- FBI issues Private Industry Notification on emergency data requests
- Hackers are using stolen .gov email addresses to pose as authorities
- Mitigations recommended by the FBI should be put in place
Cybercriminals are using stolen government email addresses to submit fraudulent emergency data requests to US companies to steal personally identifying information (PII) of customers, which could be used for nefarious purposes such as phishing and identity theft, experts have warned.
This attack vector has grown in popularity since August 2023, warranting the issue of a Private Industry Notification from the FBI.
The Bureau has also issued a list of mitigation measures for businesses to put in place to keep personal data safe and ensure that only authentic data requests are processed.
Fraudulent requests on the rise
Over the last year, the FBI has logged a significant uptick in forum posts from cybercriminals relating to fraudulent data requests. The trend stemmed from one user stating that for $100, they could teach people to use data requests to obtain information on any social media account. Shortly thereafter, another user discovered that by using a ‘.gov’ email address, they could pose as the authorities and obtain much more detailed information to use for phishing.
Fraudulent data requests gradually became more advanced and more threatening, with one user posting in December 2023 that they included the threat of harm or death to an individual if the data request was not processed and approved.
Shortly after this, in March 2024, another known cybercriminal submitted a Mutual Legal Assistance Treaty (MLAT) to PayPal. The MLAT used details from a child trafficking investigation, including a case number and legal code, to appear legitimate; however, PayPal declined the MLAT.
In August 2024, a cybercriminal listed “High Quality .gov emails for espionage/social engineering/data extortion/Dada requests, etc” for sale that could be used for fraudulent data access requests to obtain private customer information including names, email addresses, phone numbers, and other personal information.
The FBI recommends that businesses double-check the security posture of any connections between their own systems and the third parties they interact with, as well as external or remote connections.
Businesses should also be wary of emergency data requests that emphasize their urgency, and should check all the details within a request for inconsistencies or doctoring. The FBI has published the full list of mitigations.