How Hackers Use Emergency Data Requests to Steal User Data
CyberCX's Jacob Larsen on Email Compromise, Doxing, Violence-as-a-Service Attacks

Law enforcement uses emergency data requests to obtain critical information from social media companies and service providers in situations when a subpoena cannot be obtained within time constraints. Adversaries are now manipulating that process to access sensitive data, including "user's full name, residential address, mobile number, and sometimes, message history and payment information," said Jacob Larsen, team lead of security testing and assurance at CyberCX.
Adversaries hack the request process by compromising government emails and verifying their identity "on different social media platforms, law enforcement portals, or other aggregated platforms where they can submit their own request and then receive that information," Larsen said. "Service providers might discover later on that that request was fraudulent, but by that point it's too late."
Service providers should implement robust verification processes, such as creating an allow list of authorized government employees or introducing a segregation of duties requiring additional approval for data requests, Larsen said. Individuals should take an assumed breach approach to their personal security and secure their accounts with non-SMS-based MFA methods, including authenticator apps or physical tokens, he said.
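As an added illustration of the two controls Larsen recommends (this is example code written for this page, not code from CyberCX or the interview), the following Python sketch of an emergency data request intake gate releases data only when the sender is a pre-registered contact on an allow list and two employees other than the intake analyst have approved. The `EmergencyDataRequest` model, the contact names and the e-mail addresses are all assumed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed allow list of pre-registered law-enforcement contacts (hypothetical values).
# Matching on a full pre-registered identity rather than on a government e-mail domain is
# the point: mail from a compromised mailbox on a real agency domain still fails this check.
ALLOWED_REQUESTERS = {
    "j.doe@police.example.gov": "Det. J. Doe, Example Police Department",
}
REQUIRED_APPROVALS = 2  # distinct approvers, none of whom handled intake


@dataclass
class EmergencyDataRequest:
    requester_email: str   # mailbox the request arrived from
    subject_account: str   # account whose data is being requested
    intake_analyst: str    # employee who logged the request
    approvals: set = field(default_factory=set)


def approve(req: EmergencyDataRequest, approver: str) -> bool:
    """Record an approval; segregation of duties forbids the intake analyst approving."""
    if approver == req.intake_analyst:
        return False
    req.approvals.add(approver)
    return True


def evaluate(req: EmergencyDataRequest) -> tuple[str, str]:
    """Return (status, reason), where status is 'rejected', 'pending' or 'released'."""
    contact = ALLOWED_REQUESTERS.get(req.requester_email.lower())
    if contact is None:
        return "rejected", "requester is not a pre-registered contact"
    distinct = req.approvals - {req.intake_analyst}
    if len(distinct) < REQUIRED_APPROVALS:
        return "pending", f"{len(distinct)}/{REQUIRED_APPROVALS} approvals recorded"
    return "released", f"disclosure authorised to {contact}"
```

A request that only "looks official" (right domain, urgent wording) never reaches the approval stage, and a single employee cannot push a request through alone.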
In this video interview with Information Security Media Group at Black Hat 2024, Larsen also discussed:
- How adversaries use SIM swapping to intercept one-time passcodes;
- Legal loopholes that allow doxing platforms to continue operating;
- Physical threats associated with doxing, such as violence-as-a-service attacks.
Larsen leads a team of penetration testers to execute technical security assessments to secure customer applications and infrastructure. His expertise involves simulating cyberattacks to identify vulnerabilities within client systems and tracking initial access brokers, SIM swappers and doxers.