The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies.
In an alert (PDF) published this week, the FBI said it has seen un uptick in postings on criminal forums regarding the process of emergency data requests (EDRs) and the sale of email credentials stolen from police departments and government agencies.
“Cybercriminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” the FBI warned.
In the United States, when federal, state or local law enforcement agencies wish to obtain information about an account at a technology provider — such as the account’s email address, or what Internet addresses a specific cell phone account has used in the past — they must submit an official court-ordered warrant or subpoena.
Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted (eventually, and at least in part) as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.
In some cases, a cybercriminal will offer to forge a court-approved subpoena and send that through a hacked police or government email account. But increasingly, thieves are relying on fake EDRs, which allow investigators to attest that people will be bodily harmed or killed unless a request for account data is granted expeditiously.
The trouble is, these EDRs largely bypass any official review and do not require the requester to supply any court-approved documents. Also, it is difficult for a company that receives one of these EDRs to immediately determine whether it is legitimate.
In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.
Perhaps unsurprisingly, compliance with such requests tends to be extremely high. For example, in its most recent transparency report (PDF) Verizon said it received more than 127,000 law enforcement demands for customer data in the second half of 2023 — including more than 36,000 EDRs — and that the company provided records in response to approximately 90 percent of requests.
One English-speaking cybercriminal who goes by the nicknames “Pwnstar” and “Pwnipotent” has been selling fake EDR services on both Russian-language and English cybercrime forums. Their prices range from $1,000 to $3,000 per successful request, and they claim to control “gov emails from over 25 countries,” including Argentina, Bangladesh, Brazil, Bolivia, Dominican Republic, Hungary, India, Kenya, Jordan, Lebanon, Laos, Malaysia, Mexico, Morocco, Nigeria, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Tunisia, Turkey, United Arab Emirates (UAE), and Vietnam.
“I cannot 100% guarantee every order will go through,” Pwnstar explained. “This is social engineering at the highest level and there will be failed attempts at times. Don’t be discouraged. You can use escrow and I give full refund back if EDR doesn’t go through and you don’t receive your information.”
An ad from Pwnstar for fake EDR services.
A review of EDR vendors across many cybercrime forums shows that some fake EDR vendors sell the ability to send phony police requests to specific social media platforms, including forged court-approved documents. Others simply sell access to hacked government or police email accounts, and leave it up to the buyer to forge any needed documents.
“When you get account, it’s yours, your account, your liability,” reads an ad in October on BreachForums. “Unlimited Emergency Data Requests. Once Paid, the Logins are completely Yours. Reset as you please. You would need to Forge Documents to Successfully Emergency Data Request.”
Still other fake EDR service vendors claim to sell hacked or fraudulently created accounts on Kodex, a startup that aims to help tech companies do a better job screening out phony law enforcement data requests. Kodex is trying to tackle the problem of fake EDRs by working directly with the data providers to pool information about police or government officials submitting these requests, with an eye toward making it easier for everyone to spot an unauthorized EDR.
If police or government officials wish to request records regarding Coinbase customers, for example, they must first register an account on Kodexglobal.com. Kodex’s systems then assign that requestor a score or credit rating, wherein officials who have a long history of sending valid legal requests will have a higher rating than someone sending an EDR for the first time.
It is not uncommon to see fake EDR vendors claim the ability to send data requests through Kodex, with some even sharing redacted screenshots of police accounts at Kodex.
Matt Donahue is the former FBI agent who founded Kodex in 2021. Donahue said just because someone can use a legitimate police department or government email to create a Kodex account doesn’t mean that user will be able to send anything. Donahue said even if one customer gets a fake request, Kodex is able to prevent the same thing from happening to another.
Kodex told KrebsOnSecurity that over the past 12 months it has processed a total of 1,597 EDRs, and that 485 of those requests (~30 percent) failed a second-level verification. Kodex reports it has suspended nearly 4,000 law enforcement users in the past year, including:
-1,521 from the Asia-Pacific region;
-1,290 requests from Europe, the Middle East and Asia;
-460 from police departments and agencies in the United States;
-385 from entities in Latin America, and;
-285 from Brazil.
Donahue said 60 technology companies are now routing all law enforcement data requests through Kodex, including an increasing number of financial institutions and cryptocurrency platforms. He said one concern shared by recent prospective customers is that crooks are seeking to use phony law enforcement requests to freeze and in some cases seize funds in specific accounts.
“What’s being conflated [with EDRs] is anything that doesn’t involve a formal judge’s signature or legal process,” Donahue said. “That can include control over data, like an account freeze or preservation request.”
In a hypothetical example, a scammer uses a hacked government email account to request that a service provider place a hold on a specific bank or crypto account that is allegedly subject to a garnishment order, or party to crime that is globally sanctioned, such as terrorist financing or child exploitation.
A few days or weeks later, the same impersonator returns with a request to seize funds in the account, or to divert the funds to a custodial wallet supposedly controlled by government investigators.
“In terms of overall social engineering attacks, the more you have a relationship with someone the more they’re going to trust you,” Donahue said. “If you send them a freeze order, that’s a way to establish trust, because [the first time] they’re not asking for information. They’re just saying, ‘Hey can you do me a favor?’ And that makes the [recipient] feel valued.”
