Criminal hackers have found a way to impersonate law enforcement and government agencies to obtain sensitive data from phone companies, internet service providers and social media platforms, the leading security website Krebs on Security reported this week.
The scam works by compromising email accounts and other online resources belonging to law enforcement, then using those credentials, along with claims that the need is urgent, to demand customer information. Tech expert Omar Gallaga told Texas Standard the hackers use emergency data requests, or EDRs, often claiming that not providing the requested data would put lives at risk.
Highlights from this segment include:
– Law enforcement and government agencies use EDRs to request data, including posts, contacts and other information, when the agency believes access to the data could prevent imminent danger or save lives. EDRs take the place of subpoenas in urgent situations.
– Hackers spoof email addresses or gain access to law enforcement accounts so that requests for data appear valid to the tech companies receiving them. Companies targeted include Apple, Discord and Meta (parent of Facebook).
– LAPSUS$ is among the most prominent of the hacker groups involved in fake EDRs. The group includes teenagers who sell access to law enforcement credentials, which can then be used to target specific users’ data.
– Stopping the practice has proved difficult, though both the FBI and Congress have begun looking into potential remedies.