Equifax on the darknet

Could darknet monitoring have prevented Equifax from becoming "equihax"?

Late last week, we learned the largest U.S. credit bureau, Equifax, had been significantly hacked resulting in the breach of the names, social security numbers, and personally identifiable information for over 143 million Americans. The incident, which the internet has since dubbed the "equihax" immediately led to widespread confusion and concern.

Can you trust Equifax’s security site (equifaxsecurity2017.com) - that requires you to simply enter the last six-digits of your social security number - to check if your name was included in the breach? Should you use their service to sign up for your year of free credit monitoring?  Who do you contact to be included in the $25,000 per victim massive class action lawsuit that is being formulated against them? 

And, what does the darknet have to do with it?


Equifax data has been on the darknet for months

As experts in darknet intelligence, our analysts immediately took to our darknet database tool, DarkOwl Vision, to perform a search of any relevant data that might provide insight into the equihax. What we found was evidence of Equifax credentials on a Russian darknet site, dating back an unknown period of time. DarkOwl Vision search results also showed Equifax data listed for sale on another Russian darknet page known as BestDarkForum.cc, which our darknet crawler indicates existed as far back as June 27th of this year. 

While we cannot yet verify that the information being sold in the above cases is from the recent equihax, or from a different (potentially unrelated) Equifax source, we can conclude that the presence of the compromising, personal data of Equifax customers has been advertised to willing buyers on the darknet for some months.

  DarkOwl Vision identified a Russian forum selling access to NBKI, EQUIFAX, OKB, and Russian Standard databases (post dated  June 27, 2017 ).  The site offers record lookup service for any individual across a number of leaked databases with a variable price list.  Note:  we can’t verify that that the Equifax data being advertised here is a result of the recent equihax leaked databases.  We will continue to dig further on this, but it’s unlikely that we can source this data unless we make contact with the seller directly to analyze the source further

DarkOwl Vision identified a Russian forum selling access to NBKI, EQUIFAX, OKB, and Russian Standard databases (post dated June 27, 2017).  The site offers record lookup service for any individual across a number of leaked databases with a variable price list. Note: we can’t verify that that the Equifax data being advertised here is a result of the recent equihax leaked databases.  We will continue to dig further on this, but it’s unlikely that we can source this data unless we make contact with the seller directly to analyze the source further

What does this historical darknet presence have to do with the recent equihax?

e2.png

Most corporate data breaches are a result of an unlucky combination of a leaked server credential and a poorly patched data server running SQL or PHP-like databases. It turns out Equifax credentials have been circulating on the darknet long before last week’s first revelation from Equifax management. 

In late 2015, identity thieves reached out to the community requesting data from any of the major credit databases on the DreamMarket darknet marketplace forum. While consumer credit data is gold, a hacker has to start somewhere to begin mining for the treasure. As of this morning, DarkOwl Vision has indexed over 2,000 equifax.com corporate email addresses and clear text (unhashed) passwords across the darknet and paste-based sites providing an excellent starting place for attempting to breach the Equifax network using brute force or more sophisticated methods.

 Screen shot of a darknet site in our DarkOwl Vision tool that reveals buyers have been seeking Equifax data for as far back as two years.

Screen shot of a darknet site in our DarkOwl Vision tool that reveals buyers have been seeking Equifax data for as far back as two years.


This week we learned that Equifax had failed to update their servers of a critical zero-day (or 0-day) Apache Struts vulnerability (CVE-2017-5638) that would have ideally been patched when the exploit was made known to Apache users in early March. The September Baird Equity Research report did not assess that the core databases were affected, but did state that Equifax reportedly became aware of the breach on 29 July and that unauthorized access occurred for approximately 2.5 months before being identified, speaking rather indirectly to a more broader concern over Equifax’s data security processes.

DarkOwl Vision indexed a .onion site offering access to Equifax data on a Russian darknet forum with the topic "Банковский пробив" (translated roughly as ‘Banking Breakthrough’).  The darknet user with the avatar ‘lunzinafinex’ offered extended and simple extractions for persons on Russia's leading credit bureau, the National Bureau of Credit Histories (NBKI), the United Credit Bureau (OKB), and Equifax.

  Russian darknet forum with the topic "Банковский пробив" (translated roughly as ‘Banking Breakthrough’)

Russian darknet forum with the topic "Банковский пробив" (translated roughly as ‘Banking Breakthrough’)

  Screen shot of the same .onion site as it appears in DarkOwl Vision, our darknet database.

Screen shot of the same .onion site as it appears in DarkOwl Vision, our darknet database.

e7.png

The same alias has also been used on multiple Russian carding and counterfeiting forums across the surface net. The last post by this user was a comment to their late June offer on 4 August 2017 on FakeCash (fcash.biz) with the title “Quick check of credit histories.” It is unclear whether these offers are related to the recent Equifax breach or something completely different.


So, is your information actually for sale on the darknet? 

Most likely. Last Friday, the first offer to sell the Equifax data appeared on the darknet on the TOR hidden service, badtouchyonqysm3[.]onion. The hackers claimed they did not anticipate receiving such large set of data and needed to monetize the attack quickly. They stated that they would release the entire data set on September 15th, 2017 (one week from the time of the writing). The offer was set at 600 BTC, or approximately $2.6 million USD. Threat intelligence researchers determined the onion was hosted on the popular Daniel’s hosting service and removed shortly thereafter.

 
e8.png
 

On Thursday, another hidden service, equihxbdrjn5czx2[.]onion, appeared with opportunity to purchase the compromised Equifax data along with images to “prove” they are legit. This site was more simple in its construction than the previous with plain text, ASCII art, and HTML links to the images.  The hackers require a $700 USD deposit to their public bitcoin address to receive the link to download the dataset at a cost of 4 BTC per 1,000,000 entries – adding up to approximately the same as the first offer of $2.6 million USD for the entire dataset.

 
e9.png
 

The “samples” from their treasure trove included database-like extraction for celebrities, Donald Trump, Kim Kardashian, and Bill Gates, all included in previous DoxBin datasets. On the other hand, the images, include severely redacted screen captures from what appears to be various servers on the Amazon cloud. 

The IP address 172.31.25.243 is listed in the image and redirects to the canonical name: http://ip-172-31-25-243.us-west-2.compute.internal, an address within Amazon’s Elastic Compute Cloud (aka Amazon EC2). While the domain name cannot be resolved, the GeoLocation for the server is Valencia, California.

IP Location Results for 172.31.25.243
==============
City:         Valencia
Zip Code:     91355
Region Code:  CA
Region Name:  California
Country Code: US
Country Name: United States
Latitude:     34.418
Longitude:    -118.566

 
e10.png
 
 
e11.png
 
 
e12.png
 
e13.png

Most of the images have their dates redacted; however, one image included timestamps of April 24, 2017 earlier than the original Equifax report indicated. The last sentence of the latest hidden service is the most ominous suggesting they’ve had access for much longer than the 2.5 month window.

As you seen in media [sic], Equihax by more than just “Apache Struts RCE”. Apache Struts RCE is Equifax’s smoke to cover up embarassing [sic] security fails.

We have had access for years now.
— anonymous darknet user

While it is completely plausible that the latest equihax offer is a scam, the mounting evidence that such data is not just valuable but actually extremely sought after by identity thieves makes monitoring data of this nature all the more vital for businesses and government agencies. 

For more information on how you can monitor the darknet using OWL Vision, click "Learn More" below.


Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.