Fraudsters cashing in on “Equihax”

22nd September 2017, BreachAlert

News of the Equifax hack has spread quickly, with reports that the private information of potentially 44 million Britons, such as home addresses and credit histories, has been stolen and put up for sale on the Dark Web — unless Equifax pays up.

But how can we know for sure whether such a Dark Web site is genuine? It’s all too easy to claim that you’ve obtained a high-profile company’s private information and are holding it for ransom until they pay up, but the Dark Web can be a very difficult place to navigate and to verify such claims.

Our team of cyber experts at RepKnight have been investigating and monitoring the Equifax hack using our Dark Web monitoring tool, BreachAlert. We’ve been looking into the latest Bitcoin address provided by the hackers and have noticed that there’s a zero balance and zero transactions, which at this stage leads us to believe that the ransom demand is not genuine.

On 9th September 2017, a Dark Web portal appeared purporting to sell the Equifax data. The site, located at hxxp://www.badtouchyonqysm3(.)onion/, was asking for 600 BTC (roughly $2.5 million USD) by way of ransom. Surprisingly, this site didn’t last long and was promptly taken down by the hosting company, probably because it was a law enforcement magnet.

It has since been taken down.

More recently, last week we found traces of a new site. Content posted on Pastebin and mentioned on the Krypt3ia blog pointed towards yet another Dark Web portal offering access to the Equifax data. Dubbed ‘Equihax’, and using the appropriately named URL hxxp://equihxbdrjn5czx2(.)onion/, the new site offers a new pricing structure, asking for 4 BTC per 1 million records. Equihax is taking payment via two declared cryptocurrency wallets. Our current research suggests that neither of these wallets has received any transactions and that their current balance is nil.

The site offers a few screenshots as supporting evidence, but the support they provide is dubious: they may have been collated from previous intrusions or from scanning adventures. Equifax itself should be in a position to tell whether the assets named in those screenshots are genuinely its own.