In a disturbing new trend, cybercriminals have been found to be sending fake “emergency data requests” to obtain customer data from internet service providers, phone companies and social media firms.
Detailed today by security researcher Brian Krebs, the method involves cybercriminals compromising email accounts and websites tied to police departments and government agencies. With that access, they then send unauthorized requests for subscriber data while claiming that the requested information relates to an urgent matter of life and death that cannot wait for a court order.
A court order is required to obtain subscriber information in the U.S., but there is an alternative way to obtain data. In a case involving imminent harm or death, an authority can file an emergency data request that bypasses an official review and does not require the provision of a court order. That’s what hackers are exploiting.
“Some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate,” Krebs explained. “Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.”
The company receiving the request is stuck between a rock and a hard place. On the one hand, failing to comply with the EDR could put someone’s life in danger; on the other, complying could hand a customer’s records to a hacker, with no way to check which is the case.
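The verification gap Krebs describes can be made concrete in an intake control. The code below is an added example, not from the article or from any provider's real process: it parses a constructed EDR email and, because a hijacked agency mailbox passes SPF and DKIM just like a legitimate one, never auto-releases data but holds every authenticated request for a callback to a number from the provider's own directory, rejecting senders that fail authentication or are not in that directory. The agency domain, phone numbers and header layout are assumed.

```python
import email
from email import policy

# Constructed directory of vetted agency domains and the callback numbers we
# looked up ourselves (hypothetical values, not taken from any real agency).
AGENCY_DIRECTORY = {
    "pd.example-city.gov": "+1-555-0100",
}

# Constructed sample EDR: authentication passes because the mailbox itself is
# compromised, and the body offers a callback number the attacker controls.
SAMPLE_EDR = """From: Detective Doe <det.doe@pd.example-city.gov>
To: lawenforcement@provider.example
Subject: EMERGENCY DATA REQUEST - imminent threat to life
Authentication-Results: mx.provider.example; spf=pass; dkim=pass
Content-Type: text/plain; charset=utf-8

Please release all subscriber records for +1-555-0199 immediately.
Call me at +1-555-0123 to confirm.
"""

def triage_edr(raw_message: str) -> dict:
    """Decide what to do with an inbound EDR.

    SPF/DKIM only show the mail left the agency's system, which is exactly
    what a hijacked police mailbox does, so no request is auto-released.
    Unknown or unauthenticated senders are rejected; everything else is held
    until a human confirms it by calling the directory number, never a number
    printed in the request.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    auth = str(msg["Authentication-Results"] or "").lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = []
    if sender_domain not in AGENCY_DIRECTORY:
        findings.append("sender domain not in vetted agency directory")
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        findings.append("message failed email authentication")
    if findings:
        return {"decision": "reject", "findings": findings, "callback_number": None}
    directory_number = AGENCY_DIRECTORY[sender_domain]
    if directory_number not in body:
        # Not proof of fraud, but worth recording: the requester is steering
        # verification toward a number we cannot vouch for.
        findings.append("callback number in request differs from directory")
    return {"decision": "hold_for_callback", "findings": findings,
            "callback_number": directory_number}
```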
The method is also linked to the Lapsus$ ransomware and data breach gang, the group behind attacks on Okta Inc., Microsoft Corp., Nvidia Corp. and Samsung Electronics Co. Ltd. The Lapsus$ attacks typically involve gaining access through low-level attacks, such as bribing employees or contractors. Other methods used by Lapsus$ include phone-based social engineering, SIM-swapping and accessing employees’ email accounts.
Although seven alleged members of Lapsus$ were recently arrested, Krebs links the founder of Lapsus$ to an earlier hacking group called Recursion Team. The same hacker was advertising the ability to obtain law enforcement data from any service and specifically mentioned being able to obtain data from companies such as Apple Inc., Snap Inc. and Google LLC.
“I would like to sell a government email that can be used for subpoena for many companies such as Apple, Uber, Instagram, etc.,” the ad on a hacking forum stated. “You can breach users and get private images from people on Snapchat like nudes, go hack your girlfriend or something haha. You won’t get the login for the account, but you’ll basically obtain everything in the account if you play your cards right.”