Echoing the FBI’s warning, Donahue said far too many police departments in the United States and other countries have poor account security hygiene, and often do not enforce basic account security precautions — such as requiring phishing-resistant multifactor authentication.
How are cybercriminals typically gaining access to police and government email accounts? Donahue said it’s still mostly email-based phishing, and credentials that are stolen by opportunistic malware infections and sold on the dark web. But as bad as things are internationally, he said, many law enforcement entities in the United States still have much room for improvement in account security.
“Unfortunately, a lot of this is phishing or malware campaigns,” Donahue said. “A lot of global police agencies don’t have stringent cybersecurity hygiene, but even U.S. dot-gov emails get hacked. Over the last nine months, I’ve reached out to CISA (the Cybersecurity and Infrastructure Security Agency) over a dozen times about .gov email addresses that were compromised and that CISA was unaware of.”
Isn’t CISA the entity that the security pros take advice(orders?) from? Many times I read CISA says this or that and yet, they can’t lock down their own systems? Or so it seems to me an outsider. I’m expecting to get clobbered on this comment, but that’s ok.
I believe the FTC is responsible for privacy lapses of this nature. These have overlaps with security when law enforcement portals are abused technically. I think Critical Infrastructure spaces are only concerned with this if they are involved in retail or trading. This will be a small fraction which may or may not be in scope due to prioritization criteria. Privacy of personal data is not a critical infrastructure in the USA. Law enforcement procedures are governed under CALEA in telecoms. HR is rarely going to be mapped into a compliance scope and reality is people rely on knowing who is who in most businesses and still work with a lot of paper processes. As long as one has seen a form before it can be re-used in impersonation attacks.
The only exception to this may be law enforcement requests to badge access systems or proxy servers of they are scoped into the critical infrastructure space.
security “…pros…” rarely listen to anything cisa says
These are such important facts and statistics and I do not understand why identification of 18K agencies that make EDR’s is not a federal registration requirement. The data is not that high in volume compared to the Social Security Administration. Those agencies should be public data sets for anyone to work with. Almost every bit of cyber security implemented can be defeated by EDR’s. Thank you for the good investigative reporting.
“Emergency” donation requests have not quite tapered off since the general election so I’m not that surprised. On the other hand the election has a built in “trust but verify” book-close deadline on New Year’s Eve. I’m not suggesting this is even possible for spam data requests, but the process is significant.
I would hope that people responding to EDRs have at least a few filters in place to help limit the responses to fake requests. For example, don’t reply to requests for data on US persons if those persons don’t have a passport. They aren’t in the foreign country.
i’m sure they can think of many other filters to deny fake requests.
Like the filters in fake swatting incidents?
“… I do not understand why identification of 18K agencies that make EDR’s is not a federal registration requirement.”
Because federal agencies can only do what the U.S. Congress authorizes them to do and the two political parties that control the U.S. Congress rarely enact sensible legislation to the benefit of the public anymore.
Bridge for sale!
When those in government subvert your rights, invade your privacy, and move to an unGodly tracking system, they leave the security door open in order to do it and then tell the public every thing is secure for the big lie. Any one with a half of brain can see a no backdoor end-to-end encryption with a key and badge number verification system along with a phone call back system manned by real people would have slowed or stopped the cyber gurus. But then again how does some one in government spy on their opponents and citizens without leaving a paper trail for plausible deniability? Ta dah!
Conspiracy much?
I’d be more concerned with the actions of the corporate cowboys than government any day of the week. At least their security is beholden to regular mandated audits, stricter regulations and freedom of information requests as well functioning democracies should be. Unlike private corporations who have access to far greater volumes and variety of data, more incentive to collect and store that data than they really require and inconsistent security practices.
Let me ask you a question. Who is responsible for more personally identifiable information data breaches? Government or the private sector?
It varies by country and industry. However, based on available data from global cyber security reports and historical breach trends; Private Sector are responsible for 80-90% of all data breaches whereas the Government Sector is only responsible for 10-20% of all data breaches.
This means that corporate failings are mostly responsible for malicious actors (you know, the REAL bad guys) having access to YOUR information and not government. But you know better, hey?
Don’t believe me? Here you go;
2024 Data Breach Investigations Report
https://www.verizon.com/business/resources/reports/dbir/
Thank you so much for a voice of reason. It is weird how many people think the worst of their government (into which, weirdly, they are counting the entirety of public administration) but still blindly trust the private sector.
I will never forget how I saw a person on a train who had their passport in a protective “RFID sleeve” (obviously to prevent “his identity stolen” or whatever) but was happily working with two smartphones and openly discussing private matters over the phone in the train car, for about a dozen people to directly listen to (in addition to Google/Apple of course).
My feeling is this problem is beyond fixing. Education is an optional path to improve the situation, but the effect will only be felt decades later when we will have a whole ‘nother set of issues again. 🙁
It begs the question, why are companies answering to ’emergency’ data requests in the first place? The senders are entities that could very well be law-enforcement but with a minimum of verification in place they could just as easily be an imposter abusing the resulting data for their own nefarious ends. If you ask me common-sense went out the window when they started honoring EDRs and other requests strictly outside of the legal system authorized by a court and externally validated.
EDR’s are typically requested in the case of missing persons or suicidal subjects. Most companies do not want to be on the bad side of the PR game when they refused to provide information that could help locate the people when they are still alive.