FBI Warns of Uptick in Fake Emergency Data Requests
February 23, 2025
Late last year, the FBI issued a Private Industry Notification (PIN) alerting U.S.-based companies and law enforcement agencies to a rise in fraudulent Emergency Data Requests (EDRs) used by cybercriminals. The tactic is not new, but cybercriminals have started using it again, which prompted the PIN. EDRs are urgent requests for sensitive user data that bypass the standard warrant process and are typically reserved for life-threatening situations. Hackers exploit this by posing as legitimate law enforcement officers and tricking companies into releasing private user data. These requests have been particularly impactful for technology companies, such as Google, that manage vast amounts of personal data.
Starting in August, the FBI noticed an increase in underground postings regarding fraudulent EDRs. Criminals are likely gaining access to government officials’ email accounts and sending the EDRs from those accounts.
The FBI highlighted the ease with which attackers manipulate online identity, often hacking official law enforcement email accounts to make their requests appear authentic. The LAPSUS$ group notably did this. In 2022, the group hacked into some of the largest technology companies, such as Microsoft and NVIDIA, by impersonating law enforcement officials.
The agency emphasized that without comprehensive identity verification for requesters, there is no foolproof way to verify an EDR's legitimacy in real time. The potential consequences of a successful fraudulent request range from user privacy breaches to the manipulation of private data for illegal activities, such as harassment or extortion.
To avoid falling victim to these fraudulent requests, the FBI offered the following tips for organizations and individuals:
Organizations:
- Review the security posture of all third-party vendors associated with your organization.
- Monitor external connections for anomalies.
- Implement an incident recovery plan and keep it updated.
- Use secure password storage and require strong passwords.
- Offer multi-factor authentication to users.
- Apply updates and patches immediately.
- Configure accounts according to the principle of least privilege.
- Use secure remote desktop protocols.
Individuals:
- Use strong passwords that combine letters, numbers, and special characters.
- Keep all software and systems updated.
- Use two-factor authentication when available.
- Segment home networks. Typically, two network segments are available on home routers. Use one for all Internet of Things (IoT) products such as doorbells and thermostats and the other for your personal items such as laptops and smartphones.
- Keep all software and operating systems up to date.
- Remember never to use contact information sent in suspicious messages. Instead, look the information up independently.
The most important tip from the FBI is to apply critical thinking to any EDR you may see. The same applies to any link or attachment that seems even slightly suspicious. If you have doubts, you should probably trust them.
This PIN underscores the urgent need for reforms in how emergency data requests are processed, as well as increased vigilance from companies managing sensitive user data to protect against unauthorized access.
For additional information, you can look up PIN 20241104-001 on the IC3 website.