The FBI's Internet Crime Complaint Center (IC3) recently issued a Private Industry Notification (PIN) about an alarming rise in fraudulent emergency data requests (EDRs) targeting U.S.-based companies.
Criminals are leveraging compromised government email addresses to request sensitive user data under the guise of emergencies, exposing customer personally identifiable information (PII) to further exploitation. This trend, which builds on past techniques observed in cases involving groups like Lapsus$, is gaining traction in criminal forums, where compromised email credentials are sold alongside explicit guides for carrying out fraudulent EDRs.
Rise of fraudulent Emergency Data Requests
According to
the report, there has been a significant increase in cybercriminal activity involving EDRs facilitated by compromised U.S. and foreign government email accounts. These fraudulent requests are designed to bypass typical verification protocols by creating a sense of urgency, allowing cyber actors to access private user information from companies without extensive checks. Criminals are not only sharing methods on forums but are also selling “high-quality .gov emails” that grant access to classified user data.
Notable incidents highlighted by the FBI include:
- August 2024: A cybercriminal advertised compromised U.S. government emails for espionage and data extortion, guiding buyers through the EDR submission process.
- March 2024: Another criminal claimed to have access to government emails from over 25 countries, which could be used to access private client information through fraudulent subpoenas.
- October 2023: A criminal offered insights on using .gov emails to impersonate law enforcement officers, leveraging data acquired via EDRs to initiate phishing and malware attacks on government entities.
Employed techniques
These cyber actors exploit EDRs by crafting urgent, seemingly legitimate requests for information, often under high-stakes scenarios. One incident involved a fabricated legal document submitted to PayPal in March 2024, ostensibly related to a sensitive investigation, but was ultimately flagged and rejected by the platform.
Cybercriminals have gone so far as to offer training for others on submitting fraudulent EDRs, often for a fee. This tactic capitalizes on the immediate nature of emergency requests, preying on companies' readiness to cooperate with law enforcement.
This rise in Emergency Data Requests fraud places both companies and the public at risk. Affected firms, often operating in the tech and social media sectors, face significant breaches of trust if customer data is improperly accessed and misused.
Law enforcement agencies and governmental bodies are also impacted, as compromised official email accounts reduce their credibility, and fraudulent activities by criminals claiming to act on behalf of these agencies can lead to operational inefficiencies and loss of public trust.
Recommended measures
The FBI advises a multi-layered approach to mitigate these risks:
- Verify the authenticity of EDRs by examining document signatures, logos, and legal codes, especially for requests from foreign entities, which should not include U.S.-specific codes.
- Strengthen password requirements, enforce multi-factor authentication (MFA), and regularly audit user accounts with administrative privileges.
- Establish strong communication channels with local FBI Field Offices can facilitate quick identification of vulnerabilities and improve threat response.
- Segregate networks to limit lateral movement opportunities for attackers, monitor external connections, and restrict RDP access.
- Consider adopting time-based access controls for high-privilege accounts to mitigate unauthorized access.
By adhering to these practices, businesses can better safeguard their systems against EDR-related attacks and improve their overall cybersecurity posture. The FBI also encourages companies to report any suspicious EDR activity to IC3 to assist in tracking and mitigating this growing threat.
