An email from the Russian Equifax Hackers

I emailed the Equifax hackers at the email posted on their darknet site and they responded with the following:

We are processing information is not a single file and we must still
unite which data correspond to which people.

We are not going to give interviews.

We do not have expectations to collect anything so that on the 15th
everything will be published except the credit cards.

09/15 at 4pm UTC


PastHole
Оборудование для взлома

Note the Russian signature, loosely translated by Google Translate to “Equipment for hacking”. A quick Google search says the name may have to do with wardriving, an old technique for finding insecure Wi-Fi networks while on the move. It is rather presumptuous to say they’re a Russian hacking group, but the Russian signature does raise an eyebrow.

The email is signed with their PGP signature.

Adsense Auto Ads with Regular Ads

After seeing Adsense Auto Ads beta feature pop up on my account, I was excited to jump right in. I did, however, worry adsense would be too conservative in placing ads or just not place the right type of ads for my site. In an effort to not have a couple day drop of a good chunk of revenue, I simply placed the auto-ad code in along with the existing ads on my site.

Auto Ads Setup Screen

I will be monitoring the performance closely and may remove the hard-coded ads to see if performance keeps up.

Set up Auto ads on your site

Copy and paste this code in between the <head> tags of your site. It’s the same code for all your pages. You don’t need to change it even if you change your global preferences. See our code implementation guide for more details.
For those of you looking to get started with auto-ads, you may be able to place the following code onto your site (with your own publisher-id).
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<script>
 (adsbygoogle = window.adsbygoogle || []).push({
 google_ad_client: "ca-pub-0545639743190253",
 enable_page_level_ads: true
 });
</script>

The auto-ads management page can be found at:

https://www.google.com/adsense/new/u/0/pub-0545639743190253/myads/auto-ads

but since the program is still in beta, many users don’t have access yet.

UPDATE:

Google also has Auto Ads for AMP pages. In their documentation for the AMP implementation, things are set out more clearly:

 

NoBing Chrome Extension Changing Names

NoBing was removed from the Chrome Web Store after a copyright complaint from Microsoft (see below). It has now been relaunched as Bongle.

From: <[email protected]>
Date: Sun, Sep 10, 2017 at 5:42 PM
Subject: [7-1658000018900] Chrome Web Store Takedown Notice

Hi,

Google was notified that some of your materials allegedly infringe upon the trademarks of others, the details of the removed extension may be found at the end of this message.

Please note that repeated violations may result in a suspension of your Chrome Web Store Publisher account. If you have any further concerns about this issue, please address them directly to the complainant in the Trademark Infringement Notice provided.

The affected extension(s) are listed below:
https://chrome.google.com/webstore/detail/nobing/gbnjfjhjjemhhfhhdeojkhpjjliaidpf

Regards,
The Chrome Web Store Team

On 08/14/17 18:27:22 [email protected]appdetex.com wrote:

full_name: Alexis Meghrouni Rivas {Submitted by AppDetex}
your_title: Director, Enforcement Strategies and Services
companyname: Microsoft Corporation
address: 501 W. Grove Street
Boise
ID
83702
US
country_residence: US
contact_email_noprefill: [email protected]appdetex.com
phone: 8722402777
trademark_relationship: Note: AppDetex is authorized by Microsoft
Corporation to facilitate the submission of and correspondence regarding
complaints.

tm_work: BING 2008/26333: ZA 2008/26332: ZA BING 2008/26334: ZA 2008/26335:
ZA BING IR 996797: CH IR 996700: CH BING 2008/26331: ZA 2013/15673: ZA BING
228425: EG 228426: EG BING IR 996700: SG IR 996797: SG BING IR 1171876:
SG,CH BING 1641400: TW TN/E/2013/1081: TN BING 9/1/12: EC IR 996700: TR
BING IR 996797: TR IR 1171876: UA BING IR 1171876: TR 46975: TT BING
BOR46697: TH 1383046: TW BING 1378808: TW IR 1171876: WO BING BOR 46695: TH
BOR46696: TH BING 228427: EG 15 Book 225: SV BING 165426: GT 193689: GT
BING 165423: GT 165427: GT BING IR 1171876: PH 4-2009-2253: PH BING 198768:
GT 57278: PE BING 204996: PE 199089: GT BING 83129: PE 57276: PE BING
57277: PE 82295: QA BING 82296: QA IR 1171876: RU BING IR 996797: RU
1232/92: SA BING 1232/93: SA 1232/94: SA BING IR 996700: RU IR 996797: RO
BING 82298: QA 82297: QA BING 82299: QA 82300: QA BING IR 996700: RO
126683: AE BING 161169: AE 159655-C: BO BING 159654-C: BO 159656-C: BO BING
159657-C: BO 388741: CO BING IR 996700: EM 159658-C: BO BING I
trademark_explain: The app uses the trademarks of Microsoft Corporation
without authorization. In this instance, the app uses “Bing” in the title
and “Bing” imagery in the icon.

infringing_location:
https://chrome.google.com/webstore/detail/nobing/gbnjfjhjjemhhfhhdeojkhpjjliaidpf
tm_sworn_statement1: tm_good_faith
tm_sworn_statement2: tm_swear
NoticeToDeveloper: agree1
signature_date: 8/14/17
signature: Alexis Meghrouni Rivas {Submitted by AppDetex}
subject_lr_trademark: Your Request to Google
hidden_product: chromewebstoreextensionsgallery
geolocation: US

:---- Automatically added fields ----:
Language: en
IIILanguage: en
country_code: US
auto-helpcenter-id: 1647639
auto-helpcenter-name: legal
auto-internal-helpcenter-name: legal
auto-full-url:
https://support.google.com/legal/contact/lr_trademark?product=chromewebstoreextensionsgallery
auto-user-logged-in: false
auto-user-was-internal: false
IssueType: lr_trademark
form-id: lr_trademark
form: lr_trademark
subject-line-field-id: subject_lr_trademark
body-text-field-id:
AutoDetectedBrowser: Chrome 45.0.2454.101
AutoDetectedOS: Intel Mac OS X 10_11_0
MendelExperiments: 10800027,10800108,10800141,10800161,10800169
Form.support-content-visit-id: 0-636383500115619980-1101090361

Bongle – The NoBing Extension (Redirect Bing->Google Search)

NoBing has been relaunched as Bongle after a copyright complaint by Microsoft.

NoBing is a simple tool that gives you the look of Bing with the search results of Google.

Find Bongle in the Chrome Web Store here.

Questions, comments, and requests can be made below!

equihxbdrjn5czx2.onion Another Equifax Hack Tor Site

Another darknet site has popped up for the Equifax hack. No large data samples have been provided to give us convincing proof the site is real, but they do provide some alleged screenshots of internal Equifax management systems.

As a “sample” of the data, they provide the SSN, DOB, and address of Donald Trump, Kim Kardashian, and Bill Gates, although this data is hardly proof, as you can find all the information on these three people publicly on Google.

The sample screenshots appear to have been taken on a Mac.

 

The Ethereum and Bitcoin addresses provided for the ransom have not received any payments as of yet:

https://etherscan.io/address/0x8D992F58f3887cCD72A14FE29aD22Ed0789f70Ef

https://blockchain.info/address/1KELNpR9ECN46QaNGxPhoJDL4iqaa7Hgch

The email provided, EQUIHAX AT PROTONMAIL.COM, has been reported to ProtonMail’s abuse team.

PGP Key given on the site:


PastHole Hacking Team

The PastHole hacking team is the hacking group claiming responsibility for the 2017 Equifax data breach – affecting nearly half of the US population.

Their only contact with the outside world has been through their ransom request site badtouchyonqysm3.onion as well as their anonymous email [email protected].

The group may have a Russian origin based off the tag “Оборудование для взлома” added to the bottom of one of their email responses.

 

onionscan Cannot connect to Tor proxy, is the --torProxyAddress setting correct?

Trying to run onionscan, but encountering the error
Cannot connect to Tor proxy, is the --torProxyAddress setting correct?

Simply get the latest Tor Browser running on your machine and add the following proxy:

--torProxyAddress 127.0.0.1:9150

Tor Browser runs its Tor SOCKS proxy on your local machine at port 9150. This flag instructs onionscan to use that as the proxy.

Example command:

onionscan --torProxyAddress 127.0.0.1:9150 --verbose targetsite.onion
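
A pre-flight check for the error above, as an added example that is not part of the original post or of onionscan: it sends a SOCKS5 greeting to the Tor Browser port named above and to 9050 (the default SocksPort of a standalone tor daemon, an assumption not mentioned in the post), then builds the command with whichever one answers. The function names are hypothetical.

```python
import socket

# Assumed candidates: 9150 is the Tor Browser port from the post; 9050 is the
# default SocksPort of a standalone tor daemon (not mentioned in the post).
CANDIDATES = [("127.0.0.1", 9150), ("127.0.0.1", 9050)]


def is_socks5(host, port, timeout=2.0):
    """Return True if host:port answers a SOCKS5 greeting with 'no auth'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\x05\x01\x00")  # version 5, one method offered, no auth
            reply = s.recv(2)
    except OSError:
        return False                    # refused, timed out, or reset
    return reply == b"\x05\x00"         # server selected SOCKS5 / no auth


def find_tor_proxy(candidates=CANDIDATES):
    """Return 'host:port' of the first candidate that speaks SOCKS5, else None."""
    for host, port in candidates:
        if is_socks5(host, port):
            return f"{host}:{port}"
    return None


def onionscan_argv(target, proxy):
    """Build the onionscan command line from the post for the given proxy."""
    return ["onionscan", "--torProxyAddress", proxy, "--verbose", target]


if __name__ == "__main__":
    proxy = find_tor_proxy()
    if proxy:
        print(" ".join(onionscan_argv("targetsite.onion", proxy)))
    else:
        print("No SOCKS5 listener on 9150 or 9050; start Tor Browser or tor first")
```

A port that is open but does not answer with the SOCKS5 reply is reported as unusable, so a listener that is not actually a Tor SOCKS proxy is not passed to onionscan.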

Attachment: signature.asc

The PGP signature attached to the Equifax hack response email.


Complete PGP key posted on their contact page:
