Social Engineering by “Emergency Data Request”
Bloomberg has reported that forged “Emergency Data Requests” last year induced Apple and Meta to surrender “basic subscriber details, such as a customer’s address, phone number and IP address.”
Emergency Data Requests (EDSs) come from US law enforcement authorities. But don’t they need a warrant to ask for this kind of information? Yes, normally they do. Brian Krebs explains, “In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.”
And what about tech companies like Apple and Meta? Don’t they know how to receive and respond to warrants? Again, yes, they do. Krebs explains further: “Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.”
So what’s going on with EDRs? They’re a bit different. They’re issued in special circumstances by law enforcement agencies when the authorities are concerned about a clear, imminent danger, and they can be issued without the usual legal and judicial review.
As Krebs puts it, “But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.” This is the proverbial ticking time bomb, when law enforcement needs information immediately because the threat is both imminent and grave. And of course a company receiving that kind of request wants to comply. No one wants mayhem, especially mayhem their cooperation might have prevented, and so the recipient is likely to choose responsive, quick disclosure over insistence on procedural privacy safeguards.
Unfortunately, it’s difficult to determine whether an EDR (which, remember, is by its very nature an emergency measure designed to bypass ordinary procedures) is real or not. “It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate,” Krebs writes. “Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.”
Thus urgency, here as in so many other cases, seems to have served to lower the victims’ guard. None of the companies who were affected by the scam are without experience in handling requests from law enforcement, and they all have policies in place to prevent this sort of thing from happening. The social engineers found the procedural gap and drove through it. Changes to policy, and especially some reliable means of authenticating EDRs, should help alleviate the problem.
Researchers suspect that some, perhaps all, of those responsible for the caper were minors in the UK and the US, some of whom may also be involved with the Lapsus$ group, others with the (possibly now defunct) Recursion Team. In this case, as in so many others, realistic new school security awareness training can help employees smoke out suspicious approaches.