The Federal Bureau of Investigation (FBI) is urging police departments and governments around the world to tighten security in their email systems, citing a recent surge in cybercrime services that use hacked police email accounts to send warrantless subpoenas and requests for customer data to technology companies based in the US.
In an alert (PDF) published this week, the FBI said it has seen an increase in postings on criminal forums about the process of emergency data requests (EDRs) and about the sale of stolen email credentials belonging to police departments and government agencies.
“Cybercriminals are likely to gain access to US and foreign government email addresses and use them to make fraudulent requests for emergency data from US-based companies, disclosing customer information so it can be further used for criminal purposes,” the FBI warned.
In the United States, when federal, state or local law enforcement agencies wish to obtain information about an account from a technology provider – such as the account’s email address, or what Internet addresses a particular mobile phone account has used in the past – they must submit a court order or subpoena.
Almost all major technology companies that serve a large number of users on the Internet have departments that routinely review and process such requests, which are approved (eventually, and at least partially) as long as the appropriate documents are provided and the request appears to come from an email address connected to an actual police department.
In some cases, a hacker will offer to forge a court-approved subpoena and send it through a hacked police or government email account. But increasingly, thieves are relying on fake EDRs, which attest that people will be physically harmed or killed unless a request for account data is granted immediately.
The problem is that these EDRs typically bypass any legal review and do not require the requester to provide any court-approved documents. It is also difficult for a company that receives one of these EDRs to quickly determine whether it is legitimate.
In this situation, the receiving company finds itself caught between two undesirable outcomes: failing to comply immediately with an EDR, and possibly having someone's blood on its hands, or handing a customer's records to the wrong person.
Perhaps surprisingly, compliance with such requests is often very high. For example, in its latest transparency report (PDF) Verizon said it received more than 127,000 legal demands for customer data in the second half of 2023 — including more than 36,000 EDRs — and that the company provided records in response to about 90 percent of the requests.
An English-speaking hacker who goes by the nicknames “Pwnstar” and “Omnipotent” has been selling fake EDR services on both Russian- and English-language cybercrime forums. Prices range from $1,000 to $3,000 per successful request, and the seller claims to control “gov emails from over 25 countries,” including Argentina, Bangladesh, Brazil, Bolivia, Dominican Republic, Hungary, India, Kenya, Jordan, Lebanon, Laos, Malaysia, Mexico, Morocco, Nigeria, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Tunisia, Turkey, United Arab Emirates (UAE), and Vietnam.
“I cannot guarantee 100% that all orders will be fulfilled,” explains Pwnstar. “This is social engineering at a high level and there will be failed attempts at times. Don’t be discouraged. You can use escrow and I’ll give you a full refund if the EDR doesn’t go through and you don’t get your information.”
A review of EDR vendors across cybercrime forums shows that some fake EDR vendors are selling the ability to send fake police requests to certain networks, including fake court documents. Others simply sell access to hacked government or police email accounts and leave it up to the buyer to produce any necessary documentation.
“When you get an account, it’s yours, your account, your credit,” reads an October ad on BreachForums. “Unlimited Emergency Data Applications. Once Paid, Logins are completely yours. Reset to your liking. You will need to do Documentation to Succeed in the Emergency Data Request.”
Some fake EDR service sellers claim to sell stolen or fake accounts on Kodex, a startup that aims to help tech companies do a better job of screening out fraudulent data requests. Kodex is trying to address the problem of fake EDRs by working directly with data providers to gather information about the police or government officials who send these requests, with the aim of making it easier for everyone to spot an unauthorized EDR.
If police or government officials wish to request records about Coinbase customers, for example, they must first register an account on Kodexglobal.com. Kodex's systems then assign that requester a score or credit rating, where officials with a long history of submitting valid requests will have a higher rating than someone submitting an EDR for the first time.
It is not uncommon to see fake EDR vendors claiming to have the ability to send data requests through Kodex, some even sharing modified screenshots of police accounts with Kodex.
Matt Donahue is a former FBI agent who founded Kodex in 2021. Donahue said that just because someone can use a legitimate police department or government email to create a Kodex account does not mean that user will be able to submit anything. Donahue said that even if one customer receives a fraudulent request, Kodex is able to prevent the same thing from happening to another.
Kodex told KrebsOnSecurity that over the past 12 months it has processed a total of 1,597 EDRs, and that 485 of those requests (~30 percent) failed second-level verification. Kodex reports that it has suspended nearly 4,000 law enforcement users in the past year, including:
- 1,521 from the Asia-Pacific region;
- 1,290 from Europe, the Middle East and Asia;
- 460 from United States police departments and agencies;
- 385 from organizations in Latin America, and;
- 285 from Brazil.
Donahue said 60 technology companies now submit all law enforcement data requests through Kodex, including a growing number of financial institutions and cryptocurrency platforms. He said a growing concern among prospective customers is that crooks are trying to use legal requests to freeze, and in some cases take, money from specific accounts.
“What is put together [with EDRs] is anything that doesn’t involve a formal judge’s signature or legal process,” Donahue said. “That can include controlling data, such as suspending an account or a backup request.”
In a hypothetical example, a scammer uses a hacked government email account to request that a service provider freeze a specific bank or crypto account, claiming it is subject to a garnishment order or is part of an internationally sanctioned crime such as terrorism financing or child exploitation.
A few days or weeks later, the impersonator returns with a request to seize the funds from the account, or to transfer the money to a destination account purportedly controlled by government investigators.
“In terms of social engineering attacks, the more you have a relationship with someone the more they’re going to trust you,” Donahue said. “If you send them a suspension order, that’s a way to establish trust, because [the first time] they don’t ask for information. They just say, ‘Hey, can you do me a favor?’ And that makes the [recipient] feel important.”
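The requester-reputation idea described for Kodex above, and the freeze-then-transfer escalation Donahue walks through, both come down to intake logic a provider can run before anyone acts on an "emergency" email. The following is an added illustration, not Kodex's code or any provider's real workflow: it assumes a request record carrying the sender address, the receiving mail server's SPF/DKIM results, the requested action, and a history of that requester's past verified requests. All domains, actions, scoring weights and sample requests are constructed for the example.

```python
"""
Triage for inbound law-enforcement data requests (added example).

Assumptions (not from the article): a provider records each request's
sender, e-mail authentication results, requested action, and the
requester's verification history. The score scale and the action names
are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum

# Constructed allowlist of domains previously confirmed to belong to real
# agencies. A compromised account at one of these domains passes this check,
# which is exactly why reputation and out-of-band confirmation also apply.
KNOWN_AGENCY_DOMAINS = {"police.example.gov", "sheriff.example.us"}

# Actions that gain control over an account or data without disclosing it.
CONTROL_ACTIONS = {"suspend_account", "freeze_funds", "preserve"}
# Actions that move money: never appropriate for an emergency request.
MONEY_MOVEMENT = {"transfer_funds", "seize_funds"}


class Verdict(Enum):
    FAST_TRACK = "fast_track"        # established requester, routine data
    MANUAL_REVIEW = "manual_review"  # needs callback / second-level check
    REJECT = "reject"                # requires formal legal process


@dataclass
class Request:
    sender: str              # e.g. "officer@police.example.gov" (constructed)
    spf_pass: bool           # SPF result reported by the receiving MTA
    dkim_pass: bool          # DKIM result reported by the receiving MTA
    action: str              # "account_data", "preserve", "transfer_funds", ...


@dataclass
class RequesterHistory:
    verified_requests: int = 0              # past requests confirmed out-of-band
    failed_verifications: int = 0           # past requests that failed the callback
    prior_actions: list = field(default_factory=list)


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def reputation_score(history):
    """A long record of verified requests earns a higher score than a
    first-time requester; failed verifications cost more than successes earn."""
    score = min(history.verified_requests, 10) * 10
    score -= history.failed_verifications * 25
    return max(score, 0)


def triage(req, history):
    """Return (Verdict, list of reasons). Reasons are accumulated so the
    reviewer sees every signal, not just the first one that fired."""
    flags = []
    if sender_domain(req.sender) not in KNOWN_AGENCY_DOMAINS:
        flags.append("unknown sender domain")
    if not (req.spf_pass and req.dkim_pass):
        flags.append("email authentication failed")
    score = reputation_score(history)
    if score < 50:
        flags.append("low requester reputation (%d)" % score)

    if req.action in MONEY_MOVEMENT:
        flags.append("funds movement requires a court order, not an EDR")
        if any(a in CONTROL_ACTIONS for a in history.prior_actions):
            # The two-step pattern: an earlier freeze/suspension request was
            # used to build rapport before asking for the money.
            flags.append("escalation: earlier control request followed by funds request")
        return Verdict.REJECT, flags

    if req.action in CONTROL_ACTIONS:
        flags.append("account control action needs out-of-band confirmation")

    return (Verdict.MANUAL_REVIEW if flags else Verdict.FAST_TRACK), flags


def demo_requests():
    """Constructed sample requests; returns {label: verdict} for inspection."""
    veteran = RequesterHistory(verified_requests=12)
    newcomer = RequesterHistory()
    groomed = RequesterHistory(verified_requests=1, prior_actions=["suspend_account"])
    samples = {
        "veteran_data_request": (Request("det@police.example.gov", True, True, "account_data"), veteran),
        "first_time_data_request": (Request("det@police.example.gov", True, True, "account_data"), newcomer),
        "unknown_domain_suspend": (Request("clerk@ministry.example.invalid", True, False, "suspend_account"), newcomer),
        "freeze_then_transfer": (Request("det@police.example.gov", True, True, "transfer_funds"), groomed),
    }
    return {name: triage(req, hist)[0] for name, (req, hist) in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo_requests().items():
        print(name, "->", verdict.value)
```

The point of the structure is that the first two checks (known domain, passing SPF/DKIM) are exactly what a hijacked genuine account sails through, so the decision never rests on them alone: a first-time requester or any control action lands in manual review, and anything that moves money is refused regardless of how good the sender looks.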
Echoing the FBI’s warning, Donahue said that too many police departments in the United States and other countries have poor account security hygiene, and often do not use basic protections such as phishing-resistant multifactor authentication.
How do hackers typically gain access to police and government email accounts? Donahue said it is still mostly email-based phishing, along with credentials stolen by opportunistic malware infections and sold on the dark web. But as bad as things are internationally, he said, many law enforcement agencies in the United States still have a great deal of room to improve their account security.
“Unfortunately, many of these are phishing or malware campaigns,” Donahue said. “Most of the world’s police agencies do not have strong hygiene in cybersecurity, but even US dot-gov emails are hacked. Over the past nine months, I have contacted CISA (Cybersecurity and Infrastructure Security Agency) more than a dozen times about .gov email addresses being compromised and CISA not knowing about it.”