On September 7th, Equifax announced roughly 143 million Americans may have been impacted by a large scale data breach. According to the credit card reporting agency, cyber criminals stole customer names, Social Security numbers, birthdates, driver’s license numbers and much more.
As part of their response to the breach, Equifax launched equifaxsecurity2017.com, a website where concerned users could check to see if they were caught in the incident. Unfortunately, the launch of the website was impacted by technical issues.
“In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat,” wrote cyber security reporter and researcher, Brian Krebs. “In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they used the same information to check on their mobile phones.”
Any time an event like this occurs, cyber criminals take advantage of consumer confusion and trust by creating phishing websites, often on an ongoing basis. In late March, encryption experts affiliated with the SSL Store released a report on fraudulent certificates issued by Let’s Encrypt. According to researcher Vincent Lynch, Let’s Encrypt issued 15,270 certificates containing the word “PayPal” between January 1st, 2016 and March 6th, 2017. Lynch points out that: “based on a random sample, 96.7% of these certificates were intended for use on phishing sites.”
Sadly, the risks and prevalence of phishing websites always increase during the aftermath of a major data breach. It’s imperative that organizations take steps to make sure their websites are properly validated.
“We should expect more targeted phishing attacks as a result of this incident,” said Nick Hunter, Venafi senior digital trust manager. “In spite of the catastrophic loss of all this personal data, it’s also an excellent opportunity to educate the industry on how attackers take advantage of the chaos following a breach. We have an opportunity to monitor the situation in order to determine how ‘bad actors’ use compromised data to expand their attacks, especially those whose goal is to make a profit via ransom. Spear phishing websites can be used to gain even more privileged accounts, PII and access to other organizations.”
What lessons can organizations learn from the Equifax breach that will help them limit exposure to phishing attacks? In other words, how can organizations protect themselves and prove their websites are authentic?
First and foremost, organizations should use Extended Validation (EV) certificates for their pages rather than Domain Validated (DV) certificates. “Major organizations can use this as a differentiator by clearly demonstrating they have invested in the highest validated certificates. In addition, we must move away from the overuse of Wild Card certificates. Many organizations use, and rely on wildcard certificates for multiple domains. While this can be a valid strategy, attackers can also use these certificates to validate phishing domains.”
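The two defensive points above, watching newly issued certificates for your brand name (the kind of search behind the Let’s Encrypt “PayPal” figures) and keeping an eye on wildcard issuance, can be turned into a simple monitoring check. The script below is an added example, not code from the original post or from Venafi; it assumes a simplified record shape (`issuer` plus a list of `names`) standing in for what a Certificate Transparency log monitor would return after parsing each certificate, and the sample records, the brand “paypal” and the `LEGIT_DOMAINS` allow-list are constructed for illustration.

```python
"""Flag issued certificates that mention a protected brand or are wildcards.

Added example: it assumes a pre-parsed record shape {"issuer": str,
"names": [str, ...]} in place of real X.509 certificates from a CT log.
"""
from dataclasses import dataclass, field

# Constructed sample records (not real certificates).
SAMPLE_CERTS = [
    {"issuer": "Let's Encrypt", "names": ["paypal-secure-login.example"]},
    {"issuer": "Let's Encrypt", "names": ["www.example.org", "blog.example.org"]},
    {"issuer": "Let's Encrypt", "names": ["*.example-support.example"]},
    {"issuer": "DigiCert", "names": ["www.paypal.com", "paypal.com"]},
    {"issuer": "Let's Encrypt", "names": ["paypa1.example"]},
]

# Domains the brand owner legitimately controls (assumed allow-list).
LEGIT_DOMAINS = {"paypal.com"}

# Common digit-for-letter substitutions seen in lookalike hostnames.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "4": "a", "7": "t"})


@dataclass
class Finding:
    name: str
    issuer: str
    reasons: list = field(default_factory=list)


def registrable(name: str) -> str:
    """Crude registrable-domain guess: the last two DNS labels."""
    labels = name.lstrip("*.").split(".")
    return ".".join(labels[-2:])


def lookalike(name: str, brand: str) -> bool:
    """True when undoing digit substitutions reveals the brand string."""
    return brand in name.translate(HOMOGLYPHS)


def analyse(records, brand: str, legit_domains) -> list:
    """Return one Finding per suspicious name, with the reasons it tripped.

    Names under an allow-listed domain are skipped so the brand's own
    certificates do not generate noise.
    """
    findings = []
    brand = brand.lower()
    for rec in records:
        for name in rec["names"]:
            lower = name.lower()
            if registrable(lower) in legit_domains:
                continue
            reasons = []
            if brand in lower:
                reasons.append("brand keyword")
            elif lookalike(lower, brand):
                reasons.append("lookalike")
            if lower.startswith("*."):
                reasons.append("wildcard")
            if reasons:
                findings.append(Finding(name, rec["issuer"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_CERTS, "paypal", LEGIT_DOMAINS):
        print(f"{f.name:35} {f.issuer:15} {', '.join(f.reasons)}")
```

A real deployment would feed this from a CT log monitor rather than a static list and would extend the lookalike logic (edit distance, Unicode confusables, brand names embedded in subdomains), but the structure is the same: an allow-list for the domains you actually own, a brand-keyword match, and a separate flag for wildcard names so their issuance can be reviewed.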
Ultimately, organizations must take steps now to validate their websites before cyber criminals take advantage of their customers’ trust. “Sadly, 99% of the public will trust the green padlock icon in their browser that supposedly tells them if a website is safe or not,” Nick laments. “It’s up to us to educate our organizations and consumers about certificate safety.”