FBI: Rise in crooks stealing data using government emails • The Register

<!doctype html> <html lang="en"> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <title>FBI: Rise in crooks stealing data using government emails • The Register</title> <meta name="robots" content="max-snippet:-1, max-image-preview:standard, max-video-preview:0"> <meta name="viewport" content="initial-scale=1.0, width=device-width"/> <meta property="og:image" content="https://regmedia.co.uk/2024/08/02/data_shutterstock.jpg"/> <meta property="og:type" content="article" /> <meta property="og:url" content="https://www.theregister.com/2024/11/11/fraudulent_edr_emails/" /> <meta property="og:title" content="FBI: Rise in crooks stealing data using government emails" /> <meta property="og:description" content="Just because it&#39;s .gov doesn&#39;t mean that email is trustworthy" /> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@TheRegister"> <script type="application/ld+json"> { "@context":"http://schema.org", "@type":"NewsArticle", "mainEntityOfPage":{"@type":"WebPage","@id":"https://www.theregister.com/2024/11/11/fraudulent_edr_emails/"}, "headline":"FBI issues warning as crooks ramp up emergency data request scams", "datePublished":"2024-11-11T16:23:12Z", "dateModified":"2024-11-11T14:53:36Z", "image":{"@type":"ImageObject","url":"https://regmedia.co.uk/2024/08/02/data_shutterstock.jpg","width":"1000","height":"532"}, "author":{"@type":"Person","name":"Connor Jones"}, "publisher":{"@type":"Organization","name":"The Register","url":"https://www.theregister.com/","logo":{"@type":"ImageObject","url":"https://www.theregister.com/design_picker/1fea2ae01c5036112a295123c3cc9c56eb28836a/graphics/std/red_logo_sans_strapline.png","width":330,"height":55}} } </script> <link rel="canonical" href="https://www.theregister.com/2024/11/11/fraudulent_edr_emails/"> </head> <body class="fullwidth" data-pagetype='Story' data-iebrowser='7' data-pagenum="0"> <div id="page">
<article> <div id=top-col-story> <div class="header_left"> <div class="cat_header"> <h4 class="dcl"> <a href="/security/cyber_crime/" aria-label="Cyber-crime">Cyber-crime</a> </h4> </div> <div class="comments_wrap mobile_only"> <a class="comment_count" aria-label="Read comments on this article, currently there are 12 comments" title="View comments on this article" href="https://forums.theregister.com/forum/all/2024/11/11/fraudulent_edr_emails/"> <strong aria-hidden="true">12</strong> <img aria-hidden="true" width="18" height="16" alt="comment bubble on white" src="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.png" srcset="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.svg"> </a> </div> </div> <div class="header_right"> <h1>FBI issues warning as crooks ramp up emergency data request scams</h1> </div> <div class="header_left"> <div class="comments_wrap
desktop_only"> <a class="comment_count" aria-label="Read comments on this article, currently there are 12 comments" title="View comments on this article" href="https://forums.theregister.com/forum/all/2024/11/11/fraudulent_edr_emails/"> <strong aria-hidden="true">12</strong> <img aria-hidden="true" width="18" height="16" alt="comment bubble on white" src="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.png" srcset="/design_picker/f5daacc84b9722c1e31ba85f836c37e4ad993fc4/graphics/icons/bubble_comment_white.svg"> </a> </div> </div> <div class="header_right"> <h2>Just because it's .gov doesn't mean that email is trustworthy</h2> <div class="byline_and_dateline_and_share_and_comments"> <div class="byline_wrap"> <img class="vulture_icon" src="/design_picker/d518b499f8a6e2c65d4d8c49aca8299d54b03012/graphics/icon/vulture_red.svg" alt="icon"> <a class="byline" href="/Author/Connor-Jones" title="Read more by this author"> Connor Jones </a> </div> <div class="dateline_wrap"> <span class="dateline"> Mon&nbsp;11&nbsp;Nov&nbsp;2024 <span class="slashes"> // </span> 16:23&nbsp;UTC </span> </div> </div> </div> </div> <div id=main-col> <div id="article-wrapper" class="article_wrap">
<div class="centre_col"> <div id="article"> <div id="body"> <p>Cybercrooks abusing emergency data requests in the US isn't new, but the FBI says it's becoming a more pronounced issue as the year draws to a close.</p> <p>The uptick in abuse was first registered in August, and the FBI recently issued a Private Industry Notification as an increasing number of US businesses and law enforcement agencies are served fraudulent requests.</p> <p>Emergency data requests (EDRs) exist in the US as a legal mechanism through which law enforcement agencies can obtain the necessary information from service
providers during – you guessed it – an emergency.</p> <p>Usually, these requests would require a subpoena to fulfill, but the provision allows data such as who owns a specific website or phone number to be handed over to authorities in an expedited manner where needed.</p>
<p>A spotlight on EDRs was <a target="_blank" href="https://www.theregister.com/2022/04/02/in_brief_security/">shone in 2022</a> after infosec journo Brian Krebs reported a rise in their abuse. The FBI's latest warning claims that throughout 2023 and 2024, there has been a steady rise in the number of underground forum posts claiming to coach people on how to steal data through fraudulent EDRs for as little as $100.
