Hackers Gaining Power of Subpoena via Fake ‘Emergency Data Requests’ krebsonsecurity.com

Brian Krebs:

There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

Bold. Yet again, the most effective techniques for illicitly obtaining information are confidence tricks, not technical expertise. People Krebs interviewed acknowledge this kind of attack is virtually impossible to defend against without, in the words of one security specialist, “completely redoing how we think about identity on the internet on a national scale”. I am sure that is true on an international scale, too; these requests are sent by law enforcement agencies around the world in a legitimate capacity, which opens them all up to fraud.

William Turton, Bloomberg:

Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don’t require a court order.

Snap Inc. received a forged legal request from the same hackers, but it isn’t known whether the company provided data in response. It’s also not clear how many times the companies provided data prompted by forged legal requests.

Discord also provided data, according to Krebs.