Hackers pretending to be law enforcement tricked Apple and Meta into handing over user information last year, according to a Bloomberg report. The hackers faked emergency data request orders, which law enforcement agencies typically send to social media platforms. These emergency data requests don’t require court approval as a warrant or subpoena would.
According to Bloomberg, this mishap took place in the middle of last year. As a result, both Apple and Meta gave the hackers user information such as IP addresses, phone numbers, and home addresses.
Officials investigating the matter said that the scam began in January 2021. Over the next several months, the hackers took over law enforcement accounts in multiple countries and targeted multiple companies with fake requests.
Fake Emergency Requests Becoming More Common
When law enforcement officials investigate crimes, they often ask social media platforms for information that might assist their investigation.
Usually, these requests require a subpoena or a warrant signed by a judge. Emergency data requests, which are issued in extreme circumstances such as life-threatening situations, do not require either. According to Krebs on Security, fake emergency data requests are becoming very common.
To send a fake request, the threat actor first needs access to official police department email systems. Once the actor has access, they can easily make up a hypothetical emergency and send a data request to a social media platform. This way they can get their hands on information that can be misused for other malicious activity, like phishing attacks.
Krebs added that some cybercriminals are selling official government email credentials online. In fact, one such advertisement specifically states that the email can be used to subpoena companies and direct them to hand over user data.
Hacker Group ‘Recursion Team’ Possibly Behind the Scam
Krebs believes that the hacking group called Recursion Team is behind the scams against Apple and Meta. The hackers also sent Snap fake data requests. However, it is unclear if Snap handed over any information.
Interestingly, both Bloomberg and Krebs reported that the criminal group Lapsus$ also carries out a similar kind of scam. The group has targeted several high-profile tech companies in 2022. In fact, it was recently revealed that several members of the group are teenagers.
To top it all off, several Lapsus$ members were previously a part of the Recursion Team. It’s believed that since Recursion Team disbanded last year, some of its former members joined Lapsus$ under new names.
Statements from Apple and Meta
In an email statement to The Verge, Meta’s policy and comms director, Andy Stone, said the company studies every request to ensure it complies with the law and also maintains a record of compromised law enforcement accounts.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Stone said. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Apple, on the other hand, pointed The Verge to its law enforcement guidelines, which read as follows:
“If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”