Yesterday, we learned that there was a major security breach at Equifax that may impact well over 100 million Americans and others. This is a concerning situation for those who are impacted, but there may be another threat looming for victims and others, who may become victims while trying to see if they were impacted by this breach.
A look at Verisign’s DomainScope tool that tracks new domain name registrations shows 135 .com and .net domain names were registered just yesterday with “Equifax” in them. There have been more registrations today, and I presume this number will continue to climb. I only searched for the correct spelling of Equifax, so this result does not include any typographical errors that spelled the company name wrong, nor does it include domain names that are related but do not include “Equifax” in them. In addition, because the tool is Verisign’s, it does not include registrations made in other extensions such as .org, .us, or any of the new gTLD extensions.
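The search described above matched only the exact spelling of the brand, so misspelled registrations were not counted. The following sketch is an added example, not the author's method or part of Verisign's tool: it screens a feed of newly registered names, in any extension, for the exact brand string and for one-character typos. The function names and the sample domains (on reserved TLDs) are constructed for illustration.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brand: str = "equifax", max_dist: int = 1):
    """Return 'exact', 'typo' or None for one registered domain name."""
    # Drop the TLD so the check is the same for .com, .org, new gTLDs, etc.
    labels = [l.replace("-", "") for l in domain.lower().rstrip(".").split(".")[:-1]]
    if any(brand in label for label in labels):
        return "exact"
    for label in labels:
        # Slide windows of roughly brand length over the label and compare each one.
        for n in range(len(brand) - max_dist, len(brand) + max_dist + 1):
            for i in range(len(label) - n + 1):
                if edit_distance(label[i:i + n], brand) <= max_dist:
                    return "typo"
    return None

def screen(domains, brand: str = "equifax"):
    """Map each flagged domain to the reason it was flagged."""
    hits = {d: classify(d, brand) for d in domains}
    return {d: reason for d, reason in hits.items() if reason}

# Constructed sample feed; .example and .test are reserved TLDs.
SAMPLE = [
    "equifax-breach-check.example",  # exact brand string
    "equfax-alerts.example",         # one letter dropped
    "equlfaxsecurity.test",          # one letter substituted
    "creditfreeze-info.example",     # related topic, no brand string: not caught
    "weather-report.example",        # unrelated
]

if __name__ == "__main__":
    for name, reason in screen(SAMPLE).items():
        print(f"{reason:5}  {name}")
```

Plain Levenshtein distance counts a swapped pair of letters as two edits, so catching transpositions means raising `max_dist` and accepting more false positives. Names that are related to the breach but contain no form of the brand still need a separate keyword list.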
Domain name registrations are a concern because bad actors could set up websites that confuse consumers into giving up their personal information while they are trying to see if they are impacted by the breach or looking to obtain identity theft protection. Maliciously registered domain names could also be used to send phishing emails with the same goal of stealing information.
Some (or many) of these domain names may have been registered by Equifax or companies acting on behalf of Equifax to keep them out of the hands of bad actors. I did not do an exhaustive search of domain registrations, but the company may have registered a swath of domain names that could be confusing to consumers. Many of the domain registrations I checked are privately registered, so without visiting each domain name individually to see what resolves and where, it is tough to know who owns what domain name.
There are possibly ways that domain names that have “Equifax” in them could be used by unrelated entities. I presume law firms could register domain names to seek out clients who wish to participate in class action lawsuits. This is probably more of a grey area in intellectual property law, so I am not entirely sure about whether these domain names could be used legitimately.
Unfortunately, there really isn’t much that can be done at the registrar or registry level, although the Equifax legal department could (and should) take legal action to recover these domain names. UDRP filings and litigation are two options the company has at its disposal.
As with everything these days, people really need to be aware that a domain name with a brand name in it may not be legitimate.
Thanks for this heads up, Elliot. Have you made contact with Equifax? If not, I’ll send them a note.
No – and I don’t have the time/desire to try and find the right person/people at the company.
To find out if you are affected by Equifax, visit Experian.
Sept 1, 2017 Experian Commercial