Aaron Herman


A short discourse on Whois registration practices.

On a thread with @briankrebs yesterday, I showed a series of Equifax-themed domains that appeared to have nothing to do with Equifax. Given the recent breach settlement, it seems all but certain that there will be scams, as Brian pointed out. And a lot of these will probably use lookalike domains.

As @aaronh pointed out, though, at least one of those domains, equifaxbreachsettlement,com, does seem to be legit, according to the FTC's site at ftc.gov/enforcement/refunds/equifax-data-breach-settlement .

If we look at the Whois and DNS records for that domain, however, they show absolutely no connection to Equifax. This is a problem not only for security-conscious consumers but for Equifax itself. Consider:

- A wary user has no way to verify that this is a legit site.

- Said user also has no good way to distinguish this domain from other Equifax-themed domains, many of which are likely scams.

- It would be in Equifax's interest to make it clear that they own this domain.

It seems to me they made an odd and unhelpful choice here. They could have made the site's legitimacy clear by following the patterns they use for their primary domains:

- Registrant contact info consistent with the others (hostmaster@equifax,com email, Equifax's mailing address, etc.)

- Hosting on the same IP or at least one in the same range as their other domains

- Nameservers the same as or consistent with their other domains
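The three signals above (registrant contact, hosting range, nameservers) are exactly what a wary user or a brand-monitoring team would compare between a candidate domain and an organisation's known-good domains. The script below is an added example, not part of the original post: it takes the relevant Whois/DNS fields as plain records and reports which signals a candidate shares with the reference set. All record values are constructed (RFC 5737 test addresses, made-up nameserver and registrar names); the "as registered" record mirrors the situation the post describes (privacy-cloaked, unrelated hosting), and the "as recommended" record shows what the post's checklist would look like when followed. Nothing here is real Whois or DNS output.

```python
"""Consistency check for a candidate domain against an organisation's
known-good domains, using the post's three signals: registrant contact,
hosting IP range, and nameservers.  Sample data is constructed, not real."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DomainRecord:
    """The subset of Whois/DNS fields the check compares."""
    domain: str
    registrant_email: Optional[str]   # None when Whois privacy redacts it
    registrant_org: Optional[str]     # None when redacted
    a_records: List[str]              # IPv4 addresses the name resolves to
    nameservers: List[str]            # NS hostnames


def email_domain(email: Optional[str]) -> Optional[str]:
    """'hostmaster@example.com' -> 'example.com'; None stays None."""
    return email.rsplit("@", 1)[-1].lower() if email else None


def same_network(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """True when both addresses fall in the same /prefix (default /24)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def ns_operator(ns: str) -> str:
    """'ns1.example-dns.net.' -> 'example-dns.net': compare NS by operator zone,
    so ns1/ns2 of the same provider count as consistent."""
    labels = ns.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def consistency_report(candidate: DomainRecord,
                       reference: List[DomainRecord]) -> Dict[str, bool]:
    """Compare a candidate against known-good records of the same organisation."""
    ref_email_domains = {email_domain(r.registrant_email) for r in reference} - {None}
    ref_orgs = {r.registrant_org.lower() for r in reference if r.registrant_org}
    ref_ns_operators = {ns_operator(ns) for r in reference for ns in r.nameservers}
    return {
        "whois_privacy": candidate.registrant_email is None
        and candidate.registrant_org is None,
        "registrant_email_matches":
            email_domain(candidate.registrant_email) in ref_email_domains,
        "registrant_org_matches":
            (candidate.registrant_org or "").lower() in ref_orgs,
        "hosted_in_known_range": any(
            same_network(ref_ip, cand_ip)
            for r in reference for ref_ip in r.a_records
            for cand_ip in candidate.a_records
        ),
        "shares_nameserver_operator": any(
            ns_operator(ns) in ref_ns_operators for ns in candidate.nameservers
        ),
    }


IDENTITY_SIGNALS = ("registrant_email_matches", "registrant_org_matches",
                    "hosted_in_known_range", "shares_nameserver_operator")


def identity_signal_count(report: Dict[str, bool]) -> int:
    """How many of the four identity signals the candidate shares (0..4)."""
    return sum(report[k] for k in IDENTITY_SIGNALS)


# Constructed reference data: 192.0.2.0/24 is an RFC 5737 test range and
# example-dns.net is a made-up provider.  Not real Whois/DNS output.
REFERENCE = [
    DomainRecord("equifax.com", "hostmaster@equifax.com", "Equifax Inc.",
                 ["192.0.2.10"], ["ns1.example-dns.net", "ns2.example-dns.net"]),
]

# The situation the post describes: Whois privacy on, unrelated host and NS.
AS_REGISTERED = DomainRecord("equifaxbreachsettlement.com", None, None,
                             ["198.51.100.7"], ["ns1.other-host.example"])

# What following the post's checklist would look like (constructed values).
AS_RECOMMENDED = DomainRecord("equifaxbreachsettlement.com",
                              "hostmaster@equifax.com", "Equifax Inc.",
                              ["192.0.2.42"], ["ns2.example-dns.net"])


if __name__ == "__main__":
    for label, rec in (("as registered", AS_REGISTERED),
                       ("as recommended", AS_RECOMMENDED)):
        rep = consistency_report(rec, REFERENCE)
        print(f"{rec.domain} ({label}): {identity_signal_count(rep)}/4 "
              f"signals shared, whois_privacy={rep['whois_privacy']}")
```

Run stand-alone it prints 0/4 shared signals for the privacy-cloaked record and 4/4 for the consistent one. Comparing nameservers by operator zone rather than exact hostname is a deliberate choice: an organisation's domains often sit on different NS hosts of the same provider, and that is still the "consistent with their other domains" case the post asks for.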

It's possible that the legit breach settlement domain is administered by a third party, but even if that's the case, they could have a) used Equifax's registrant info, or b) used some other uncloaked registrant info that identifies them as an aboveboard org.

The default to Whois privacy has advantages for many kinds of users, but there's a good reason for many orgs to use open registration, and this is a good example of that.