Mysterious cloudflare.works and eager.works domains

While checking my site report in Google AdSense, I came across a mysterious "cloudflare.works" domain showing up in the referral traffic.

cloudflare.works in AdSense Site Report

The site was only showing up as a couple of hits a month. On attempting to visit any of the displayed subdomains, I'm presented with the message:

This may not be the page you're expecting (request failed security checks).

The site seems to host a variety of content, including miscellaneous JavaScript code, what appear to be court case documents, and a Cloudflare developer ToS page.

    The eager.works domain is used to help users of <a href="https://eager.io">Eager</a> test apps.  Contact       <a href="mailto:help@eager.io">help@eager.io</a> with any questions or concerns.
eager.works domain reference found on cloudflare.works/files/

My guess is that these referrals are generated by automated or manual reviews of websites by developers using Cloudflare's new app platform.

I have installed and uninstalled several apps, reporting some as not functioning properly.  Have you had traffic from similar subdomains on your site?

OnionScan --help – Usage, Flags and Command Examples

Command Examples:

Having trouble? You can also run the web-version of onionscan at onionscan.io
Run without OnionScan Correlations Lab

./onionscan --timeout 60 --fingerprint  --depth 2 --verbose --webport 0 examplesite.onion

Basic Scan with Correlations Lab Running on http://localhost:8080/

./onionscan examplesite.onion

Help Printout:

$ ./onionscan
Usage of ./onionscan:
    onionscan [flags] hiddenservice | onionscan [flags] --list list | onionscan --mode analysis
  -batch int
        number of onions to scan concurrently (default 10)
  -cookie string
        if provided, onionscan will use this cookie
  -crawlconfigdir string
        A directory where crawl configurations are stored
  -dbdir string
        The directory where the crawl database will be 
        stored (default "./onionscandb")
  -depth int
        depth of directory scan recursion (default: 100) (default 100)
  -fingerprint
        true disables some deeper scans e.g. directory probing with the 
        aim of just getting a fingerprint of the service. (default true)
  -jsonReport
        print out a json report providing a detailed report of the scan.
  -jsonSimpleReport
        print out a simple report as json, false by default
  -list string
        If provided OnionScan will attempt to read from the given list, 
        rather than the provided hidden service
  -mode string
        one of scan or analysis. In analysis mode, webport must be set. 
        (default "scan")
  -reportFile string
        the file destination path for report file - if given, the prefix 
        of the file will be the scanned onion service. If not given, the report will be written to stdout
  -scans string
        a comma-separated list of scans to run e.g. web,tls,... 
        (default: run all)
  -simpleReport
        print out a simple report detailing what is wrong and how to fix it, 
        true by default (default true)
  -timeout int
        read timeout for connecting to onion services (default 120)
  -torProxyAddress string
        the address of the tor proxy to use (default "127.0.0.1:9050")
  -verbose
        print out a verbose log output of the scan
  -webport int
        if given, onionscan will expose a webserver on localhost:[port] 
        to enabled searching of the database (default 8080)

NoBing Chrome Extension Changing Names

NoBing was removed from the Chrome Web Store after a trademark complaint from Microsoft (see below). It has now been relaunched as Bongle.

From: <[email protected]>
Date: Sun, Sep 10, 2017 at 5:42 PM
Subject: [7-1658000018900] Chrome Web Store Takedown Notice

Hi,

Google was notified that some of your materials allegedly infringe upon the trademarks of others; the details of the removed extension may be found at the end of this message.

Please note that repeated violations may result in a suspension of your Chrome Web Store Publisher account. If you have any further concerns about this issue, please address them directly to the complainant in the Trademark Infringement Notice provided.

The affected extension(s) are listed below:
https://chrome.google.com/webstore/detail/nobing/gbnjfjhjjemhhfhhdeojkhpjjliaidpf

Regards,
The Chrome Web Store Team

On 08/14/17 18:27:22 [email protected]appdetex.com wrote:

full_name: Alexis Meghrouni Rivas {Submitted by AppDetex}
your_title: Director, Enforcement Strategies and Services
companyname: Microsoft Corporation
address: 501 W. Grove Street, Boise, ID 83702, US
country_residence: US
contact_email_noprefill: [email protected]appdetex.com
phone: 8722402777
trademark_relationship: Note: AppDetex is authorized by Microsoft
Corporation to facilitate the submission of and correspondence regarding
complaints.

tm_work:
trademark_explain: The app uses the trademarks of Microsoft Corporation
without authorization. In this instance, the app uses “Bing” in the title
and “Bing” imagery in the icon.

infringing_location:
https://chrome.google.com/webstore/detail/nobing/gbnjfjhjjemhhfhhdeojkhpjjliaidpf
tm_sworn_statement1: tm_good_faith
tm_sworn_statement2: tm_swear
NoticeToDeveloper: agree1
signature_date: 8/14/17
signature: Alexis Meghrouni Rivas {Submitted by AppDetex}
subject_lr_trademark: Your Request to Google
hidden_product: chromewebstoreextensionsgallery
geolocation: US

:---- Automatically added fields ----:
Language: en
IIILanguage: en
country_code: US
auto-helpcenter-id: 1647639
auto-helpcenter-name: legal
auto-internal-helpcenter-name: legal
auto-full-url:
https://support.google.com/legal/contact/lr_trademark?product=chromewebstoreextensionsgallery
auto-user-logged-in: false
auto-user-was-internal: false
IssueType: lr_trademark
form-id: lr_trademark
form: lr_trademark
subject-line-field-id: subject_lr_trademark
body-text-field-id:
AutoDetectedBrowser: Chrome 45.0.2454.101
AutoDetectedOS: Intel Mac OS X 10_11_0
MendelExperiments: 10800027,10800108,10800141,10800161,10800169
Form.support-content-visit-id: 0-636383500115619980-1101090361

equihxbdrjn5czx2.onion Another Equifax Hack Tor Site

Another darknet site has popped up claiming to hold the Equifax hack data. No large data samples have been provided that would convincingly prove the site is real, but it does offer some alleged screenshots of internal Equifax management systems.

As a "sample" of the data, they provide the SSN, DOB, and address of Donald Trump, Kim Kardashian, and Bill Gates. This is hardly proof, as all of this information on these three people can be found publicly via Google.

The sample screenshots appear to be taken by a Mac.

 

The Ethereum and Bitcoin addresses provided for the ransom have not received any payments as of yet:

https://etherscan.io/address/0x8D992F58f3887cCD72A14FE29aD22Ed0789f70Ef

https://blockchain.info/address/1KELNpR9ECN46QaNGxPhoJDL4iqaa7Hgch

The email provided, EQUIHAX AT PROTONMAIL.COM, has been reported to ProtonMail’s abuse team.

PGP Key given on the site:


PastHole Hacking Team

The PastHole hacking team is the hacking group claiming responsibility for the 2017 Equifax data breach – affecting nearly half of the US population.

Their only contact with the outside world has been through their ransom request site badtouchyonqysm3.onion as well as their anonymous email [email protected].

The group may have a Russian origin, based on the tag "Оборудование для взлома" added to the bottom of one of their email responses.

 

onionscan Cannot connect to Tor proxy, is the --torProxyAddress setting correct?

Trying to run onionscan, but encountering the error:

Cannot connect to Tor proxy, is the --torProxyAddress setting correct?

Simply get the latest Tor Browser running on your machine and pass the following proxy flag:

--torProxyAddress 127.0.0.1:9150

The tor daemon bundled with Tor Browser listens on your local machine at port 9150 (a standalone tor service uses port 9050, which is onionscan's default). This flag instructs onionscan to use that port as the SOCKS proxy.

Example command:

onionscan --torProxyAddress 127.0.0.1:9150 --verbose targetsite.onion
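
The following is an added diagnostic, my own code rather than anything from the OnionScan project: it sends a SOCKS5 greeting to the two local Tor ports this page mentions (9050 for a standalone tor service, 9150 for Tor Browser) so you can see which --torProxyAddress to pass before onionscan reports the connection error. The fake SOCKS5 responder is a constructed stand-in for the tor daemon so the probe can be exercised offline.

```python
"""Find a live Tor SOCKS port before pointing OnionScan at it (added example)."""
import socket
import threading

# Ports from this page: 9050 is the standalone tor daemon's default (and
# OnionScan's --torProxyAddress default); 9150 is Tor Browser's bundled tor.
TOR_PROXY_CANDIDATES = ("127.0.0.1:9050", "127.0.0.1:9150")

def probe_socks5(address, timeout=2.0):
    """True if a SOCKS5 server answers the RFC 1928 greeting at host:port."""
    host, _, port = address.rpartition(":")
    try:
        with socket.create_connection((host, int(port)), timeout=timeout) as sock:
            # Greeting: VER=5, NMETHODS=1, METHODS=[0x00] (no authentication)
            sock.sendall(b"\x05\x01\x00")
            reply = sock.recv(2)
    except (OSError, ValueError):
        return False
    # tor selects method 0x00; 0xFF would mean "no acceptable method"
    return reply == b"\x05\x00"

def choose_tor_proxy(candidates=TOR_PROXY_CANDIDATES, timeout=2.0):
    """First candidate speaking SOCKS5, or None (what produces OnionScan's error)."""
    for address in candidates:
        if probe_socks5(address, timeout):
            return address
    return None

def start_fake_socks5(host="127.0.0.1"):
    """Constructed one-shot stand-in for tor's SOCKS port; returns host:port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(1)
    port = server.getsockname()[1]

    def serve():
        conn, _ = server.accept()
        with conn:
            conn.recv(3)               # consume the client greeting
            conn.sendall(b"\x05\x00")  # select "no authentication"
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return f"{host}:{port}"

if __name__ == "__main__":
    proxy = choose_tor_proxy()
    if proxy is None:
        print("No Tor SOCKS proxy on 9050 or 9150; start tor or Tor Browser.")
    else:
        print(f"./onionscan --torProxyAddress {proxy} --verbose examplesite.onion")
```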

Attachment: signature.asc

The PGP Signature attached to the equifax hack response email.


Complete PGP key posted on their contact page:


An email from the Russian Equifax Hackers

I emailed the Equifax hackers at the email posted on their darknet site and they responded with the following:

We are processing information is not a single file and we must still
unite which data correspond to which people.

We are not going to give interviews.

We do not have expectations to collect anything so that on the 15th
everything will be published except the credit cards.

09/15 at 4pm UTC


PastHole
Оборудование для взлома

Note the Russian signature, which Google Translate loosely renders as "Equipment for hacking". A quick Google search suggests the name may relate to wardriving, the old practice of roaming around to pick up insecure Wi-Fi networks. It is rather presumptuous to say they're a Russian hacking group, but the Russian signature does raise an eyebrow.

The email is signed with their PGP key.

[email protected] Equifax Hacker Email Address from badtouchyonqysm3.onion

The alleged Equifax hackers have posted a contact email address of [email protected]

Despite its similarity, this email address is unaffiliated with the domain: https://nationalshitposting.agency/

The domain the email address belongs to, shitposting.agency, was registered privately on 2015-03-07, well before the Equifax hack took place.

shitposting.agency is a disposable email domain

I've sent an email to this address and verified it is working: delivered after 1 attempt.

    "delivery-status": {
        "tls": true,
        "mx-host": "mx1.cock.li",
        "attempt-no": 1,
        "description": "",
        "session-seconds": 1.7955520153045654,
        "code": 250,
        "message": "OK",
        "certificate-verified": true
    },