Hackers using cop emails to steal user data from Apple, Google & others

Credit: KrebsOnSecurity

More specifically, attackers are apparently masquerading as law enforcement officials to obtain subpoena privileged data, according to cybersecurity journalist Brian Krebs. Generally, they're using compromised law enforcement email accounts.

The tactic also relies on a type of government inquiry called an Emergency Data Request (EDR). Normally, technology companies will only hand over user data with a court order warrant or subpoena. However, authorities can make an EDR in cases involving the threat of imminent harm or death — bypassing the need for court-approved documents or official review.

According to Krebs, malicious hackers have figured out that there's no easy way for technology companies and social media firms to verify whether an EDR is legitimate.

"Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately," Krebs wrote.

The reporter found evidence of cybercriminals selling "warrant/subpoena service" to potential buyers, which they claim can get law enforcement data access from services such as Apple, Google, and Snapchat.

There's no easy way to mitigate the problem, either. Technology companies faced with an EDR have the uncomfortable choice of complying with a potentially fake request or denying a legitimate one — and possibly putting someone's life at risk.

According to security specialist Nicholas Weaver of the University of California, Berkeley, the only way to clean up the vulnerability is for an agency like the FBI to act as the "sole identity provider for all state and local law enforcement."

"But even that won't necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?" Weaver asked.

However, the tactic may not be as widespread as other exploitation methods because many cybercriminals think of it as "too risky."

"It's highly risky if you get caught," Weaver said. "But doing this is not a matter of skill. It's one of will. It's a fundamentally unfixable problem without completely redoing how we think about identity on the Internet on a national scale."

In July 2021, U.S. lawmakers introduced a bill that could help. The legislation would call for fund to be provided to state and tribal courts so that they can adopt digital signature technology to stamp down on counterfeit court orders.