Apple, Meta Fooled! Hackers Pose as Fake Law Enforcement to Steal User Data

The Apple logo is seen on the outside of Bill Graham Civic Auditorium before the start of an event in San Francisco, California on September 7, 2016. JOSH EDELSON/AFP via Getty Images

Apple and Meta, Facebook's parent company, fell victim to hackers last year when perpetrators posing as law enforcement personnel issued "emergency data requests" and acquired user data.

On Thursday, three people familiar with the issue said that the two tech giants handed over subscriber details, including customers' home addresses and phone numbers, to impostors. The suspects allegedly forged the legal requests and submitted them sometime in mid-2021. It is not yet clear how much information was given to the hackers.

Hackers Attack Apple, Meta

While Apple officials refused to comment on the issue, they pointed to the company's Law Enforcement Guidelines, which state, "If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agency who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate."

Krebs on Security, a cybersecurity blog, explained the details of the new hacking method in a blog post earlier this week. It noted that law enforcement officials typically have to present tech firms with a court-ordered warrant or subpoena when requesting user information. However, emergency data requests (EDRs) are not subject to this requirement because they could be a matter of life or death, as per Fox Business.

During an attack using fake EDRs, hackers first gain access to a police department's email systems. Posing as law enforcement officials, they can then forge an emergency data request that describes the potential danger of not receiving the requested data immediately.

Krebs on Security said that some hackers are offering access to government emails for sale online with the sole purpose of targeting social platforms using fake EDRs. The cybersecurity blog noted that the majority of bad actors who conduct these crimes are teenagers.

According to The Verge, cybersecurity researchers also believe that the teen mastermind behind the Lapsus$ hacking group is potentially involved in this type of scam. London police have arrested seven teens since the cyber attack. The Lapsus$ incident included the hacking of Microsoft Corp., Samsung Electronics Co., and Nvidia Corp., among others.

Forged Legal Requests

In a statement, Meta spokesman Andy Stone said that the company reviews every data request for legal sufficiency and uses advanced systems and processes to validate law enforcement requests and detect abuse. He added that Meta blocks known compromised accounts from making requests and continues to work with law enforcement to respond to incidents involving suspected fraudulent requests.

Similarly, Snap Inc., a camera company, received forged legal requests from the same hackers that attacked Apple and Meta. However, it was not clear whether the company provided data in response. It did not have an immediate comment on the case, but a company spokesperson said they had safeguards in place to detect fraudulent requests from law enforcement.

Hackers from a cybercrime group that calls itself "Recursion Team" are believed to be responsible for some of the forged legal requests that were sent to several companies throughout 2021, Bloomberg reported.

