Wait... What? Apple, Facebook Gave Users’ Data To Hackers? But Why?
According to three people, Apple and Meta (the parent company of Facebook) provided customer data to hackers who posed as law enforcement officials.
“Fraudulent” Emergency Legal Requests
Information such as a customer’s address, phone number and IP address was provided to these fake officials in mid-2021, when they sought it under the guise of “emergency data requests.” According to the three people, such information is generally only provided following a search warrant or subpoena signed by a judge; emergency requests, however, do not require a court order.
Snap received a similar forged request, but it is not clear whether Snap provided any data in response. It is also unclear how many times the companies provided data in response to forged legal requests.
Cybersecurity researchers suspect that some of the hackers sending these forged requests are minors located in the U.K. and the U.S.
One of the minors is believed to be a member of the cybercrime group Lapsus$, which is believed to have previously hacked Microsoft Corp., Samsung Electronics Co. and Nvidia Corp. The probe is ongoing, and as many as 7 people have been arrested in connection with the investigation into the Lapsus$ hacking group.
Regarding the matter, Apple said that, as per its law enforcement guidelines, the supervisor of the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”
Meta spokesman Andy Stone said in a statement: “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
While Snap did not immediately comment on the incident, a spokesperson said the company has safeguards in place to detect fraudulent requests from law enforcement. Law enforcement agencies around the globe routinely ask social media platforms for information about users as part of criminal investigations.
In the US, such requests normally include an order signed by a judge. Emergency requests are meant for cases of imminent danger and do not require a judge’s signature.
According to the three people involved in the investigation, hackers affiliated with a cybercrime group known as “Recursion Team” are believed to be behind some of the forged legal requests.
The people said that although the Recursion Team is no longer active, some of its members continue to operate under different names, including as part of the Lapsus$ group.
According to the three people, the information obtained through such forged requests is used to enable harassment campaigns. It may also be used primarily to facilitate financial fraud schemes, since the data can be used in attempts to bypass account security.
To protect the identities of those targeted, Bloomberg is omitting some specific details of the events. The requests are part of a months-long campaign that targeted many technology companies.
According to the three people and an additional person investigating the matter, the forged legal requests are believed to have been sent from hacked email domains belonging to law enforcement agencies in multiple countries.
According to them, the forged requests included forged signatures of real or fictional law enforcement officers to make them appear legitimate.
They said the hackers may have found legitimate legal requests and used them as templates for the forgeries.
Allison Nixon, chief research officer at the cybersecurity firm Unit 221B, said: “In every instance where these companies messed up, at the core of it there was a person trying to do the right thing. I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”
Discord, in a statement to Bloomberg, also confirmed that it, too, had unknowingly responded to a fraudulent legal request. In its defence, the company said it tried to verify whether the request was genuine. Discord said that although it initially believed the request was legitimate, it was later discovered that the request came from a malicious actor who posed as a legitimate law enforcement account. Discord has since opened an investigation into the matter.
Both Apple and Meta publish figures on their compliance with emergency data requests. In the six months from July to December 2020, Apple received 1,162 emergency requests from 29 countries and provided data in response to 93% of them. Meta, for its part, provided data in response to 71% of the 21,700 emergency requests it received globally from January to June 2021.
Meta stated on its website that “In emergencies, law enforcement may submit requests without legal process. Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”
The Loophole
Jared Der-Yeghiayan, a director at the cybersecurity firm Recorded Future Inc, confirmed that there is no single, centralized system for submitting such requests; every agency handles them differently.
He said that even though Meta and Snap operate their own portals through which law enforcement can submit legal requests, they still accept requests made via email.
According to Apple’s legal guidelines, the company accepts legal requests for user data at an apple.com email address, “provided it is transmitted from the official email address of the requesting agency.”
Login credentials for law enforcement email domains around the world are available on online criminal marketplaces.
Gene Yoo, CEO of the cybersecurity firm Resecurity, Inc, said: “Dark web underground shops contain compromised email accounts of law enforcement agencies, which could be sold with the attached cookies and metadata for anywhere from $10 to $50”.
Last year, multiple law enforcement agencies were targeted through previously unknown vulnerabilities in Microsoft Exchange email servers, leading to further intrusions.
Nixon, of Unit 221B, said that a solution to forged legal requests sent from hacked law enforcement email systems will be difficult to find. She said: “The situation is very complex. Fixing it is not as simple as closing off the flow of data. There are many factors we have to consider beyond solely maximizing privacy.”