Security Advisory: FBI Notices Spike in Compromised Government Emails Used to Submit Fake EDRs

RGSA 11-21-24 

Date: November 21, 2024

 

INTRODUCTION 

In early November, the Federal Bureau of Investigation (FBI) issued a warning regarding the abuse of compromised email accounts from U.S. and foreign government entities. These compromised accounts are being exploited to execute fraudulent Emergency Data Requests (EDRs) aimed at U.S.-based service providers.  

WHAT IS AN EDR? 

An EDR is a legal mechanism that enables U.S. law enforcement agencies to urgently request confidential data from service providers without a subpoena. Threat actors take advantage of this procedure by using compromised government email addresses to submit fraudulent EDRs and obtain customer data.

For example, Verizon disclosed that it received over 127,000 law enforcement requests for customer data during the second half of 2023, with more than 36,000 classified as EDRs. The company reported fulfilling approximately 90% of these requests. 

HOW DO THREAT ACTORS EXECUTE THESE SCHEMES? 

Investigations into cybercrime forums reveal multiple methods used by threat actors to submit fraudulent EDRs. Some fake EDR vendors sell the capability to generate fake EDRs by targeting specific platforms, complete with counterfeit court documents. Other fake EDR vendors simply sell access to compromised government or law enforcement email accounts. 

Key tactics used to compromise government or law enforcement email accounts include: 

  1. Phishing and malware campaigns targeting email users.
  2. Purchase of stolen credentials from dark web marketplaces.
  3. Exploitation of poor cyber practices among government employees.


KEY LESSONS 

The notice is a reminder of how sophisticated the scams threat actors can orchestrate become once they hold compromised credentials.

To mitigate risks, organizations and individuals must prioritize cybersecurity hygiene: 

  1. Establish a procedure for handling sensitive emails to avoid getting phished; treat urgent emails and emails with attachments with caution.
  2. Use a unique, strong password for every account and enable multi-factor authentication wherever possible. Data breaches happen often, and threat actors routinely take the credentials exposed in these breaches and re-use them on other websites.

HOW CAN RICHTER GUARDIAN HELP YOU? 

Richter Guardian can aid in improving your cyber hygiene so that you can lessen the risk of being compromised. 

  1. Consult our cyber concierge if you are in a situation you are unsure of. For example, if you receive a suspicious email that demands your immediate attention, we can verify its legitimacy.
  2. We can walk you through best password management practices using 1Password, a password management tool.