A checklist item for the next time you need to create a landing page for a security announcement.
Make sure the certificate and the whois on the domain being used actually references the name of your company.
My wife sends me a link to this.
Equifax: Info accessed includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers https://t.co/M9CQzbN8Fl— NBC News (@NBCNews) September 7, 2017
I then find the page for the actual announcement from Equifax.
Go to the dedicated website www.equifaxsecurity2017.com and find it’s using a Cloudflare SSL certificate.
The certificate chain doesn’t mention Equifax other than the DNS names used in the cert (*.equifaxsecurity2017.com and equifaxsecurity2017.com).
What happens if I do a whois?
$ whois equifaxsecurity2017.com Domain Name: EQUIFAXSECURITY2017.COM Registry Domain ID: 2156034374_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.markmonitor.com Registrar URL: http://www.markmonitor.com Updated Date: 2017-08-25T15:08:31Z Creation Date: 2017-08-22T22:07:28Z Registry Expiry Date: 2019-08-22T22:07:28Z Registrar: MarkMonitor Inc. Registrar IANA ID: 292 Registrar Abuse Contact Email: email@example.com Registrar Abuse Contact Phone: +1.2083895740 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Name Server: BART.NS.CLOUDFLARE.COM Name Server: ETTA.NS.CLOUDFLARE.COM DNSSEC: unsigned
Now I want to see if I’m impacted. Click on the “Check Potential Impact” and I’m taken to a new site (trustedidpremier.com/eligibility/eligibility.html).
And we get another certificate and a
whois lacking any reference back to Equifax.
$ whois trustedidpremier.com Domain Name: TRUSTEDIDPREMIER.COM Registry Domain ID: 2157515886_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.registrar.amazon.com Registrar URL: http://registrar.amazon.com Updated Date: 2017-08-29T04:59:16Z Creation Date: 2017-08-28T17:25:35Z Registry Expiry Date: 2018-08-28T17:25:35Z Registrar: Amazon Registrar, Inc. Registrar IANA ID: 468 Registrar Abuse Contact Email: firstname.lastname@example.org Registrar Abuse Contact Phone: +1.2062661000 Domain Status: ok https://icann.org/epp#ok Name Server: NS-1426.AWSDNS-50.ORG Name Server: NS-1667.AWSDNS-16.CO.UK Name Server: NS-402.AWSDNS-50.COM Name Server: NS-934.AWSDNS-52.NET DNSSEC: unsigned
I’m not suggesting that the site equifaxsecurity2017 is malicious, but if you’re going to the trouble of setting up a page like this make sure your certificate and
whois actually references back to the company making the announcement. If you look at the creation dates for the domain and the
Not Valid Before dates on the certs they had plenty of time to get domains and certificates created that would reference themselves.