- Cybercriminals created a fraudulent account on Google's Law Enforcement Request System
- No user data was accessed, but the breach raises concerns about flaws in Google's approval process
- The group behind the incident, Scattered Lapsus$ Hunters, is linked to major recent data breaches and went "dark" shortly before publishing the screenshot
Cybercriminals managed to obtain their own account on Google's Law Enforcement Request System (LERS), the search engine giant confirmed to the media earlier this week.
Recently, the threat actors going by "Scattered Lapsus$ Hunters" published a new screenshot in their Telegram channel, showing an automated confirmation email from Google.
"Google has created a new Law Enforcement Request System (LERS) account," the screenshot said.
Disabled the account
LERS is a secure online portal that Google provides specifically for verified law enforcement agencies. Through it, police can submit requests for user data, such as subpoenas, court orders or search warrants. Authorized officers can use the system to upload documents, track their requests and download sensitive data.
To access LERS, you must be pre-approved by Google. Simply having an agency email address is not enough: applicants must be added to Google's approved list, which raises the question of how the criminals did it. Either Google's approval system is flawed, or the crooks managed to pass themselves off as police staff.
Once the news broke, BleepingComputer contacted both Google and the FBI, and while the latter declined to comment, Google confirmed the cybercriminals' claim:
"We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told the publication. "No requests were made with this fraudulent account, and no data was accessed."
Scattered Lapsus$ Hunters is a threat actor formed when three groups, Scattered Spider, Lapsus$ and ShinyHunters, merged into one. The group is suspected of being behind some of the largest data breaches this year, including the Drift AI / Salesloft incident, which affected dozens of large technology companies.
A few days before publishing this screenshot, the group announced that it was "going dark", which some threat actors interpreted as a sign of fear about the imminent consequences of recent attacks.
Via BleepingComputer