We’ll keep making updates to this blog post as we gather more information on phishing attacks that we find in the following days. Stay vigilant!


Update 1 (2017-09-11): Thanks to the awesome dnstwist tool, we have an un-curated list of several more variants of Equifax domains. Note that this an exhaustive list that contains both legitimate (Equifax owned) domains and several other suspicious ones. Please filter at your end. Complete list here.

No Comments

Post a Comment

%d bloggers like this: