Last week, someone attempted to execute a poorly conceived digital cash grab by setting up a "Dark Web" page on the Tor network, claiming responsibility for the data breach at credit reporting bureau Equifax. The page demanded a ransom of 600 bitcoin and threatened to publicly release all of the data if payment was not made by September 15. But a misconfiguration of the services used for the site allowed security researchers to identify its hosting service, and the scam was quickly shut down.

Now, a new Dark Web site has been set up by a group calling itself "Equihax," claiming to have data from the Equifax breach. But this time, the scammers went further in trying to bolster their claim, posting what they claimed were samples of stolen data and screenshots from what appears at first glance to be a Web console for an Equifax instance of IBM WebSphere. And, according to their .onion page, the scammers are offering individual bits of the Equifax data for sale—or to publish it all if the world pays "600 BTC or 8400 ETH," they say.

Equifax is known to have used WebSphere to power its public-facing website, as security researchers showed last week.

Cmon Equifax. You have ALL OF OUR INFO. pic.twitter.com/Cu1u0RKc5d — notdan ✸ (@notdan) September 7, 2017

However, there is room for doubt about the "evidence" presented by this latest claimant to the Equifax hack. The sample data is presented in a text file and formatted in JavaScript Object Notation (JSON). While the SSNs appear to be valid numbers issued in locations and timeframes that match the individuals associated with them, the address for Bill Gates was incorrectly listed in the state of "WI" (Wisconsin) instead of "WA" (Washington). After that error was pointed out by a number of posters on Twitter, the "sample" was changed to fix the typographical error.

The screenshots are of little help to the cause of the Equihax crew either—the troublemakers have helpfully redacted information that might prove their claim, and the screenshots show a fairly sparse development server environment instead of the sort of infrastructure that you'd expect from Equifax. The IP addresses and host names are all for an internal network, configured to look very corporate (including an internal domain "us-west-2.compute.internal"), and some work clearly went into making these screens look legitimate. But some of the applications listed have nothing to do with Equifax's business, including interbank loan systems like Libor (the London Interbank Offered Rate). In fact, many of the applications have URLs that make them look like they're for the Royal Bank of Canada.

What's more, the data itself has been posted elsewhere before. Donald Trump's alleged data has previously been posted in numerous places, including a post on Facebook in November of 2015. Kim Kardashian's alleged SSN from the sample was posted to Twitter over four years ago. And Bill Gates' alleged SSN was posted to the Internet in 1999. It's odd that someone would try to prove they had gained access to Equifax by presenting such widely available "private" information.