- The site contains Equifax's heading, uses their branding, and is highly similar to the actual website
- The site is hosted on a domain that is very similar to the actual website and uses Equifax's name
- The site instructs users to enter PII on it under the guise of being Equifax.
It could be argued that the creator of the site created this to determine whether people were being phished by it before activating the actual collection of data.
Additionally, in Chrome, when I fill out the form and get the alert box, when I dismiss the alert box, two requests are made to the domain:
If an onSubmit handler is attached to the form submit that sets a cookie with this information before showing the alert, then the phished details are transmitted to securityequifax2017.com.
Lawyers will C&D this extremely hard, a very reasonable case can be made that this is impersonation, and a phishing site with malicious intent.
NB: I DO NOT BELIEVE THAT THIS IS THE CREATOR'S INTENT. So do not jump at me thinking that I do believe that. I'm just saying that it could be very reasonably and successfully argued, and that nuance and intent could do very little to spurn allegations of impersonation or actual phishing.
Your cookies are submitted with requests for anything from a site, favicon images included. Setting a cookie in JS that contains events performed on a webpage is a trivial exercise and you shouldn't assume that that doesn't happen in a case such as this.
What if it only sends HTML that sends data back under certain conditions? E.g. 1 in 1000 requests, at random. A security researcher is unlikely to hit the "bad" version but he can still phish 0.1% of victims.
