Hackers Are Impersonating Police to Subpoena People’s Data

In recent years, it’s become alarmingly routine for law enforcement agencies to subpoena tech platforms for user data — a practice that some critics see as an invasive privacy violation. Criminals are taking note, and now they’re doing it, too.

Security blogger Brian Krebs reports that hackers have been hijacking law enforcement email accounts and using them to submit phony data demands to tech companies. The ploy has been working — hoodwinked firms have handed over troves of user information to crooks by accident.

Krebs details a recent incident in which cybercriminals took over the email account of an unnamed law enforcement agency. The hackers used the account to submit a data request to chat platform Discord, asking for information on an 18-year-old user from Indiana. Discord fell for it and forked over the data.

“This tactic poses a significant threat across the tech industry,” a Discord representative told Gizmodo.

Discord confirmed that the company had mistakenly provided data to a “malicious actor” using a cop’s compromised email account:

“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies. We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

The way that criminals have managed to get away with this innovative exploit is by taking advantage of a special kind of government subpoena, called an Emergency Data Request, or EDR. Such requests are meant to be filed in life-or-death scenarios where information is needed immediately and the delay of court approval would lead to grave consequences. As such, EDRs skip the court sign-off and the slower internal review that companies are supposed to carry out with normal data requests. Mark Rasch, a former Justice Department prosecutor, told Krebs that an EDR amounted to an “emergency process, almost like you see on Law & Order, where they say they need certain information immediately,” and tech companies tend to dutifully respond.

Phony EDRs are a new use of a common tactic: sending from an email account that really does belong to the victim organization, rather than a spoofed lookalike address. Krebs reports that compromised cop email accounts are frequently put up for sale on the Dark Web. Purchase one of those suckers, and a hacker is in business, because every sender check a platform runs will come back clean.
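To make concrete why Discord's “genuine source” check is not enough on its own, here is an added illustration (not Discord's actual process, not code from Krebs's reporting, and not any platform's real policy) of how an EDR inbox might triage an incoming request. A message sent from a hijacked agency mailbox passes SPF, DKIM and DMARC exactly like a legitimate one, so the triage routine below never releases data on email evidence alone; it holds the request until someone confirms it over a channel the attacker does not control, such as a phone number taken from a public directory rather than from the email. The sample email, the agency domain `police.example.gov`, the platform address and the callback number are all constructed placeholders for this example.

```python
"""Illustrative EDR triage: example code, not any platform's real workflow."""
import email
import email.utils
from email import policy

# Agencies the platform has verified before, mapped to a callback number taken
# from a public directory (never from the request itself). Values are made up.
KNOWN_AGENCIES = {
    "police.example.gov": "+1-555-0100",
}


def build_sample(spf="pass", dkim="pass", dmarc="pass",
                 sender="det.smith@police.example.gov"):
    """Construct a sample EDR email. Entirely fabricated for this example."""
    domain = sender.rpartition("@")[2]
    return "\n".join([
        f"From: Det. Smith <{sender}>",
        "To: lawenforcement@platform.example",
        "Subject: EMERGENCY DISCLOSURE REQUEST - imminent risk of death",
        "Authentication-Results: mx.platform.example; "
        f"spf={spf} smtp.mailfrom={domain}; "
        f"dkim={dkim} header.d={domain}; "
        f"dmarc={dmarc} header.from={domain}",
        "",
        "Please provide subscriber info and IP logs for user ID 000000 immediately.",
    ])


def parse_auth_results(msg):
    """Return {method: result} from the Authentication-Results header.

    Accepts either raw email text or a parsed message object.
    """
    if isinstance(msg, str):
        msg = email.message_from_string(msg, policy=policy.default)
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        clause = clause.strip()
        if not clause:
            continue
        method, _, rest = clause.partition("=")
        results[method.strip().lower()] = rest.split()[0].lower()
    return results


def triage_edr(raw, callback_confirmed=False):
    """Decide what to do with a raw EDR email.

    Returns (decision, reasons) with decision in {'reject', 'hold', 'escalate'}.
    'escalate' (hand to the disclosure team) is only reachable after an
    out-of-band confirmation; the email headers alone can at best earn 'hold'.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)

    if domain not in KNOWN_AGENCIES:
        return "reject", [f"unknown sender domain {domain!r}"]
    if any(auth.get(m) != "pass" for m in ("spf", "dkim", "dmarc")):
        return "reject", [f"email authentication failed: {auth}"]

    reasons = ["domain known and SPF/DKIM/DMARC pass"]
    # A compromised mailbox passes every check above. Only confirmation over
    # a channel the attacker does not control separates it from a real one.
    if not callback_confirmed:
        reasons.append(
            f"hold: call {KNOWN_AGENCIES[domain]} from the directory and confirm")
        return "hold", reasons
    reasons.append("request confirmed out of band")
    return "escalate", reasons


if __name__ == "__main__":
    print(triage_edr(build_sample()))                          # hold
    print(triage_edr(build_sample(), callback_confirmed=True)) # escalate
    print(triage_edr(build_sample(spf="fail", dmarc="fail")))  # reject
```

The point of the structure is that the compromised-account case and the legitimate case produce identical headers, so the code cannot tell them apart; the `callback_confirmed` flag stands in for a human step that has to happen outside email, and the number it dials must come from somewhere the attacker could not have edited.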

Why do hackers want data so badly that they’ll pose as the cops to get it? A hacker source told Krebs that it has become increasingly typical for cybercriminals to use EDRs to nab data for “stalking, hacking, harassing and publicly humiliating” campaigns against their victims.

Following the publication of Krebs’ story, a fresh stub about EDRs appeared on Wikipedia, indicating the legal mechanism was not widely known. Is there any possible chance that both cops and criminals could stop collecting our data? Just a thought.
