FBI issues warning as crooks ramp up emergency data request scams

November 11, 2024 TH Author

Cybercrooks abusing emergency data requests in the US isn’t new, but the FBI says it’s becoming a more pronounced issue as the year draws to a close.

The uptick in abuse was first registered in August, and the FBI recently issued a Private Industry Notification as an increasing number of US businesses and law enforcement agencies are served fraudulent requests.

Emergency data requests (EDRs) exist in the US as a legal mechanism through which law enforcement agencies can obtain the necessary information from service providers during – you guessed it – an emergency.

Usually, these requests would require a subpoena to fulfill, but the provision allows data such as who owns a specific website or phone number to be handed over to authorities in an expedited manner where needed.

A spotlight on EDRs was shone in 2022 after infosec journo Brian Krebs reported a rise in their abuse. The FBI’s latest warning claims that throughout 2023 and 2024, there has been a steady rise in the number of underground forum posts claiming to coach people on how to steal data through fraudulent EDRs for as little as $100.

That data could then be used for other criminal enterprises, such as extortion, social engineering, or simply to sell it to other crooks.

Criminals complete these requests by using compromised email addresses belonging to US and foreign governments. They send US businesses seemingly legitimate requests coming from a genuine public sector email address, and receive unvetted responses containing swathes of personally identifiable information (PII).

The FBI said the technique was used heavily by the likes of Lapsus$ back in its heyday, and the number of tutorials on how to pull it off surfacing on cybercrime forums has grown, leading many more to adopt it.

The main purpose of the notification is to raise awareness among US businesses about how to prevent account compromises – consisting of the oft-repeated, basic cybersecurity advice – rather than how to spot a fraudulent EDR specifically.

Regarding the latter point, the FBI recommends that organizations develop a close relationship with their local FBI field office as one step towards mitigating the possibility that PII is handed over to the wrong people.

“Through these partnerships, FBI can assist with identifying vulnerabilities and mitigating potential threat activity,” the notice [PDF] reads. “FBI further recommends organizations review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident.

“The cybersecurity landscape is ever-evolving, and cyber threats are becoming increasingly sophisticated. Organizations need to stay ahead of the curve using proactive approaches to mitigate risks.”

Submitting a fraudulent EDR doesn’t guarantee a PII-packed response, it should be said. They are not successful in every case.

Per the feds’ notice, PayPal was served a fake Mutual Legal Assistance Treaty (MLAT) notice in March, which is typically used when two or more countries want to collaborate and share data to support criminal investigations.

The specific case saw the criminals behind the request reference a local investigation into child trafficking, including a genuine case number and legal code, but PayPal didn’t fulfill the request for reasons unknown.

Checking the validity of the legal code is another move private sector companies receiving an EDR can make to ensure they’re not giving up personal data to unauthorized people.

The FBI recommends adopting critical thinking whenever an EDR is sent their way, and the need to understand the common tactics used by criminals to hurry along the process.

“Cybercriminals understand the need for exigency, and use it to their advantage to shortcut the necessary analysis of the emergency data request,” the notice reads. “FBI recommends reviewers pay close attention to doctored images such as signatures or logos applied to the document.

“In addition, FBI recommends looking at the legal codes referenced in the emergency data request, as they should match what would be expected from the originating authority. For example, if this request is coming from a country outside of the United States, it should not appear to be copied and pasted language from the US Title Code. Similarly, a foreign country’s law enforcement would not be attaching a US subpoena.

“If suspicion and the need for validation arises, the FBI recommends contacting the sender and originating authority to discuss the request further.”

Ahead of his Black Hat talk earlier this year, Jacob Larsen, threat researcher and offensive security lead at CyberCX, told The Register that EDRs are “still in common use.”

“Whilst they were previously reserved for sophisticated threat actors and the cost of submitting fraudulent EDRs was prohibitive ($5k+ per request), my research uncovered threat actors selling fraudulent EDRs for as low as $500 for three platform requests,” he said.

“It’s being used by all types of cybercriminals with various objectives now; the barrier to entry is much lower.”

Larsen added that EDRs are often used to supplement the data records stolen through other means such as infostealers, remote access trojans (RATs), and social engineering techniques. ®