Spike in Hacked Police Emails, Fake Subpoenas – Krebs on Security
The FBI is urging police departments and governments around the world to tighten the security of their email systems, citing a recent increase in cybercrime services that use hacked police email accounts to send unauthorized subpoenas and requests for customer information to U.S. technology companies.
In an alert (PDF) released this week, the FBI said it has seen an increase in posts on criminal forums about the emergency data request (EDR) process and the sale of email credentials stolen from police departments and government agencies.
The FBI warns: “Cybercriminals may obtain compromised U.S. and foreign government email addresses and use them to make fraudulent emergency data requests to U.S. companies, exposing customers’ personal information for further use for criminal purposes.”
In the United States, when federal, state, or local law enforcement agencies want to obtain information about an account at a technology provider (such as the email address tied to the account, or the Internet addresses a specific mobile phone account has used in the past), they must submit a formal court-ordered warrant or subpoena.
Nearly all major technology companies that serve large numbers of online users have departments that regularly review and process such requests, and as long as proper documentation is provided and the request appears to come from a recognized agency, these requests are usually approved (or at least partially approved).
In some cases, cybercriminals have submitted forged court-approved subpoenas through hacked police or government email accounts. But thieves are increasingly relying on fake EDRs, in which the requester attests that people will be physically harmed or killed unless the request for account information is granted quickly.
The problem is, these EDRs largely bypass any official review and do not require the requester to provide any court-approved documents. Additionally, it can be difficult for a company that receives one of these EDRs to immediately determine whether it is legitimate.
In that situation, the receiving company is caught between two nasty outcomes: failing to comply immediately with the EDR (and potentially having someone’s blood on its hands), or potentially handing customer records to the wrong person.
Perhaps not surprisingly, compliance rates with such requests tend to be very high. For example, in its latest transparency report (PDF), Verizon said it received more than 127,000 law enforcement requests for customer information in the second half of 2023, including more than 36,000 EDRs, and that it provided records in response to about 90% of the requests.
An English-speaking cybercriminal using the nicknames “Pwnstar” and “Almighty” has been selling fake EDR services on Russian- and English-speaking cybercrime forums. Their prices range from $1,000 to $3,000 per successful request, and they claim to control “government emails from over 25 countries,” including Argentina, Bangladesh, Brazil, Bolivia, Dominican Republic, Hungary, India, Kenya, Jordan, Lebanon, Laos, Malaysia, Mexico, Morocco, Nigeria, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Tunisia, Turkey, United Arab Emirates (UAE) and Vietnam.
“I can’t 100% guarantee that every order will be successful,” Pwnstar explained. “This is social engineering of the highest order and sometimes attempts will fail. Don’t be discouraged. You can use escrow, and if the EDR doesn’t go through and you don’t receive your message, I will issue a full refund.”
A review of EDR vendors on a number of cybercrime forums revealed that some fake EDR vendors sell the ability to send fake police requests to specific social media platforms, including forging court-approved documents. Others simply sell access to hacked government or police email accounts and have the buyer falsify any required documents.
“When you get an account, it’s yours, your account, and your responsibility,” read one ad posted in October on the Violation forum. “Unlimited emergency data requests. After payment, the login is completely yours. Reset at will. You will need to forge documents to successfully request emergency data.”
Other fake EDR service providers claim to sell hacked or fraudulently created accounts on Kodex, a startup that aims to help tech companies do a better job of screening out false law enforcement data requests. Kodex is trying to solve the problem of fake EDRs by working directly with data providers to pool information about the police or government officials submitting these requests, with the goal of making unauthorized EDRs easier for everyone to spot.
For example, if police or government officials wish to request records about Coinbase customers, they must first register an account at Kodexglobal.com. Kodex’s system then assigns a score, or credit rating, to the requester: an officer with a long history of sending valid legal requests receives a higher rating than an officer who is sending an EDR for the first time.
It’s not uncommon for fake EDR vendors to claim to be able to send data requests through Kodex, with some even sharing edited screenshots of Kodex police accounts.
Matt Donahue is a former FBI agent who founded Kodex in 2021. Donahue said that if one Kodex customer receives a fraudulent request, Kodex can prevent the same thing from happening to another customer.
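The requester-rating idea described above, as an added illustration that is not Kodex’s code or algorithm: a hypothetical triage routine that scores a law enforcement request by the sender’s verified history, discounts first-time EDRs and requests that ask for account freezes or seizures rather than records, and routes low scores to secondary verification instead of auto-approval. The domain list, weights and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed allow-list of agency sender domains (hypothetical values).
KNOWN_AGENCY_DOMAINS = {"police.example.gov", "sheriff.example.us"}


@dataclass
class Requester:
    email: str
    verified_requests: int = 0  # prior requests that passed secondary verification
    failed_requests: int = 0    # prior requests that failed it


@dataclass
class DataRequest:
    requester: Requester
    is_edr: bool                   # emergency data request (no court review)
    has_court_document: bool       # warrant or subpoena attached
    asks_for_action: bool = False  # freeze / seizure / preservation, not records


def trust_score(req: DataRequest) -> int:
    """Higher is more trustworthy. A known agency domain alone never scores
    high enough to auto-approve, because the mailbox itself may be hijacked."""
    domain = req.requester.email.rsplit("@", 1)[-1].lower()
    score = 20 if domain in KNOWN_AGENCY_DOMAINS else 0
    score += 5 * min(req.requester.verified_requests, 10)  # history caps at +50
    score -= 15 * req.requester.failed_requests
    if req.is_edr and not req.has_court_document:
        score -= 20  # EDRs bypass court review, so demand more history
    if req.asks_for_action:
        score -= 20  # freezes/seizures without a judge's signature need scrutiny
    return score


def triage(req: DataRequest) -> str:
    """Route a request: 'approve', 'secondary_verification' or 'reject'."""
    s = trust_score(req)
    if s >= 50:
        return "approve"
    if s >= 0:
        return "secondary_verification"  # e.g. out-of-band callback to the agency
    return "reject"


if __name__ == "__main__":
    veteran = Requester("det.smith@police.example.gov", verified_requests=12)
    newcomer = Requester("clerk@police.example.gov")
    print(triage(DataRequest(veteran, is_edr=False, has_court_document=True)))
    print(triage(DataRequest(newcomer, is_edr=True, has_court_document=False)))
```

A first-time EDR from a recognized agency domain lands in secondary verification rather than being approved on the strength of the sender address alone.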
Kodex told KrebsOnSecurity that it processed a total of 1,597 EDRs in the past 12 months, of which 485 requests (approximately 30%) failed secondary verification. Kodex reports that it suspended nearly 4,000 law enforcement users last year, including:
- 1,521 from the Asia-Pacific region;
- 1,290 from Europe, the Middle East and Asia;
- 460 from U.S. police departments and agencies;
- 385 from Latin America; and
- 285 from Brazil.
Donahue said that 60 technology companies currently send all law enforcement information requests through Kodex, including a growing number of financial institutions and cryptocurrency platforms. He said a recent common concern among potential clients is that scammers are looking to use false law enforcement requests to freeze or even, in some cases, seize funds in specific accounts.
“What is being conflated [with EDRs] is anything that doesn’t involve a formal judge’s signature or legal proceedings,” Donahue said. “That may include controls over data, such as account freezes or preservation requests.”
In a hypothetical example, scammers use hacked government email accounts to ask service providers to freeze specific bank or cryptocurrency accounts, alleging that the accounts are subject to seizure orders or tied to criminal activity covered by global sanctions (such as terrorism or child exploitation).
Days or weeks later, the same imposter returns, demanding that funds in the account be seized or transferred to an escrow wallet purportedly controlled by government investigators.
“In terms of overall social engineering attacks, the closer you are to someone, the more they trust you,” Donahue said. “If you send them a freezing order, it’s a way of building trust, because [the first time] they are not asking for information. They just say, ‘Hey, can you do me a favor?’ This makes the [recipient] feel valued.”
Echoing the FBI’s warning, Donahue said too many police departments in the United States and other countries have poor account security hygiene and often fail to enforce basic precautions, such as requiring multi-factor authentication that resists phishing.
How do cybercriminals typically access police and government email accounts? Donahue said this is still mostly email-based phishing and credentials stolen through opportunistic malware infections and sold on the dark web. But he said that despite the dire situation internationally, many law enforcement entities in the United States still have a lot of room for improvement in account security.
“Unfortunately, a lot of these are phishing or malware campaigns,” Donahue said. “Many global police agencies do not have strict cybersecurity hygiene, but even U.S. .gov emails are vulnerable to hackers. Over the past nine months, I have contacted CISA (the Cybersecurity and Infrastructure Security Agency) multiple times about .gov email addresses that were compromised, and CISA was unaware.”
2024-11-09 19:20:26