Criminals Are Still Using Bogus Law Enforcement Subpoenas To Obtain Users’ Info
from the abusing-the-same-tools-the-cops-abuse dept
Maybe if law enforcement didn’t abuse subpoenas so frequently, it might be a little bit more difficult for criminals to do the same thing. Subpoenas can be used to order companies and service providers to turn over user data and information. But they don’t require law enforcement to run this request past a court first, so subpoenas are the weapon of choice if investigators just don’t have the probable cause they need to actually obtain a warrant.
The FBI has a long history of abusing its subpoena power, crafting National Security Letters to obtain information it thinks it might not be able to acquire if it allowed a court to review the request. In fact, FBI investigators have been known to send out NSLs demanding the same info requested by their rejected warrant applications.
Most companies don’t have the time or personnel to vet every subpoena they receive to ensure it’s legitimate and only demanding info or data that can be legally obtained without a warrant. As long as it originates from a law enforcement email address or has some sort of cop shop logo on it, they’ll probably comply.
This has led to several successful exfiltrations of personal data by cybercriminals. The latest wave of bogus subpoenas has apparently been effective enough that the FBI (which is part of the problem) has decided it’s time to step in. Here’s Zack Whittaker with the details for TechCrunch:
The FBI’s public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone’s life or property. The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an “uptick” around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness.
“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory.
The full notice [PDF] gives more detail on how this is being accomplished, which involves utilizing data and personal info obtained through previous hacks or data leaks. Once a criminal has enough information to impersonate a cop, all they need is some easy-to-find subpoena boilerplate and a little bit of info about their targets. It also helps to know what might motivate faster responses while limiting the number of questions asked by service providers.
In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would “suffer greatly or die” unless the company in question returns the requested information.
To combat this, the FBI suggests recipients of law enforcement subpoenas start doing the sort of thing they should have been doing all along, which is also the sort of thing that law enforcement agencies seem to consider being a low-level form of obstruction. Investigators tend to be “We’ll be asking the questions here” people and seem to resent even the most minimal pushback when engaging in fishing expeditions via subpoena.
Private Sector Companies receiving Law Enforcement requests should apply critical thinking to any emergency data requests received. Cyber-criminals understand the need for exigency, and use it to their advantage to shortcut the necessary analysis of the emergency data request. FBI recommends reviewers pay close attention to doctored images such as signatures or logos applied to the document. In addition, FBI recommends looking at the legal codes referenced in the emergency data request, as they should match what would be expected from the originating authority.
The rest of the notice tells law enforcement agencies to do all the basic security stuff they should have been doing all along to prevent exactly this sort of thing from happening.
But what’s not suggested as a fix is one of the more obvious solutions: move away from subpoenas and rely on warrants instead. This would spare service providers from stepping into the role of magistrate judge every time a subpoena arrives, having to determine whether the request is legitimate and properly supported by existing law. It would also mean cybercriminals could no longer obtain user information by doing little more than sending emails from compromised accounts. While it’s not impossible to forge court orders and warrants, it’s a bit more difficult than only having to impersonate a single person or law enforcement entity when sending bogus paperwork to tech companies.
Of course, no law enforcement agency would be willing to make this switch even if it meant protecting thousands of innocent people from being victimized by cybercriminals. Whatever makes things easier for cops to get what they want also makes it easier for criminals to do the same thing. If nothing else, maybe a few law enforcement officials will realize the parallels this has to mandating weakened encryption or encryption backdoors: what works better for cops works better for criminals.
Filed Under: cybercrime, fbi, privacy, security, subpoenas
Comments on “Criminals Are Still Using Bogus Law Enforcement Subpoenas To Obtain Users’ Info”
These kinds of phishing are pretty common (often with the need for an urgent response), and AI can produce very convincing emails, but since they’re supposed to come from federal law enforcement, why not just open a (private) ticket on the FBI website to know it’s from a legit provider and not some random joe@fbi.com?
Re:
… I see what you did there.
It also pays to verify phone numbers you are supposed to respond to. Just because the person on the other end responds “FBI office” doesn’t mean it’s an FBI office.
Racketeering involves protecting your racket
It is important to tell those from genuine US and foreign government email addresses used for conducting fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal (read “unlawful”) purposes.
Because although either is of course illegal, the latter is less likely to draw the ire of authorities tasked with protecting U.S. citizens from such abuse and expose the companies to a serious risk of finger-wagging.
Techdirt:
Techdirt commenters:
Techdirt trolls, the Fifth Circuit, et al.:
Except that copy and paste means no doctoring is required.
Right, because cybercriminals never search legal codes ever. So they would never be able to send a fake subpoena to Mike (for example) under Title 17, Sections 501 and 1101 for the alleged offense of illegally downloading music files.
This is where security theater makes things worse
“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them […]
Before I get started, I should note that this observation isn’t original with me; it’s from one of the Internet’s most senior email admins. I’m just restating it here.
Over the past 20 years or so, a number of “anti-forgery” email technologies have been deployed: SPF, DomainKeys, DKIM, DMARC, and so on. The details aren’t important. What’s important is that they’re out there and that a lot of UI changes have been made as a consequence. In particular, messages which pass validation by one/more of these technologies are marked “authenticated” or “valid” or “verified” in the user interfaces of an increasing number of email systems, including some of the biggest.
This in turn is training users that if the UI says the message is authentic…it is. I trust you see where this is going: once someone has control of an email account, anything they send will be labeled as legitimate, recipients will glance at that and not question it, and then they’ll act on it.
Which means that we’re much, much worse off than we were 20+ years ago, when we trained users (as best as we could) to NEVER believe the content of an important mail message without independent/out-of-band verification. And given that batches of email account credentials are readily available in any quantity on darknet sites, any attacker who feels like it can exploit this cheaply and at will.
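As an added example, not code from the article, the FBI notice or any commenter, the Python triage helper below combines the FBI's recommendation quoted earlier (the legal codes cited in an emergency data request should match what the originating authority would be expected to cite) with this comment's point that an SPF/DKIM/DMARC "pass" only proves control of a mailbox. It parses the Authentication-Results header (RFC 8601), extracts statute citations from the body, flags exigency language, and always holds the request for callback on an independently obtained number. The domain names, statute citations and sample message are constructed; the jurisdiction patterns and urgency keywords are illustrative assumptions, not a legal reference.

```python
"""Added example: triage an inbound emergency data request (EDR) before anyone
acts on it. Not code from the article, the FBI notice or any commenter; the
domains, statute citations and sample message below are constructed, and the
jurisdiction and urgency patterns are illustrative assumptions."""
import email
import re
from email import policy

# Illustrative citation patterns (assumption: a federal requester would cite
# the U.S. Code; a state requester its own state code). Not a legal reference.
FEDERAL_CODE = re.compile(r"\b\d{1,2}\s+U\.S\.C\.\s+(?:§\s*|section\s+)?\d+\w*", re.I)
STATE_CODE = re.compile(r"\b(?:Cal|Tex|N\.Y)\.\s+\w+\s+Code\s+(?:§\s*|section\s+)?\d+", re.I)
# Exigency phrasing of the kind the FBI notice says is used to rush reviewers.
URGENCY = re.compile(r"suffer greatly|\bdie\b|imminent|human trafficking|within \d+ hours", re.I)


def parse_auth_results(msg):
    """Return {method: result} from an Authentication-Results header (RFC 8601).
    The first ';'-separated field is the authserv-id and is skipped."""
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def cited_codes(text):
    """Statute citations found in the request body, split by jurisdiction."""
    return {"federal": FEDERAL_CODE.findall(text), "state": STATE_CODE.findall(text)}


def triage(raw_message, claimed_jurisdiction):
    """Collect review points for an EDR. The action never depends on the email
    alone: every request is held for callback on an independently obtained number."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    auth = parse_auth_results(msg)
    codes = cited_codes(body)
    points = []
    if not codes["federal"] and not codes["state"]:
        points.append("no legal authority cited")
    elif claimed_jurisdiction == "federal" and not codes["federal"]:
        points.append("federal requester cites only state code")
    elif claimed_jurisdiction == "state" and not codes["state"]:
        points.append("state requester cites only federal code")
    if URGENCY.search(body):
        points.append("exigency language present: do not let urgency shortcut review")
    if all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
        points.append("SPF/DKIM/DMARC pass proves mailbox control, not requester identity")
    return {
        "sender": str(msg.get("From", "")),
        "auth": auth,
        "codes": codes,
        "review_points": points,
        "action": "callback_required",
    }


# Constructed sample: a message that passes all three authentication checks
# (as one sent from a compromised government mailbox would) but cites a
# state code while claiming federal authority.
SAMPLE_EDR = """\
Authentication-Results: mx.provider.test; spf=pass smtp.mailfrom=agency.example; dkim=pass header.d=agency.example; dmarc=pass header.from=agency.example
From: Special Agent <agent@agency.example>
To: lawenforcement@provider.test
Subject: EMERGENCY DISCLOSURE REQUEST - IMMEDIATE RESPONSE REQUIRED

Pursuant to Cal. Penal Code Section 9999 this office requests subscriber
records for account 12345 within 2 hours. The subject will suffer greatly
or die unless the records are produced immediately.
"""

if __name__ == "__main__":
    for point in triage(SAMPLE_EDR, "federal")["review_points"]:
        print("-", point)
```

The design point is that the authentication result is reported as a review note rather than as a reason to release data: a compromised but genuine agency mailbox passes every check, so the only step that establishes who is actually asking is the callback to a number the provider already holds, which is why `action` is constant.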
'What do you mean security exploits we demanded are being used by other people?!'
I am shocked, shocked I say to find out that criminals aren’t blithering idiots and have caught on to the fact that law enforcement loves their warrantless demands for information so much that they’ve trained companies to just hand over whatever is ‘requested’ without asking questions or pushing back so long as the one issuing the ‘requests’ has a badge or claims to have the related authority.
Who ever could have seen that coming?
Re:
Well, to be honest, we have been taking the truly stupid ones – the ones who post selfies of themselves in the white house during a riot, the ones who post pictures of the gun they’re not allowed to own, etc – out of the crime pool.
Re:
Everyone. It is a universal truth that corners will be cut until walls come tumbling down. Treason is a less dreadful opponent than convenience.