My latest story revisits the problem of fake Emergency Data Requests (EDRs), where cybercriminals use hacked/phished police dept email accounts to request subscriber data from a range of tech/social media companies.

The FBI issued an alert this week warning about a rise in fake EDR services. I spoke w/ the CEO of Kodex, a platform that Coinbase and 59 other companies require law enforcement officials to register at in order to submit legal process. There are 18K+ police jurisdictions in the US, and many thousands more globally, so it's unrealistic to expect tech firms to maintain an extensive rolodex. Kodex tackles the challenges of fake EDRs and subpoenas by letting tech firms see if any other customers have received requests from the same sender, and assigns each submitter a confidence rating.

An increasing number of fake EDR vendors are advertising access to Kodex law enforcement accounts, but creating an account with a legit law enforcement email is not hard: Sending from one is. Kodex told KrebsOnSecurity that over the past 12 months it has processed a total of 1,597 EDRs, and that 485 of those requests (~30 percent) failed a second-level verification. Kodex reports it has suspended nearly 4,000 law enforcement users in the past year, including:

- 1,521 from the Asia-Pacific region;
- 1,290 requests from Europe, the Middle East and Asia;
- 460 from police departments and agencies in the United States;
- 385 from entities in Latin America, and;
- 285 from Brazil.

Here's something else I learned (and the fraud possibilities in the short run here are virtually limitless):

"Donahue said one concern shared by recent prospective customers is that crooks are seeking to use phony law enforcement requests to freeze and in some cases seize funds in specific accounts.

“What’s being conflated [with EDRs] is anything that doesn’t involve a formal judge’s signature or legal process,” Donahue said. “That can include control over data, like an account freeze or preservation request.”

In a hypothetical example, a scammer uses a hacked government email account to request that a service provider place a hold on a specific bank or crypto account that is allegedly subject to a garnishment order, or party to crime that is globally sanctioned, such as terrorist financing or child exploitation.

A few days or weeks later, the same impersonator returns with a request to seize funds in the account, or to divert the funds to a custodial wallet supposedly controlled by government investigators.

“In terms of overall social engineering attacks, the more you have a relationship with someone the more they’re going to trust you,” Donahue said. “If you send them a freeze order, that’s a way to establish trust, because [the first time] they’re not asking for information. They’re just saying, ‘Hey can you do me a favor?’ And that makes the [recipient] feel valued.”"

https://krebsonsecurity.com/2024/11/fbi-spike-in-hacked-police-emails-fake-subpoenas/

https://www.ic3.gov/CSA/2024/241104.pdf