Hackers using cop emails to steal user data from Apple, Google & others

Criminal hackers are reportedly using an effective and sneaky technique with purloined law enforcement emails to steal user data from big tech, ISPs, carriers, and social media companies.

Credit: KrebsOnSecurity

More specifically, attackers are apparently masquerading as law enforcement officials to obtain data that would normally require a subpoena, according to cybersecurity journalist Brian Krebs. Generally, they're using compromised law enforcement email accounts.

The tactic also relies on a type of government inquiry called an Emergency Data Request (EDR). Normally, technology companies will only hand over user data with a court order, warrant, or subpoena. However, authorities can make an EDR in cases involving the threat of imminent harm or death -- bypassing the need for court-approved documents or official review.

According to Krebs, malicious hackers have figured out that there's no easy way for technology companies and social media firms to verify whether an EDR is legitimate.

"Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately," Krebs wrote.

The reporter found evidence of cybercriminals selling "warrant/subpoena service" to potential buyers, which they claim can get law enforcement data access from services such as Apple, Google, and Snapchat.

There's no easy way to mitigate the problem, either. Technology companies faced with an EDR have the uncomfortable choice of complying with a potentially fake request or denying a legitimate one -- and possibly putting someone's life at risk.

According to security specialist Nicholas Weaver of the University of California, Berkeley, the only way to clean up the vulnerability is for an agency like the FBI to act as the "sole identity provider for all state and local law enforcement."

"But even that won't necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?" Weaver asked.

However, the tactic may not be as widespread as other exploitation methods because many cybercriminals think of it as "too risky."

"It's highly risky if you get caught," Weaver said. "But doing this is not a matter of skill. It's one of will. It's a fundamentally unfixable problem without completely redoing how we think about identity on the Internet on a national scale."

In July 2021, U.S. lawmakers introduced a bill that could help. The legislation would call for funds to be provided to state and tribal courts so that they can adopt digital signature technology to stamp down on counterfeit court orders.
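As an added illustration of the verification gap the article describes (example code, not from AppleInsider, Krebs, or any provider), here is a sketch of the "separate identity provider" approach: the provider accepts an EDR only if it carries a tag minted by a central authority whose key the police e-mail system never sees, so a compromised mailbox alone cannot produce an acceptable request. HMAC stands in for the digital signature the bill refers to; the agency identifier, addresses, and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key held by the central authority (Weaver's "sole identity
# provider" role). A real deployment would use an HSM-held asymmetric signing
# key so providers verify with a public key instead of sharing this secret.
AUTHORITY_KEY = secrets.token_bytes(32)
REGISTERED_AGENCIES = {"ORI-EXAMPLE-001"}  # hypothetical agency identifier


def _canonical(fields: dict) -> bytes:
    # Stable serialisation so the tag covers exactly the fields the provider checks.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_edr(agency_id: str, target: str, justification: str,
              issued_at: int, ttl: int = 3600) -> dict:
    """Authority side: mint a request whose authenticity does not depend on e-mail."""
    if agency_id not in REGISTERED_AGENCIES:
        raise PermissionError("unknown agency")
    body = {"agency": agency_id, "target": target, "justification": justification,
            "exp": issued_at + ttl, "nonce": secrets.token_hex(8)}
    tag = hmac.new(AUTHORITY_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def check_edr(edr: dict, sender_email: str, now: int) -> tuple[bool, str]:
    """Provider side. The From: address is logged but deliberately NOT trusted:
    a compromised police mailbox can send from any legitimate-looking address."""
    body = {k: v for k, v in edr.items() if k != "tag"}
    expected = hmac.new(AUTHORITY_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(edr.get("tag", ""))):
        return False, f"bad or missing tag (sender {sender_email} not relied on)"
    if body.get("agency") not in REGISTERED_AGENCIES:
        return False, "agency not registered with authority"
    if now >= body.get("exp", 0):
        return False, "request expired"
    return True, "verified by authority tag, not by e-mail origin"


if __name__ == "__main__":
    good = issue_edr("ORI-EXAMPLE-001", "user@example.net", "imminent harm", issued_at=1000)
    print(check_edr(good, "detective@police.example", now=1500))
    # Same body sent from a compromised mailbox, but with no authority tag:
    stolen_mailbox = {k: v for k, v in good.items() if k != "tag"}
    print(check_edr(stolen_mailbox, "detective@police.example", now=1500))
```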

  • Reply 1 of 4
    bloggerblog Posts: 2,432 member
    Not sure what the tech limitation is here. Just provide a system where the police are required to send a unique ID with each EDR, the ID is generated by a separate system that can be verified on the other end. No matter what email address the email originates from, there's an ID for verification.
  • Reply 2 of 4
    jido Posts: 124 member
    Digital signature, as in, PGP signed?
    Doesn’t Apple already do that for iCloud to iCloud communication?

    That’s such a simple answer I don’t understand why it’s not already the norm.
  • Reply 3 of 4
    bobolicious Posts: 1,128 member
    ...I've never understood if privacy is a purported focus for Apple why iCloud email remains unencrypted on their servers and S/MIME has been left to the customer to implement...

    Is nuance in wording critical in understanding Apple's carefully crafted representations, and perhaps far more importantly Apple's intention... ?
    edited March 2022
  • Reply 4 of 4
    badmonk Posts: 1,226 member
    Makes the whole “law enforcement needs a backdoor into encrypted communication and databases to fight crime” argument seem like a bad idea. Turns out criminals will bugger that door. Once again privacy and security are perpetually at risk and the greater problem.