April 1, 2022 at
A report by Bloomberg has revealed that Meta and Apple unknowingly handed their user data to hackers thinking they were law enforcement.
According to Bloomberg, the error occurred in mid-2021as both firms fell for the fake requests and sent information about the users’ home addresses, IP addresses, and phone numbers to the hackers.
It’s not unusual for law enforcement to request data from social media platforms as part of investigations. This gives them access to the social media accounts of the user being watched or investigated. While these requests require a search warrant or a subpoena signed by a judge, noting of such is required for emergency data requests. These types of requests are made by law enforcement in very serious and life-threatening situations.
A Surge In Bogus Emergency Data Request
Threat actors and cybercriminals are always looking for avenues to strike and gain vital data to sell to the darknet or blackmail the victims into paying a ransom. But bogus emergency data requests are becoming increasingly common among threat actors. According to Krebs on Security, the attackers usually start by gaining access to the email systems of a law enforcement agency.
Once they access the system, they can forge a data request that places utmost urgency and describes the danger of delays when sending the data. The message is communicated to the targeted company while taking the position of law enforcement. This makes it look very genuine since the targeted firm believes the email is coming from a genuine
Apart from plotting to gain access to the email accounts of security agencies, the attackers are also sourcing for email accounts on the darknet.
Krebs noted that some threat actors are selling access to government emails online to enable threat actors to target social platforms with fake emergency data requests.
The Attacks Are Common With Teenagers
The report also stated that these types of attacks are most commonly carried out by teenagers. Bloomberg added that cybersecurity researchers believe the teenagers behind the Lapsus$ hacking syndicate could be involved in this type of scam. It’s not clear whether the group has other recruits after London police apprehended seven teens in connection to the group.
However, the members of a threat group known as the Recursion Team could be responsible for last year’s string attack, the report noted. While the group is no longer functioning, some of its members
Officials the investigated the incident stated that threat actors accessed the accounts of law enforcement agencies in different countries and targeted several companies for several months from January last year.
Meta’s policy and communications director, Andy Stone, stated that every data was reviewed for legal sufficiency. In addition, the team used advanced processes and systems for the validation of law enforcement requests to detect abuse. He added that the security team of the company blocked compromised accounts from making requests and collaborates with law enforcement to deal with incidents involving fraudulent requests.
The Threat Actors Succeeded Despite Apple’s Show Of Diligence
Apple, on the other hand, pointed at its law enforcement guidelines when asked for comments about the situation.
The guideline noted that the company sully contacts a supervisor with the law enforcement agency or governed requesting information about customer data. The company added that it carries out due diligence before assenting to a request from government agencies or law enforcement regarding the data of its users.
A supervisor is always contacted to verify whether the data request is actually genuine and coming from the original law enforcement. Apple’s response shows that it did actual diligence before releasing the data. But despite the due diligence, the threat actors were able to deceive the two firms. This shows the level of plan the threat actors made to cover all loopholes that would have exposed them.
Other Companies Have Been Targeted Before
It should be noted that Apple and Meta are not the only firms that have become victims of fake emergency data requests. Threat actors have also contacted Snap with fake requests, according to Bloomberg. However, it is not whether the company shared its customers’ data following the request. Snap did not respond to requests for comments about the situation. Also, Discord confirmed that it was deceived into sharing users’ data after receiving a fake request for emergency customer data from threat actors.