
Genuine FBI email account offered for sale at $40

Underground marketplaces offer cheap access to government and law enforcement personnel's confidential data.

Offered FBI email account for sale at $40 price point

In a concerning development, active email accounts belonging to law enforcement agencies and government bodies in the US, UK, Brazil, Germany, and India are being sold on dark web marketplaces for as little as $40. These accounts, confirmed to be live and not spoofed or dormant, have been compromised by miscreants who can pose as government officials and police to commit further crimes.

The digital thieves obtain these login details primarily through credential stuffing, infostealer malware, and targeted phishing/social engineering attacks. Credential stuffing exploits password reuse, where attackers use leaked credentials from other breaches to access government email accounts if the same passwords are reused. Infostealer malware is malicious software designed to extract saved login credentials directly from browsers and email clients on infected devices. Targeted phishing and social engineering involve crafting deceptive emails or messages that trick government employees into revealing their login details or clicking on malicious links/installing malware.
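A defender-side illustration of the credential-stuffing pattern described above, added here and not part of the original article: it flags a source that tries many accounts only a few times each and lists the accounts where a reused password worked. The log format, addresses, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical "<ts> auth result=.. user=.. src=.." format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth result=FAIL user=a.jones@agency.example src=203.0.113.7
2024-05-01T09:00:02Z auth result=FAIL user=b.smith@agency.example src=203.0.113.7
2024-05-01T09:00:03Z auth result=OK user=c.patel@agency.example src=203.0.113.7
2024-05-01T09:00:04Z auth result=FAIL user=d.lee@agency.example src=203.0.113.7
2024-05-01T09:00:05Z auth result=FAIL user=e.khan@agency.example src=203.0.113.7
2024-05-01T09:00:06Z auth result=FAIL user=f.wong@agency.example src=203.0.113.7
2024-05-01T09:05:10Z auth result=FAIL user=g.diaz@agency.example src=198.51.100.20
2024-05-01T09:05:20Z auth result=FAIL user=g.diaz@agency.example src=198.51.100.20
2024-05-01T09:05:31Z auth result=OK user=g.diaz@agency.example src=198.51.100.20
2024-05-01T09:07:00Z auth result=OK user=a.jones@agency.example src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := LINE_RE.match(line.strip()))]

def find_stuffing(events, min_accounts=5, max_avg_tries=2.0, min_fail_ratio=0.8):
    """Map each suspicious source to the accounts it logged in to successfully.

    Stuffing shape: one source, many distinct accounts, few tries per account,
    mostly failures. A typo-prone user has many tries on ONE account instead.
    """
    by_src = defaultdict(lambda: defaultdict(list))
    for e in events:
        by_src[e["src"]][e["user"]].append(e["result"])
    findings = {}
    for src, users in by_src.items():
        results = [r for tries in users.values() for r in tries]
        fail_ratio = results.count("FAIL") / len(results)
        if (len(users) >= min_accounts
                and len(results) / len(users) <= max_avg_tries
                and fail_ratio >= min_fail_ratio):
            # Any success from this source is a likely reused password: reset it.
            findings[src] = sorted(u for u, t in users.items() if "OK" in t)
    return findings

if __name__ == "__main__":
    for src, hit in find_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: reset and revoke sessions for {hit}")
```

The single success buried among the failures is the account to act on first; the user who mistyped a password twice before logging in is not flagged.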

Advanced phishing campaigns using app-specific passwords and keyloggers are also employed by some state-sponsored groups. In these cases, attackers trick targets into sharing 16-digit app-specific passwords, enabling access to accounts despite multifactor authentication. Keyloggers capture keystrokes, including passwords, while remote access trojans (RATs) allow attackers to control infected devices remotely, activate keyloggers, and extract credentials over time.

These methods often avoid directly penetrating sophisticated government systems by exploiting human and technical vulnerabilities instead. The compromised accounts are then sold or used for fraudulent activities like sending fake subpoenas, accessing sensitive information via emergency requests, or impersonating officials. The reliance on trusted government email domains also helps attackers bypass security filters, making phishing and malware delivery more effective.

In the US, there is a legal mechanism called emergency data requests (EDRs) through which law enforcement agencies can obtain information from service providers during an emergency. Separately, the US Communications Assistance for Law Enforcement Act (CALEA) requires telecoms and internet companies to comply with wiretapping requests from law enforcement, and having a legitimate .gov or .police email account would make it easier for criminals to obtain these surveillance records.

Some criminal marketplaces even sell access to law enforcement portals on platforms such as Meta, TikTok, and Twitter/X for additional data retrieval requests. As these incidents highlight, it is crucial for individuals and organisations to prioritise cybersecurity measures to protect against such threats.

  1. The selling of active email accounts associated with law enforcement agencies and government bodies is a growing concern on dark web marketplaces, which can potentially aid cybercriminals in committing further crimes by posing as officials.
  2. The security of databases containing login details for these email accounts is crucial, as they are often compromised through credential stuffing, infostealer malware, targeted phishing/social engineering attacks, and advanced phishing campaigns that employ keyloggers and remote access trojans.
  3. In response to this threat, it is essential for individuals and organizations to prioritize cybersecurity measures to protect against such risks, and for government bodies to invest in AI technology for cybersecurity surveillance and mitigation.
  4. It's concerning that telecom and internet companies may be required to disclose surveillance records and sensitive data to criminal entities who possess legitimate government email accounts on platforms such as Meta, TikTok, and Twitter/X, which can compromise privacy and security.
  5. General-news outlets like Bloomberg have reported on these incidents, emphasizing the importance of cybersecurity awareness and education in the increasingly connected world of IoT devices and telecom services, as well as the importance of maintaining cybersecurity standards in the crime-and-justice sector to uphold law enforcement objectives.
