It ‘Felt Fishy’: Game Operator Rebuffed Fake Data Request

tech.hindustantimes.com:

The data request was in all caps and urgent: “EXIGENT CIRCUMSTANCE DISCLOSURE REQUEST IMPORTANT! PLEASE READ!” On March 13, the administrators of an online game marketed for children called Toontown Rewritten received an emergency request for user information that appeared to come from from a police captain in Bangladesh. 

“We have reasonable suspicion to believe multiple individuals have engaged, acted and perpetrated in child porn distribution, blackmail and terroristic bomb threats against high levels of Bangladesh officials and family,” wrote “Captain Samuel Ramsel” of the Bhaka Cyber Crime Division, in an email.

Joey Ziolkowski, a founder of Toontown Rewritten, said something “felt fishy.”

“The request seemed legit. The email was from an official Bangladesh police account and did not seem spoofed as far as our technical security team could tell,” he said on Twitter. “We pressed further to ask for credentials and a proper subpoena for the information.” 

Toontown’s volunteer staff determined that the request was bogus, a claim backed by Allison Nixon, chief research officer at the cybersecurity firm Unit 221b, who reviewed the correspondence. She said the same Bangladeshi email address has been used to send emergency legal requests to other companies. 

On Tuesday, Bloomberg News reported that Apple Inc., Alphabet Inc.’s Google, Meta Platforms Inc., Snap Inc, Twitter Inc. and Discord Inc. complied with fraudulent emergency data requests that were used in schemes to harass or sexually extort women, some of them minors. Law enforcement and cybersecurity experts consider the forged legal request sent from compromised law enforcement email addresses the newest tool used by hackers and online criminals to acquire personal