Hackers disguised as police trick ISPs into handing over customer data

Hackers are now stealing the identities of law enforcement agencies and using them to force companies into giving away sensitive customer information.

The revelation was explained in detail by researchers from KrebsOnSecurity, a cybersecurity blog.

According to the report, all crooks need is access to a single email address belonging to any law enforcement agency, and a little knowledge about something called an Emergency Data Request (EDR).

A race against time

Usually, when police want data from companies such as Internet Service Providers (ISP), web hosting firms and others, they need a court order or subpoena, which involves a relatively lengthy application process.

Sometimes, however, police need to act quickly to prevent possible injury or death. In such instances, they can submit an EDR and demand the data be handed over immediately.

When businesses receive such a request, especially if it comes from a legitimate email address, they have a choice: either investigate whether the request is valid and potentially risk someone’s death, or hand over the data.

Data management is a major challenge, especially for large businesses, and most of these companies have dedicated departments working exclusively on such matters. At the same time, though, there are thousands of law enforcement agencies they are constantly in touch with. In the US alone, KrebsOnSecurity reminds, there are 18,000 police jurisdictions.

Researchers have previously linked identity theft and EDR abuse with Lapsus$, a threat group that has been making headlines recently with breaches of high-profile targets such as Samsung, Nvidia and Microsoft.

Allegedly, a person who could very well be the founder of Lapsus$ recently advertised a “subpoena service” designed to help hoodwink companies into handing over data.

Make sure employees only have access to the data they need with the best identity management services

Via KrebsOnSecurity