</p> <p>That data could then be used for other criminal enterprises, such as extortion, social engineering, or simply to sell it to other crooks.</p> <p>Criminals complete these requests by using compromised email addresses belonging to US and foreign governments.
They send US businesses seemingly legitimate requests coming from a genuine public sector email address, and receive unvetted responses containing swathes of personally identifiable information (PII).</p> <p>The FBI said the technique was used heavily by the likes of <a target="_blank" href="https://www.theregister.com/2023/12/21/lapsus_teens_sentenced/">Lapsus$</a> back in its heyday, and the number of tutorials on how to pull it off surfacing on cybercrime forums has grown, leading many more to adopt it.</p> <p>The main purpose of the notification is to raise awareness among US businesses about how to prevent account compromises – consisting of the oft-repeated, basic cybersecurity advice – rather than how to spot a fraudulent EDR specifically.</p> <p>Regarding the latter point, the FBI recommends that organizations develop a close relationship with their local FBI field office as one step towards mitigating the possibility that PII is handed over to the wrong people.</p> <p>"Through these partnerships, FBI can assist with identifying vulnerabilities and mitigating potential threat activity," the <a
target="_blank" href="https://www.ic3.gov/CSA/2024/241104.pdf" rel="nofollow">notice</a> [PDF] reads. "FBI further recommends organizations review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident.</p>
<p>"The cybersecurity landscape is ever-evolving, and cyber threats are becoming increasingly sophisticated. Organizations need to stay ahead of the curve using proactive approaches to mitigate risks."</p>
<p>Submitting a fraudulent EDR doesn't guarantee a PII-packed response, it should be said. They are not successful in every case.</p>
<p>Per the feds' notice, PayPal was served a fake Mutual Legal Assistance Treaty (MLAT) notice in March, which is typically used when two or more countries want to collaborate and share data to support criminal investigations.</p>
<p>The specific case saw the criminals behind the request reference a local investigation into child trafficking, including a genuine case number and legal code, but PayPal didn't fulfill the request for reasons unknown.</p>
<p>Checking the validity of the legal code is another move private sector companies receiving an EDR can make to ensure they're not giving up personal data to unauthorized people.</p>
<p>The FBI recommends adopting critical thinking whenever an EDR is
sent their way, and understanding the common tactics used by criminals to hurry along the process.</p>
<p>"Cybercriminals understand the need for exigency, and use it to their advantage to shortcut the necessary analysis of the emergency data request," the notice reads. "FBI recommends reviewers pay close attention to doctored images such as signatures or logos applied to the document.</p>
<p>"In addition, FBI recommends looking at the legal codes referenced in the emergency data request, as they should match what would be expected from the originating authority. For example, if this request is coming from a country outside of the United States, it should not appear to be copied and pasted language from the US Title Code. Similarly, a foreign country's law enforcement would not be attaching a US subpoena.</p>
<p>"If suspicion and the need for validation arises, the FBI recommends contacting the sender and originating authority to discuss the request further."</p>
<p>Ahead of his Black Hat talk earlier this year, Jacob Larsen, threat researcher and offensive security lead at CyberCX, <a target="_blank" href="https://www.theregister.com/2024/08/12/mega_money_and_unfathomable_violence/">told</a> <em>The Register</em> that EDRs are "still in common use."</p>
<p>"Whilst they were previously reserved for sophisticated threat actors and the cost of submitting fraudulent EDRs was prohibitive ($5k+ per request), my research uncovered threat actors selling fraudulent EDRs for as low as $500 for three platform requests," he said.
</p>
<p>"It's being used by all types of cybercriminals with various objectives now; the barrier to entry is much lower."</p>
<p>Larsen added that EDRs are often used to supplement the data records stolen through other means such as <a target="_blank" href="https://www.theregister.com/2024/11/07/fake_copyright_email_malware/">infostealers</a>, <a target="_blank" href="https://www.theregister.com/2023/03/10/fbi_netwire_seizure/">remote access trojans</a> (RATs), and <a target="_blank" href="https://www.theregister.com/2024/09/29/interview_with_a_social_engineering/">social engineering</a> techniques. ®</p>
</div> </div> </div> </div> </div> </article> </div> </body> </html>