Hackers have been hiding in Equifax’s computer network for months




Hackers have been hiding inside Equifax’s computer network since March — far longer than previously thought, a report says.

A confidential note sent to Equifax customers this week described how cyber thieves infiltrated the company’s servers more than four months before its security team stumbled upon the now-infamous data breach.

The document was obtained and reviewed by the Wall Street Journal before being reported out Wednesday.

It was sent out by the security firm FireEye Inc.’s Mandiant group, which has been hired to investigate the Equifax hack, along with the FBI.

The credit bureau previously claimed that it first learned about the breach on July 29 — saying the personal information of 143 million Americans was likely accessed in May.

But according to the Mandiant report, it appears that hackers have been roaming undetected inside Equifax’s computer network since at least March 10. This is when investigators found the very first evidence of “interaction,” the note says.

Equifax didn’t disclose the cyber attack to the public until Sept. 7.

The hackers were ultimately able to access the company’s network by entering the computer command “Whoami” into one of its servers — which gave them a username.

A source told the Journal that this move likely kickstarted a “monthslong reconnaissance mission” that eventually ended with them swiping the data of millions.

“Typically, you first build out a beachhead so that it’s difficult to get kicked out,” explained Johannes Ullrich, dean of research with the SANS Technology Institute.

He said the hackers probably stumbled upon Equifax’s computer network while “spamming the internet for vulnerable systems.”

It typically takes companies around 100 days to discover that they have been hacked, according to the Journal.

In this case, it took Equifax 141 days.

The company has since set up a website to help citizens deal with the fallout from the data breach, but it has had trouble directing people to it.

According to The Verge, the Equifax Twitter account has been tweeting out misspelled links — leading people to wrongly click on a phishing site.

Instead of posting the address “equifaxsecurity2017.com,” the account has been sending out “securityequifax2017.”

Luckily, the site that the URL leads to is not malicious and was set up by web developer Nick Sweeting in order to expose vulnerabilities that he found in Equifax’s response page.

“I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting told The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.”

Sweeting promises to keep any personal info that’s entered on his page private, saying he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer.”

© 2017 NYP Holdings, Inc. All Rights Reserved
http://nypost.com/2017/09/20/hackers-have-been-hiding-in-equifaxs-computer-network-for-months/


