“Hackers Gaining Power of Subpoena Via Fake ‘Emergency Data Requests’”, 2022-03-29:
[Bloomberg confirmation] There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
…It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately…“And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately”, Rasch continued. “Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there’s no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they’ll comply.”…To make matters more complicated, there are tens of thousands of police jurisdictions around the world—including roughly 18,000 in the United States alone—and all it takes for hackers to succeed is illicit access to a single police email account.
…The founder of the Recursion Team was a then 14-year-old from the United Kingdom who used the handle “Everlynn”. On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.
“Services [include] Apple, Snapchat, Google (more expensive), not doing Discord, basically any site mostly”, read Everlynn’s ad, which was posted by the user account “InfinityRecursion.” A month prior on Cracked, Everlynn posted a sales thread, “1× Government Email Account || BECOME A FED!”, which advertised the ability to send email from a federal agency within the government of Argentina.
“I would like to sell a government email that can be used for subpoena for many companies such as Apple, Uber, Instagram, etc.”, Everlynn’s sales thread explained, setting the price at $150. “You can breach users and get private images from people on Snapchat like nudes, go hack your girlfriend or something ha ha. You won’t get the login for the account, but you’ll basically obtain everything in the account if you play your cards right. I am not legally responsible if you mishandle this. This is very illegal and you will get raided if you don’t use a VPN. You can also breach into the government systems for this, and find LOTS of more private data and sell it for way, way more.”
…KrebsOnSecurity recently interviewed the past and current owner of the Doxbin—an established hacker who goes by the handle “KT.” According to KT, it is becoming more common for hackers to use EDRs for stalking, hacking, harassing and publicly humiliating others. KT shared several recent examples of fraudulent EDRs obtained by hackers who bragged about their success with the method. “Terroristic threats with a valid reason to believe somebody’s life is in danger is usually the go-to”, KT said, referring to the most common attestation that accompanies a fake EDR.
One of the phony EDRs shared by KT targeted an 18-year-old from Indiana, and was sent to the social media platform Discord earlier this year. The document requested the Internet address history of Discord accounts tied to a specific phone number used by the target. Discord complied with the request. “Discord replies to EDRs in 30 minutes to one hour with the provided information”, KT claimed. Asked about the validity of the unauthorized EDR shared by KT, Discord said the request came from a legitimate law enforcement account that was later determined to have been compromised.
…KT said fake EDRs don’t have to come from police departments based in the United States, and that some people in the community of those sending fake EDRs are hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization. In other cases, KT said, hackers will try to guess the passwords of police department email systems. In these attacks, the hackers will identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously. “A lot of governments overseas are using WordPress, and I know a kid on Telegram who has multiple shells on gov sites”, KT said. “It’s near impossible to get US dot-govs nowadays, although I’ve seen a few people with it. Most govs use [Microsoft] Outlook, so it’s more difficult because there’s usually some sort of multi-factor authentication. But not all have it.”
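As an added, defender-side illustration (not code from the article, KrebsOnSecurity, or any provider), the following sketches what an EDR intake check could look like for the gap Rasch describes: instead of complying because the request "looks right", the provider compares the sender against an agency registry it maintains itself, and only releases data after a human reaches the agency on the phone number on record, never the one printed in the request. The registry contents, domain names and function names are constructed assumptions. The hold-for-callback rule is deliberate: as the Discord case shows, a request can come from a genuine agency mailbox that was compromised, so header checks alone cannot clear it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed registry of what the provider keeps on record per agency
# (hypothetical data, not from the article). Keyed by the agency's mail domain;
# the phone number is one the provider verified independently in advance.
AGENCY_REGISTRY: Dict[str, dict] = {
    "records.examplepd.example": {
        "callback_phone": "+1-555-0100",
        "legal_process_mailboxes": {"legal@records.examplepd.example"},
    },
}


@dataclass
class EmergencyDataRequest:
    sender: str                  # From: address of the incoming email
    claimed_agency_domain: str   # agency named in the letterhead / body
    callback_phone: str          # number the request asks the provider to call
    attestation: str             # the life-or-death justification text
    requested_data: str          # e.g. "IP login history for account X"


@dataclass
class Triage:
    decision: str                          # "reject" or "hold_for_callback"
    findings: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None  # number ON RECORD, not from the email


def triage_edr(req: EmergencyDataRequest, registry=AGENCY_REGISTRY) -> Triage:
    """Inline checks on the request. They can reject, but can never release data."""
    domain = req.sender.rsplit("@", 1)[-1].lower()
    record = registry.get(domain)
    if record is None:
        return Triage("reject", ["sender domain is not a registered law-enforcement domain"])

    findings: List[str] = []
    if req.claimed_agency_domain.lower() != domain:
        findings.append("agency named in the request does not match the sending domain")
    if req.sender.lower() not in record["legal_process_mailboxes"]:
        findings.append("sender is not a known legal-process mailbox for this agency")
    if req.callback_phone != record["callback_phone"]:
        findings.append("callback number in the request differs from the number on record")

    # A clean request is still only held: a compromised but genuine agency mailbox
    # (the Discord case in the article) passes every check above.
    return Triage("hold_for_callback", findings, callback_number=record["callback_phone"])


def finalize(triage: Triage, confirmed_by_phone: bool) -> str:
    """Release only after a human confirmed the request on the number on record."""
    if triage.decision == "reject":
        return "reject"
    return "release" if confirmed_by_phone else "reject"


if __name__ == "__main__":
    # Constructed sample request, not one of the EDRs described in the article.
    req = EmergencyDataRequest(
        sender="officer@records.examplepd.example",
        claimed_agency_domain="records.examplepd.example",
        callback_phone="+1-555-0199",
        attestation="imminent threat to life",
        requested_data="IP login history for account X",
    )
    t = triage_edr(req)
    print(t.decision, t.findings, "call:", t.callback_number)
    print(finalize(t, confirmed_by_phone=False))
```

The findings list is advisory for the analyst making the call; the decision itself has only two outcomes, and the urgency attestation never shortens the path to release, because that attestation is exactly the part an attacker controls.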