FBI says hackers are sending fraudulent police data requests to tech giants to steal people’s private information

Date:

Share post:


The FBI is warning that hackers are obtaining private user information — including emails and phone numbers — from U.S.-based tech companies by compromising government and police email addresses to submit “emergency” data requests.

The FBI’s public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone’s life or property. The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an “uptick” around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness.

“Cyber-criminals are likely gaining access to compromised U.S. and foreign government email addresses and using them to conduct fraudulent emergency data requests to U.S. based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory.

Police and law enforcement in the U.S. generally need some kind of legal justification to seek and obtain access to private data that companies store on their servers. Typically for a person’s private content, like their files, emails or messages, police need to provide enough evidence of a possible crime before a U.S. court will issue a search warrant allowing the police to request that information from a private company. Police can issue subpoenas — which don’t require going to a court — requesting companies to access limited amounts of information about a user, such as their basic account information, like their username, account logins, email addresses and phone numbers, and sometimes their approximate location.

There are also emergency requests, a procedure in which law enforcement can urgently seek a person’s information from a company in the event of an immediate risk, where there is no time to seek a court order.

It’s these emergency requests that federal authorities say some cybercriminals are abusing.

The FBI said in its advisory that it had seen several public posts made by known cybercriminals over 2023 and 2024, claiming access to email addresses used by U.S. law enforcement and some foreign governments. The FBI says this access was ultimately used to send fraudulent subpoenas and other legal demands to U.S. companies seeking private user data stored on their systems.

The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police accounts to send emails to companies requesting user data. In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would “suffer greatly or die” unless the company in question returns the requested information.

The FBI said the compromised access to law enforcement accounts allowed the hackers to generate legitimate-looking subpoenas that resulted in companies turning over usernames, emails, phone numbers, and other private information about their users. But not all fraudulent attempts to file emergency data requests were successful, the FBI said.

Cybercriminals often use the requested data for harassment, doxing, and targeting individuals with financial fraud schemes, according to a Bloomberg report from 2022, which found at the time that hackers had obtained user information from customers of Apple, and Facebook and Instagram-owner Meta, by filing fraudulent emergency data requests. Snap, the maker of Snapchat, and Discord were also reportedly targeted.

Apple, Google, Meta, and Snap, which store huge amounts of customers’ personal and private data, collectively receive tens of thousands of emergency data requests every year.

Bloomberg reported in 2022 that some of the fraudulent emergency data requests date as far back as early 2021, and were carried out by groups of mostly teenagers and young adults, such as Recursion Team, and later, Lapsus$, which went on to hack into some of the world’s largest companies, including Uber.

The FBI said in its advisory that law enforcement organizations should take steps to improve their cybersecurity posture to prevent intrusions, including stronger passwords and multi-factor authentication. The FBI said that private companies “should apply critical thinking to any emergency data requests received,” given that cybercriminals “understand the need for exigency.”



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Supersonic aircraft startup Exosonic is shutting down

Exosonic, a startup developing supersonic commercial air travel and UAV tech, is winding down after five years...

Tesla is part of the trillion-dollar club again

Tesla shares have popped since the U.S. election as investors bet that a Trump presidency will benefit...

Led by a founder who sold a video startup to Apple, Panjaya uses deepfake techniques to bite into video dubbing

There’s a big opportunity for generative AI in the world of translation, and a startup called Panjaya...

Block scales back TIDAL investment and shutters TBD in favor of Bitcoin mining

Jack Dorsey’s Block is scaling back its investment in TIDAL, the music streaming platform once owned by...

Crypto CEO kidnapped in Toronto, released after paying $1M ransom

The CEO of Canadian cryptocurrency firm WonderFi was kidnapped and held for ransom on Wednesday, according to...

Amazon may up its investment in Anthropic — on one condition

Amazon is considering increasing its investment in OpenAI rival Anthropic. According to The Information, Amazon is in talks...

AI-powered parenting is here and a16z is ready to back it 

AI wants to help us drive better, write better and diagnose diseases faster. Now imagine AI helping...

Yelp just spent $80M on a site for car repair estimates

Yelp, which made a name for itself giving restaurant recs, just bought an auto services website. In the...