Hackers Exploit Fake Emergency Data Requests to Access Sensitive Data

April 29, 2025
Hackers submit fake EDR requests, compromising data security.

Hackers with compromised government email addresses can access highly sensitive data on major platforms in as little as 30 minutes.

Threat actors are increasingly taking advantage of emergency data request (EDR) systems to extract highly sensitive user data from major online platforms. EDRs are intended to grant government and law enforcement the means to locate individuals in potentially life-threatening situations.

The data granted by a successful EDR can include users’ IP addresses, phone numbers, and even physical addresses. A criminal having access to such data can use it to commit identity fraud, phishing and doxxing attacks, or even track victims’ location data in real time. Bad actors who impersonate government or law enforcement officials can exploit this sensitive data to devastating effect.

A thriving black market

Bad actors on hacking forums and darknet marketplaces are selling fake EDRs and fake government email addresses, which may be used to submit EDRs to major online platforms. As well as sharing tips on crafting convincing fake requests, these forums allow for the sale of access to compromised government and law enforcement email accounts. Vendors can be found offering fake EDR services for as little as $100, with some claiming a turnaround time of as little as 30 minutes.

A vendor on a darknet forum offering fake EDRs as a service

 


Our research uncovered threat actors offering EDRs as a service targeting a wide range of online platforms, including:

  • Social media networks 
  • Dating apps
  • Cryptocurrency exchanges
  • Image hosting services
  • Rideshare platforms

Threat actors also claim that they are able to leverage compromised government and law enforcement email addresses from dozens of countries in order to obtain sensitive user information. 

Legal and reputational risks to companies

Technology companies serving large numbers of users are inundated with legitimate requests from law enforcement and government agencies, with an estimated hundreds of thousands of EDRs granted each year. Threat actors exploiting this system place all these platforms in a difficult position: they may either leak sensitive information to criminal elements or prevent emergency services from reaching individuals at immediate risk.

Mitigation through cooperation

In order to prevent either undesirable outcome, it is up to online platforms, in cooperation with law enforcement, to create a more robust EDR verification system. Among the best practices we recommend are implementing tracking mechanisms for EDRs, which log metadata like IP addresses and may help security teams to spot suspicious anomalies before complying with the request.

In addition, cooperation with threat intelligence providers can help keep tabs on threat actor chatter associated with EDRs. This means that technology companies can stay ahead of the curve of new trends, and identify the threat actors and compromised email addresses involved in fake EDR activity. 

Companies can attempt to spot specific trends and threat actors through routine searches of hacker forums, public channels, groups, and messaging apps where EDR vendors tend to facilitate communication with their buyers.
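
The request tracking and threat-intelligence checks recommended above can be combined into a triage step that runs before any data is released. The Python below is an added example, not code from this article or from any platform; the record fields, the per-agency network history, the flagged-sender list and every sample value are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All values are constructed (documentation IP ranges, example.* domains);
# none come from the article or from a real platform.
KNOWN_AGENCY_NETWORKS = {  # sender domain -> networks seen on earlier verified requests
    "police.example.gov": [ip_network("192.0.2.0/24")],
}
FLAGGED_SENDERS = {"j.doe@police.example.gov"}  # hypothetical threat-intel list of compromised mailboxes


@dataclass
class EdrRequest:
    request_id: str
    sender: str
    source_ip: str
    prior_requests_from_sender: int


def triage(req: EdrRequest) -> list[str]:
    """Return reasons to hold the request for manual verification; empty list means none found."""
    reasons = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    if req.sender.lower() in FLAGGED_SENDERS:
        reasons.append("sender listed as compromised by threat intel")
    networks = KNOWN_AGENCY_NETWORKS.get(domain)
    if networks is None:
        reasons.append("sender domain has no verified request history")
    elif not any(ip_address(req.source_ip) in net for net in networks):
        reasons.append("source IP outside networks previously seen for this agency")
    if req.prior_requests_from_sender == 0:
        reasons.append("first request from this mailbox")
    return reasons


SAMPLE_REQUESTS = [  # constructed log entries
    EdrRequest("EDR-1", "a.smith@police.example.gov", "192.0.2.44", 12),
    EdrRequest("EDR-2", "j.doe@police.example.gov", "203.0.113.9", 3),
    EdrRequest("EDR-3", "officer@agency.example.org", "198.51.100.7", 0),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        flags = triage(r)
        print(r.request_id, "HOLD for manual verification" if flags else "no anomalies", flags)
```

A non-empty result does not mean the request is fake; it marks the requests that warrant verification with the sending agency before complying.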

 

Conclusion: Only proactive measures can keep user data safe

Mitigating the damage to user safety is a difficult balancing act for online platforms. Closer scrutiny of incoming emergency data requests could delay law enforcement or government officials in aiding victims in potentially life-threatening situations. On the other hand, granting requests to authorities without knowing who is really making the request can lead to severe breaches in data security.

Creating a more secure mechanism for validating EDRs will require cooperation with the authorities responsible for sending such requests, as well as a proactive approach that helps platforms stay aware of the means and methodologies allowing threat actors to target sensitive user data.  
