Emergency data request abuse


Many of us know that encryption backdoors are bad for security. If we design systems with a backdoor intended solely for the authorities, that same backdoor is a weakness that hackers may be able to take advantage of. For the most part, the tech community has been able to fend off encryption backdoors whenever various governments have pushed for them. However, we do have legal backdoors.

Regulations differ from country to country, but there is a public benefit for there to be legal backdoors for certain circumstances. Let’s say an anonymous Twitter/X user posts a picture of a homemade bomb with a message saying, “I’m on my way to blow up the courthouse!” In the interest of public safety, it seems reasonable for there to be some mechanism for X to hand over any data they have so that the authorities can identify and stop the attacker.

In some circumstances, the authorities need to go through the courts to get a warrant before they can compel companies to provide user data. When the situation is urgent, the authorities can send emergency data requests (EDRs) through to companies to substantially speed up the process. Over the past few years, we have seen an uptick in fraudulent emergency data requests.

What are fraudulent emergency data requests?

Earlier this month, the FBI posted a Private Industry Notification warning of an increase in fraudulent emergency data requests. Basically, hackers are compromising the email accounts of law enforcement personnel and then using those accounts to submit fraudulent emergency data requests to tech companies. The tech companies assume that the requests are legitimate and hand over the data. Once hackers have the data, they can use it in a range of other cybercrimes, such as fraud, doxing, or spearphishing.

Emergency data requests are generally issued in situations where there is an immediate threat. This poses a major challenge to the recipients of potentially fraudulent requests—they don’t have much time to verify the request before handing over the data. If they give in, they could be handing over personal data to a bad actor. If they take too long to verify the request, the extra time could cost lives. This is an especially difficult decision to make when the request is coming from a legitimate law enforcement email.

The ecosystem has evolved to such a state that there is a burgeoning market for these law enforcement email addresses. Cybercriminals are now posting these email addresses for sale on darknet marketplaces, alongside guides for how to submit an emergency data request.

Mitigating fraudulent emergency data requests

Unfortunately, apart from fairly general cybersecurity tips, the FBI document doesn’t provide much information on how organizations can protect themselves and their users from fraudulent emergency data requests. It recommends liaising with regional FBI offices and applying critical thinking when receiving these requests. It also suggests paying close attention to doctored images in the requests and looking carefully for other hallmarks of fraud.

One of the best pieces of advice from the document is to contact the sender to verify the request. You should do this via another channel, such as a phone number or another email address. In most cases of fraud, the hacker will only have control of one address, so if you contact the law enforcement agency through another channel, they should be able to confirm whether or not the request is legitimate.
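To make that out-of-band check routine rather than ad hoc, a request-intake team can script the triage so that the verification contact always comes from an independently maintained agency directory and never from the request itself. The following is an added example written for this article, not code from the FBI notification or from any vendor; the directory entries, domains and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for an agency contact directory that your organization
# maintains separately from any incoming request (hypothetical values). The
# callback channel is always taken from here: an attacker who controls a
# compromised law-enforcement mailbox also controls everything the request says.
AGENCY_DIRECTORY = {
    "police.example.gov": {"agency": "Example City PD", "phone": "+1-555-0100"},
    "sheriff.example.gov": {"agency": "Example County Sheriff", "phone": "+1-555-0199"},
}


@dataclass
class EmergencyDataRequest:
    sender: str                      # From: address on the request e-mail
    claimed_agency: str              # agency named in the request body
    callback_phone: str              # contact number the request asks you to call
    reply_to: Optional[str] = None   # Reply-To header, if one was set


@dataclass
class Triage:
    decision: str                    # "verify_out_of_band" or "escalate"
    verify_via: Optional[str]        # directory phone number to call, or None
    flags: List[str] = field(default_factory=list)


def triage_edr(req: EmergencyDataRequest) -> Triage:
    """Decide how to verify an EDR; never release data from this function."""
    flags: List[str] = []
    sender_domain = req.sender.rsplit("@", 1)[-1].lower()
    entry = AGENCY_DIRECTORY.get(sender_domain)
    if entry is None:
        # Unknown domain: no trusted channel exists, so a human must research it.
        flags.append(f"sender domain {sender_domain!r} not in agency directory")
        return Triage("escalate", None, flags)
    if entry["agency"].lower() != req.claimed_agency.lower():
        flags.append("claimed agency does not match directory entry for sender domain")
    if req.callback_phone != entry["phone"]:
        # A number that differs from the directory is a classic fraud hallmark:
        # the attacker wants you to "verify" with a line they control.
        flags.append("callback number in request differs from directory number")
    if req.reply_to and req.reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append("Reply-To points to a different domain than the sender")
    # Even a request with no flags is held until a callback on the directory
    # channel confirms it; the flags are what the analyst raises on that call.
    return Triage("verify_out_of_band", entry["phone"], flags)
```

The function only tells the analyst which trusted number to dial and what looks wrong; the release decision stays with the person who completes the callback.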


Cybersecurity and privacy writer.
