Apple Inc and Meta Platforms Inc, the parent company of Facebook, provided customer data to hackers masquerading as law enforcement officials, according to three people familiar with the matter.
Apple and Meta provided basic subscriber details, such as the customer’s address, phone number, and IP address, in mid-2021 in response to fraudulent “emergency data requests”. Normally, such data is released only in response to a search warrant or subpoena signed by a judge, according to the people. Emergency requests, however, do not require a court order.
Snap Inc received a fraudulent legal request from the same hackers, but it is not known if the company provided the data in response. It is also not clear how often the companies have provided the data requested by the fraudulent legal requests.
Cybersecurity researchers suspect that some of the hackers sending the fraudulent requests are minors located in the United Kingdom and the United States. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft Corp, Samsung Electronics Co and Nvidia Corp, among other things, the people said. The City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group; the investigation is ongoing.
An Apple representative referred Bloomberg News to a section of the company’s law enforcement guidelines.
The guidelines cited by Apple state that the government supervisor or law enforcement agent who made the request may be contacted and asked to confirm to Apple that the emergency request was legitimate.
“We review each data request for legal adequacy and use advanced systems and processes to validate law enforcement requests and detect violations,” Meta spokesman Andy Stone said in a statement. “We block known compromised accounts from submitting requests and are working with law enforcement to respond to incidents of suspected fraudulent requests, as we did in this case.”
Snap had no immediate comment on the case, but a company spokesperson said the company has safeguards in place to detect fraudulent requests from law enforcement.
Law enforcement around the world routinely requests information about users from social media platforms as part of criminal investigations. In the United States, these requests typically include an order signed by a judge. Emergency orders are intended to be used in situations of imminent danger and do not require a judge to sign them.
Hackers affiliated with a cybercrime group known as the “Recursion Team” are believed to be behind some of the fraudulent legal requests, which were sent to the companies throughout 2021, according to the three people involved in the investigation.
The people said the Recursion Team is no longer active, but that several of its members continue to carry out hacks under various names, including as part of Lapsus$.
Information obtained by hackers using forged legal requests was used to enable harassment campaigns, according to one of the people familiar with the investigation. The three people said the information may be used primarily to facilitate financial fraud schemes: knowing a victim’s personal details helps hackers in attempts to bypass account security.
Bloomberg is withholding some specific details of the events in order to protect the identities of the targets.
The fraudulent legal requests are part of a months-long campaign targeting several tech companies that began in January 2021, according to two people. The fraudulent legal requests are believed to be sent via compromised email domains belonging to law enforcement agencies in multiple countries, according to the three people and an additional person investigating the matter.
The fake requests were made to appear legitimate. In some cases, the documents included forged signatures of real or fictitious law enforcement officers, according to two of the people. By infiltrating law enforcement email systems, hackers may have found legitimate legal requests and used them as a template to create fraudulent ones, according to one of the people.
“In every case these companies got it wrong, there was someone trying to do the right thing in the core,” said Allison Nixon, chief research officer of Unit 221B. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to respond quickly to a tragic unfolding user situation.”
On Tuesday, Krebs On Security reported that hackers forged an emergency data request to get information from social media platform Discord. In a statement to Bloomberg, Discord confirmed that it also fulfilled a fraudulent legal request.
“We are verifying these requests by verifying that they came from a genuine source and have done so in this case,” Discord said in a statement. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been hacked by a malicious actor. We have since conducted an investigation into this illegal activity and reported the hacked email account to law enforcement.”
Both Apple and Meta release data about their compliance with emergency data requests. From July to December 2020, Apple received 1,162 emergency requests from 29 countries. According to its report, Apple provided data in response to 93% of those requests.
Meta said it received 21,700 emergency requests from January to June 2021 globally and provided some data in response to 77% of the requests.
On its website, Meta states: “In emergency situations, law enforcement may submit requests without legal process. Depending on the circumstances, we may voluntarily disclose information to law enforcement when we have good faith reason to believe that there is an imminent risk of serious bodily injury or death.”
Companies’ systems for receiving data requests are a mixture of different email addresses and company portals. Fulfilling legal requests can be complicated because there are tens of thousands of different law enforcement agencies around the world, from small police departments to federal agencies, and different jurisdictions have different laws governing the request and release of user data.
“There is no single system or central system for delivering these things,” said Jared Der-Yeghiayan, principal at cybersecurity firm Recorded Future Inc. and a former cyber program leader at the Department of Homeland Security. “Every agency deals with it differently.”
Der-Yeghiayan said companies like Meta and Snap operate their own law enforcement portals to send legal requests, but still accept requests by email and monitor requests 24 hours a day.
Apple accepts legal requests for user data at an apple.com email address, “provided it is sent from the requesting agency’s official email address,” according to Apple’s legal guidelines.
Gaining access to law enforcement email domains around the world is in some cases relatively simple, since login credentials for these accounts are available for sale in online criminal marketplaces, said Gene Yoo, CEO of cybersecurity firm Resecurity, Inc.
Yoo said several law enforcement agencies were targeted last year as a result of previously unknown vulnerabilities in Microsoft Exchange email servers, “leading to more intrusions.”
Nixon, of Unit 221B, said it would be difficult to find a potential solution to the use of fraudulent legal requests sent from compromised law enforcement email systems.
“The situation is very complicated,” she said. “Fixing it is not as simple as shutting down the data flow. There are many factors we have to consider beyond just maximizing privacy.”