Compromised email behind fake emergency data requests
Emails that look like they’re coming from law enforcement agencies have mobile providers, ISPs and social media companies turning sensitive data over to hackers.
Hackers are using compromised email accounts from police departments and government agencies to trick mobile providers, ISPs and social media companies into providing them sensitive customer data, according to a March 29 report on KrebsOnSecurity.
Emergency data requests (EDRs) allow police to request access to data without a warrant in life-or-death situations. However, with about 18,000 police organizations in the U.S., it’s difficult for a company that receives an EDR to tell whether the request is legitimate.
“Criminal hackers exploiting that ambiguity are enjoying remarkable success rates gaining access to the data they’re after, and some are now selling EDRs as a service to other crooks online,” Brian Krebs wrote in an update on March 31.
Social media platform Discord received and processed a fake EDR, and Bloomberg reported that both Apple and Meta have also complied with fraudulent EDRs from hackers masquerading as law enforcement officials, Krebs wrote. Information the hackers can scoop up this way includes emails, IP addresses, phone numbers and photos.
According to KT, a hacker Krebs interviewed, some of the people sending fake EDRs first compromise a police department’s website and then hack into its email. “From there, they can drop a backdoor ‘shell’ on the server to secure permanent access, and then create new email accounts within the hacked organization,” the hacker said.
In other cases, hackers “identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously,” KT told Krebs.
The report prompted concern from Sen. Ron Wyden (D-Ore.), who had introduced legislation in July 2021 to combat counterfeit EDRs by requiring federal, state and tribal courts to use digital signatures for orders authorizing surveillance, domain seizures and the removal of online content.
“No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed,” Wyden said in a statement to Krebs. “Fraudulent government requests are a significant concern, which is why I’ve already authored legislation to stamp out forged warrants and subpoenas.”
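The weakness the report describes is that a request is trusted because of the mailbox it came from, which a compromised police account defeats; the digital signatures Wyden's bill calls for move trust to a key the mailbox never holds. The following is an added illustration of that idea in Go, not code from the article or from any provider or agency: the request format, the agency identifier PD-0001 and out-of-band key distribution are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)
// EDR is a constructed, hypothetical request format, not any real agency's schema.
type EDR struct {
	AgencyID  string `json:"agency_id"`
	Requester string `json:"requester"` // informational only: the email sender is never what is trusted
	Expires   int64  `json:"expires"`   // unix seconds; emergency requests are short-lived by nature
}

// Provider pins one public key per agency, obtained out of band; nothing in an
// incoming email (sender, headers, attachments) can add or change a key.
type Provider struct{ AgencyKeys map[string]ed25519.PublicKey }

// Verify accepts a request only if its signature checks against the pinned key for the agency
// it names and it has not expired; a hijacked mailbox holds no signing key, so it cannot forge one.
func (p *Provider) Verify(raw, sig []byte, now time.Time) error {
	var r EDR
	if err := json.Unmarshal(raw, &r); err != nil {
		return fmt.Errorf("malformed request: %w", err)
	}
	pub, ok := p.AgencyKeys[r.AgencyID]
	if !ok {
		return fmt.Errorf("no pinned key for agency %q", r.AgencyID)
	}
	if !ed25519.Verify(pub, raw, sig) {
		return fmt.Errorf("signature does not verify for agency %q", r.AgencyID)
	}
	if now.Unix() > r.Expires {
		return fmt.Errorf("request expired")
	}
	return nil
}
// Demo signs one constructed request with the agency key, then re-signs the same bytes with an intruder's key.
func Demo() (genuine, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, intruder, _ := ed25519.GenerateKey(rand.Reader)
	p := &Provider{AgencyKeys: map[string]ed25519.PublicKey{"PD-0001": pub}}
	raw, _ := json.Marshal(EDR{AgencyID: "PD-0001", Requester: "officer@pd.example", Expires: time.Now().Add(time.Hour).Unix()})
	genuine = p.Verify(raw, ed25519.Sign(priv, raw), time.Now())
	forged = p.Verify(raw, ed25519.Sign(intruder, raw), time.Now())
	return genuine, forged
}
func main() { g, f := Demo(); fmt.Println("genuine:", g, "| forged:", f) }
```

The forged request carries the same fields and the same requester address as the genuine one and differs only in the key that signed it, which is exactly the distinction a sender-based check cannot make.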