Doxers Posing as Cops Are Tricking Big Tech Firms into Sharing People's Data

Art of deception in full effect here. Kevin Mitnick would be proud.

> “This was an email address that looked like the real thing,” says Exempt, explaining the mechanics of how he tricked Charter Communications. “The real domain of the Jacksonville Sheriff’s Office in Florida is jaxsheriff.org. We purchased jaxsheriff.us and then spoofed our number as the department’s, so that when we called them to verify receipt of the legal process, when they searched the number, it would come back to the sheriff’s office, giving them no reason to doubt it. We use real badge numbers and officer names as well.”

I'm honestly impressed. It's an interesting situation where the companies can only verify the same information that the hackers have access to

This same kind of hack was mentioned in Mr. Robot nine years ago and it isn't fixed. https://www.theverge.com/2016/9/7/12835320/mr-robot-hack-rep... (Back then it was fax-based.) I'm not surprised but I am annoyed that we can't fix this.

Why this kind of thing doesn't require a judge to confirm the demand? And the judgement published publicly? (Or at least, on a government website that have specific access for TelCo/bigCo to read them)?

If we would have a way how to tell that request for data is coming from investigation and this request should be signed by a judge. Like a search warrant against an affidavit and tell cops to get lost until they will produce it?

For everyone else who's getting "You’ve read your last free article" like me:

https://archive.is/RltXf

> But officers can also make emergency data requests, or EDRs, in cases involving a threat of imminent harm or death. These requests typically bypass any additional verification steps by the companies who are under pressure to fulfill the request as quickly as possible.

How do companies decide which EDRs to fulfill and which ones require a judicial subpoena? Are companies ever even under the obligation to fulfill an EDR?

It's always the ISP. It has always been the ISP. The old hot thing was very similar. This no longer works and likely hasn't since 2016ish. But it was rampant starting in 2009.

You'd connect to a live chat (or phone call) and tell the customer support rep that it's your first day on the job and the man training you has a thick accent, making it very difficult to understand him. You then ask a hypothetical, e.g "If someone phones in asking for help with regaining access to their account, or setting up security questions, what tool do I open up?". You'd then get more specific with the hypotheticals, gradually. The only thing you cared about were the name of the tool and the steps to pull up an account by IP address. At the time, almost all ISPs had their own software suite. Verizon used something related to Coffee. I think it was just called Coffee tbh. Anyway, the goal is to get them to tell you both the name of the internal tool they use + the rough steps on how to pull up an account. Most of the time, via phone and sheer confidence, you would get the information you needed within two to three attempts. You could also take it a step further if you were bored and try to get screenshots from the rep of the software.

Edit: You'd also ask the rep for their employee identification number, if applicable. You'd then use that if you need to hard-sell it in the next call. It really didn't matter if the ID was valid, so long as it was the correct length/format. Yes, they would really just tell you. I do not know why.

After you had that information, you'd phone back, making sure you got separate rep. Depending on size of ISP, you may have had to call back after a shift change.

You inform them your regional servers are down and you're unable to connect. You could flush this out more if you had additional information on the ISPs tech. You then would go on to say "I have a customer on the line who's rightfully upset after their account was apparently accessed without authorization. The customer is saying they changed the PII on the account and they're unable to recover it." This gives you a shitty, but somewhat valid-ish excuse to pull the account up by IP. You'd then use the information attained from the first step to sell that you are indeed an employee. Name of the tool, input labels (roughly), steps needed, button names, etc. If the rep is remotely technical, hang up, try again. You'd then confirm the information on the account with the rep. It helped if you had some information about the person already, e.g first name or rough location.

Comcast was the worst offender. Charter second. Verizon was a bit more tough, but not by much. People started doing this as a first-step in targeted identity fraud, which got a lot more attention on it. Along with all the typical information (street address, postal code, state) you'd also almost always be able to get the last four of the social on the account + last 4 of any card on auto-pay.

If you're worried about this sort of thing, the best advice I can give you is to check with your ISP and see if they allow a verbal password that can be tied to your account. Anyone calling in for support or connecting to live chat would need to provide it before the account's accessed.

I'm not sure how relevant swatting is nowadays, but if you're at all in a position where you have concerns over it happening, it would be wise to phone your local police department and let them know there's a possibility this might happen. From what I remember, most of the time they ask for your cell number. In the event that this does happen, they will still send the full swat team to your residence. But they will phone your cell and ask you to come out prior to kicking down the door.

Source: was bored in when I was 15/16 and doxxed pedophiles.

Still not heard of people pretending ice, kidnapping then ransom. Strange?