Fake emergency search warrants draw Capitol Hill’s attention

On Tuesday, KrebsOnSecurity warned that hackers are increasingly using compromised government and law enforcement email accounts to obtain sensitive customer data from mobile phone providers, ISPs and social media companies. Today, one of the most tech-savvy lawmakers in the US Senate said he was troubled by the report and is now asking tech companies and federal agencies for information on how common these schemes are.

At issue are fake “emergency data requests” (EDRs) sent from hacked police or government agency email accounts. Tech companies typically require a search warrant or subpoena before providing customer or user data, but any law enforcement jurisdiction can use an EDR to request immediate access to data without a warrant, provided the requesting law enforcement officer certifies that the request relates to an urgent matter of life and death.

As Tuesday’s story showed, hackers have figured out that there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. After all, there are approximately 18,000 separate police organizations in the United States alone, and several thousand government and police agencies around the world.

Hackers exploiting this ambiguity are having remarkable success in gaining access to the data they seek, and some are now selling EDRs as a service to other online scammers.

This week’s article included a confirmation from the social media platform Discord regarding a fraudulent EDR it recently handled. On Wednesday, Bloomberg published a story confirming that both Apple and Meta/Facebook have recently complied with bogus EDRs.

Today, KrebsOnSecurity heard from Senator Ron Wyden (D-Ore.), who said he took action after reading this week’s coverage.

“Recent news reports have revealed an enormous threat to the safety and national security of Americans,” Wyden said in a statement provided to KrebsOnSecurity. “I am particularly troubled by the prospect that fake emergency orders could come from compromised foreign law enforcement agencies and then be used to target vulnerable people.”

“I am seeking information from technology companies and several federal agencies to learn more about how emergency data requests are being abused by hackers,” Wyden’s statement continued. “No one wants tech companies to deny legitimate emergency requests when someone’s safety is at stake, but the current system has obvious weaknesses that need to be addressed. Fraudulent government requests are a significant concern, and that’s why I’ve already drafted legislation to eradicate bogus warrants and subpoenas.”

Tuesday’s story showed how fraudulently obtained EDRs were a tool used by members of LAPSUS$, the data extortion group that recently hacked Microsoft, Nvidia, Okta and Samsung. It also tracked the activities of a teenage hacker from the UK who was allegedly arrested multiple times for sending fake EDRs.

That was March 2021, but similar fake EDR services are still on offer today. One example can be found on Telegram, where a member who goes by the handle “Bug” has been selling access to various police and government email accounts for the past month.

All of the access Bug currently offers was allegedly stolen from non-US police and government email accounts, including a police department in India; a government department of the United Arab Emirates; the Brazilian Secretariat of Education; and the Saudi Ministry of Education.

On March 30, Bug posted a sales thread on the cybercrime forum Breached[.]co saying he could be hired to perform fake EDRs against targets at will, provided the target account had been recently active.

“I am making LE emergency data requests for snapchat, twitter, ig [Instagram] and many more,” Bug wrote. “The information we can get: emails, IP addresses, phone numbers, photos. The account must be active within the last week or we will be rejected as shown below. I got information only from Snapchat, Twitter and IG so far.”

An individual using the nickname “Bug” has been selling access to government and police email accounts for over a month. Bug posted this sales thread on Wednesday.

KrebsOnSecurity has requested comment from Instagram, Snapchat and Twitter. This story will be updated if they respond.

The current scourge of fraudulent EDRs illustrates the dangers of relying solely on email to process lawful requests for sensitive subscriber data. In July 2021, Senator Wyden and others introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill seeks funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, typically involving copy-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to cover up negative information and past crimes,” the lawmakers said in a statement outlining their bill.

The Court Orders Digital Authenticity Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.
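The following is an added illustration, not code from Krebs on Security or from the bill, of why a digital signature closes the gap that a copy-pasted judge's signature or a hijacked agency mailbox leaves open. It uses ECDSA over NIST curve P-256 with SHA-256 from the Go standard library; the issuer registry, the issuer name “example-court” and the request texts are constructed assumptions. A signature binds the exact request text to a key on file, so pasting a genuine signature onto altered text fails, and a request signed with a key the registry does not hold fails, regardless of which email account delivered it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRequest is a constructed stand-in for a court order or emergency data
// request: the canonical request text plus a detached signature over it.
type SignedRequest struct {
	Issuer    string // identifier of the issuing court or agency (hypothetical)
	Body      string // canonical text of the order or request
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Body)
}

// Registry maps issuer identifiers to their registered public keys. A receiving
// provider would load this from a trusted directory, never from the email itself.
type Registry map[string]*ecdsa.PublicKey

// Sign produces a request signed with the issuer's private key (P-256, SHA-256).
func Sign(issuer string, priv *ecdsa.PrivateKey, body string) (SignedRequest, error) {
	digest := sha256.Sum256([]byte(body))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Issuer: issuer, Body: body, Signature: sig}, nil
}

// Verify accepts a request only if its issuer is in the registry and the
// signature matches the request text under that issuer's registered key.
func (r Registry) Verify(req SignedRequest) bool {
	pub, known := r[req.Issuer]
	if !known {
		return false // unknown issuer: cannot be authenticated, whatever the email claims
	}
	digest := sha256.Sum256([]byte(req.Body))
	return ecdsa.VerifyASN1(pub, digest[:], req.Signature)
}

// Scenario builds three constructed requests and reports which ones verify:
// a genuine signed order, the same signature copy-pasted onto altered text,
// and a request that names a registered issuer but was signed with a key
// that is not the one on file for it.
func Scenario() (genuine, copyPasted, wrongKey bool, err error) {
	courtKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	otherKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	reg := Registry{"example-court": &courtKey.PublicKey}

	// 1. A genuine order signed by the registered court key.
	order, err := Sign("example-court", courtKey, "ORDER 001: disclose subscriber records for account A")
	if err != nil {
		return
	}
	genuine = reg.Verify(order)

	// 2. The classic forgery: a real signature pasted onto a different order.
	forged := order
	forged.Body = "ORDER 001: disclose subscriber records for account B"
	copyPasted = reg.Verify(forged)

	// 3. A request claiming to come from the court but signed with an unregistered key.
	bogus, err := Sign("example-court", otherKey, "EMERGENCY: disclose subscriber records for account C")
	if err != nil {
		return
	}
	wrongKey = reg.Verify(bogus)
	return
}

func main() {
	g, c, w, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v copy-pasted=%v wrong-key=%v\n", g, c, w)
}
```

The design point is that the trust decision rests on the registry of issuer keys and on the signature over the canonical text, not on the sender's mailbox; a compromised agency email account gives the attacker neither the issuer's private key nor an entry in the registry.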

*** This is a syndicated blog post from the Security Bloggers Network, from Krebs on Security, written by Brian Krebs. Read the original post at: https://krebsonsecurity.com/2022/03/fake-emergency-search-warrants-draw-scrutiny-from-capitol-hill/

Amanda J. Marsh