It ‘Felt Fishy’: Game operator rejected fake data request
The request for data was in all caps and urgent: “REQUIRED CIRCUMSTANCE DISCLOSURE REQUEST IMPORTANT! PLEASE READ!”
On March 13, the administrators of an online children’s game called Toontown Rewritten received an urgent request for user information that appeared to be from a police captain in Bangladesh.
“We have reasonable suspicions to believe that several individuals engaged, acted and perpetrated in the distribution of child pornography, blackmail and terrorist bomb threats against senior officials and their families in Bangladesh,” wrote “Captain Samuel Ramsel” of Bhaka’s Cybercrime Division in an email.
Joey Ziolkowski, one of the founders of Toontown Rewritten, said something seemed “shady.”
“The request seemed legitimate. The email was from an official Bangladesh Police account and did not appear to be forged as far as our technical security team could tell,” he said on Twitter. “We insisted further on asking for credentials and a proper subpoena for the information.”
Toontown’s volunteer staff determined the request to be false, a finding supported by Allison Nixon, head of research at cybersecurity firm Unit 221b, who reviewed the correspondence. She said the same Bangladeshi email address had been used to send emergency legal requests to other companies.
On Tuesday, Bloomberg News reported that Apple Inc., Alphabet Inc.’s Google, Meta Platforms Inc., Snap Inc., Twitter Inc. and Discord Inc. complied with fraudulent emergency data requests that were used in schemes to sexually harass or extort women, including some minors. Law enforcement and cybersecurity experts consider forged legal requests sent from compromised law enforcement email addresses to be the newest tool used by hackers and criminals online to acquire personal information for personal attacks.
“I can’t believe whoever finally broke that silence publicly is ‘Toontown Rewritten,’” Nixon said, noting that most tech companies that were duped “treated this as a shameful affair to keep top secret.”
“They did what no big tech company could do and wrote a public notice full of actionable information with the entire bogus emergency data request,” she said.
The request appears to be from a hacker who compromised the messaging system of Dhaka Metropolitan Police, which operates in Bangladesh’s capital and most populous city, according to Toontown Rewritten and a cybersecurity expert. The email contained an obvious clue: Dhaka was misspelled.
The Dhaka Cybercrime Division in Bangladesh did not respond to a request for comment. It could not be determined if Captain Samuel Ramsel is a real person.
The author of the email did not respond to a request for comment.
The usernames and passwords of Bangladeshi police officials – including some from the Dhaka Metropolitan Police – were put up for sale on dark web marketplaces shortly before the email was sent to Toontown, according to Gene Yoo, chief executive of cybersecurity firm Resecurity, who observed the credentials for sale. “The price ranges anywhere from $27 to $30.”
The email writer was persistent, writing multiple times over the course of a week after Toontown staff pushed back. The targeted account belongs to someone believed to be an adult outside of the United States, Ziolkowski said.
“This specific user has created an emergency situation and the citizens of Bangladesh are under undue stress,” the author wrote. “Just send us all the information you can and because it’s confidential, we want it kept between law enforcement officials and Toontown Rewritten support staff only.”
The volunteer staff, who are based around the world and have a post office box in Washington state, replied that they would only respond to the request if it was sent by a US authority. After that, the author of the emails stopped corresponding. Toontown volunteers shared information about the fake request with investigators from the Department of Homeland Security, who investigated the practice of fraudulent requests for emergency data.
A Homeland Security representative did not immediately respond to a request for comment.
Forged legal requests designed to acquire personal information are a growing problem, according to several law enforcement officials. As a result, big tech companies are working on new ways to verify legal demands, the people said.
“Fraudulent EDRs shatter trust in the legitimate legal process and perpetuate a long-standing communication gap between the public and private sectors,” said Matt Donahue, founder of Kodex, which makes software that helps businesses manage legal claims. “This disruption has a significant impact on user security and data privacy, slowing responses to legitimate life-and-death situations.”