Hackers disguised as police trick ISPs into handing over customer data
Hackers are now stealing the identities of law enforcement agencies and using them to force companies into giving away sensitive customer information.
The revelation was explained in detail by researchers from KrebsOnSecurity, a cybersecurity blog.
According to the report, all crooks need is access to a single email address belonging to any law enforcement agency, and a little knowledge about something called an Emergency Data Request (EDR).
We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a £100 Amazon gift card (or equivalent in USD). Thank you for taking part.
A race against time
Usually, when police want data from companies such as Internet Service Providers (ISP), web hosting firms and others, they need a court order or subpoena, which involves a relatively lengthy application process.
Sometimes, however, police need to act quickly to prevent possible injury or death. In such instances, they can submit an EDR and demand the data be handed over immediately.
When businesses receive such a request, especially if it comes from a legitimate email address, they have a choice: either investigate whether the request is valid and potentially risk someone’s death, or hand over the data.
Data management is a major challenge, especially for large businesses, and most of these companies have dedicated departments working exclusively on such matters. At the same time, though, there are thousands of law enforcement agencies they are constantly in touch with. In the US alone, KrebsOnSecurity reminds, there are 18,000 police jurisdictions.
Researchers have previously linked identity theft and EDR abuse with Lapsus$, a threat group that has been making headlines recently with breaches of high-profile targets such as Samsung, Nvidia and Microsoft.
Allegedly, a person who could very well be the founder of Lapsus$ recently advertised a “subpoena service” designed to help hoodwink companies into handing over data.
Via KrebsOnSecurity