Report: Apple Falls Prey to Forged Emergency Data Requests
31 MARCH 2022 - Krebs on Security ran an in-depth piece this week on a scary new scam that’s seeing ne’er-do-wells get info from big companies by pretending to be law enforcement. It’s kind of convoluted, but stick with me. If law enforcement wants info on an individual or group, it needs a court order. “But,” (and don’t you like to hear that) Krebs says:
…in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.
It seems that hackers have compromised “email accounts and websites tied to police departments and government agencies,” and have started serving these EDR requests. Since “there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate,” and since time is thought to be of the essence, it seems the information’s just kind of being handed over.
Why bring this up here? Because Apple may have been one of the companies giving up info for fake EDRs. Bloomberg (via Yahoo Finance) has three secret sources saying that Apple and Facebook have fallen prey to these scams. The piece says the two companies “provided basic subscriber details, such as a customer’s address, phone number and IP address…” Bloomberg says:
The information obtained by the hackers using the forged legal requests has been used to enable harassment campaigns, according to one of the people familiar with the inquiry. The three people said it may be primarily used to facilitate financial fraud schemes. By knowing the victim’s information, the hackers could use it to assist in attempting to bypass account security.
Apple seems to have declined to comment, choosing instead to point Bloomberg toward “a section of its law enforcement guidelines.” The report says:
The guidelines referenced by Apple say that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate…”
Those are words, but I’m not sure they’re really an answer. For its part, Facebook said:
We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse… We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.
Those are also words, the last seven of which seem to have Facebook saying, “yeah, we got fooled.” Can’t really blame either company - or any company that gets duped. As Krebs on Security points out:
…there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to succeed is illicit access to a single police email account.
Hey, maybe we should rethink the whole EDR thing.
I know - you’re the doctor. I’m the patient.