According to reports, tech giants provided data to hackers disguised as law enforcement officers.
Apple and Facebook’s parent company Meta were persuaded to give up customer data to hackers posing as law enforcement agents bearing phony “emergency data requests,”Bloomberg reported Wednesday that the information was sourced from three people familiar with it. The fraudulently obtained information allegedly included users’ phone numbers, IP addresses, and even physical addresses.
The hackers also attempted to con Snap, the parent company of Snapchat, into coughing up the same data, but it’s not clear if they were successful. Sources refused to reveal how many times these social media platforms were compelled to hand over the information to respond to fraudulent requests.
While such information is normally only provided in response to a subpoena or search warrant, both of which would require a judge’s signature, so-called “emergency requests” require nothing of the sort, making the hackers’ task surprisingly easy. According to cybersecurity experts, at least some hackers involved in the case are minors operating in the US or UK.
At least one of the minors is thought to be the leader of Lapsus$, a cybercrime ring which has previously hacked Microsoft, Samsung, and Nvidia, according to Bloomberg’s sources. In connection with Lapsus$, seven suspects were detained by London’s police.
Apple refers Bloomberg to section of enforcement guidelines to help explain why it is so eager to give customer data. “supervisor for the government or law enforcement agent who submitted the request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”
Meta maintained that all requests for data were reviewed by it “legal sufficiency”Supposed to be used “advanced systems and processes to validate law enforcement requests and detect abuse.”
Andy Stone, spokesperson for the company said it also blocks “known compromised accounts from making requests”In order to address the issue, he works closely with police officers “incidents involving suspected fraudulent requests, as we have done in this case.”
Snap refused to comment, except to state that they have safeguards in place for fraudulent data requests.
The social media firms are ultimately the victims of law enforcement’s lust for data, given how often such agencies request information from online platforms. Meta responds to 77% of all emergency requests while Apple offers data. Meta, however, provides data for 93%.
According to two sources, this scam was started around January 2021. It involved hackers targeting technology firms through hacked email addresses belonging to law enforcement authorities located across several countries. These domains were forged in an effort to look legit. Gene Yoo from cybersecurity firm Resecurity said that sometimes the signatures were stolen and could be found on dark-web marketplaces for $10.
Share this story via social media