Criminals Are Still Using Bogus Law Enforcement Subpoenas To Obtain Users’ Info

Maybe if law enforcement didn’t abuse subpoenas so frequently, it might be a little bit more difficult for criminals to do the same thing. Subpoenas can be used to order companies and service providers to turn over user data and information. But they don’t require law enforcement to run this request past a court first, so subpoenas are the weapon of choice if investigators just don’t have the probable cause they need to actually obtain a warrant.

The FBI has a long history of abusing its subpoena power, crafting National Security Letters to obtain information it thinks it might not be able to acquire if it allowed a court to review the request. In fact, FBI investigators have been known to send out NSLs demanding the same info requested by their rejected warrant applications.

Most companies don’t have the time or personnel to vet every subpoena they receive to ensure it’s legitimate and only demanding info or data that can be legally obtained without a warrant. As long as it originates from a law enforcement email address or has some sort of cop shop logo on it, they’ll probably comply.

This has led to several successful exfiltrations of personal data by cybercriminals. The latest wave of bogus subpoenas has apparently been effective enough, the FBI (which is part of the problem) has decided it’s time to step in. Here’s Zack Whittaker with the details for TechCrunch:

The FBI’s public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone’s life or property. The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an “uptick” around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory.

The full notice [PDF] gives more detail on how this is being accomplished, which involves utilizing data and personal info obtained through previous hacks or data leaks. Once a criminal has enough information to impersonate a cop, all they need is some easy-to-find subpoena boilerplate and a little bit of info about their targets. It also helps to know what might motivate faster responses while limiting the number of questions asked by service providers.

In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would “suffer greatly or die” unless the company in question returns the requested information.

To combat this, the FBI suggests recipients of law enforcement subpoenas start doing the sort of thing they should have been doing all along, which is also the sort of thing that law enforcement agencies seem to consider being a low-level form of obstruction. Investigators tend to be “We’ll be asking the questions here” people and seem to resent even the most minimal pushback when engaging in fishing expeditions via subpoena.

Private Sector Companies receiving Law Enforcement requests should apply critical thinking to any emergency data requests received. Cyber-criminals understand the need for exigency, and use it to their advantage to shortcut the necessary analysis of the emergency data request. FBI recommends reviewers pay close attention to doctored images such as signatures or logos applied to the document. In addition, FBI recommends looking at the legal codes referenced in the emergency data request, as they should match what would be expected from the originating authority.

The rest of the notice tells law enforcement agencies to do all the basic security stuff they should have been doing all along to prevent exactly this sort of thing from happening.

But what’s not suggested as a fix is one of the more obvious solutions: move away from utilizing subpoenas and rely on warrants instead. This will prevent service providers stepping into the role of magistrate judge when receiving subpoenas to determine whether the request is legitimate and is properly supported by existing law. It also will make it more difficult for cybercriminals to do little more than send emails from compromised accounts to fraudulently obtain user information. While it’s not impossible to forge court orders and warrants, it’s a bit more difficult than only having to impersonate a single person or law enforcement entity when sending bogus paperwork to tech companies.

Of course, no law enforcement agency would be willing to make this switch even if it meant protecting thousands of innocent people from being victimized by cybercriminals. Whatever makes things easier for cops to get what they want also makes it easier for criminals to do the same thing. If nothing else, maybe a few law enforcement officials will realize the parallels this has to mandating weakened encryption or encryption backdoors: what works better for cops works better for criminals.