Date: 2022-03-31

Apple Inc and Meta provided customer data to hackers who pretended to be enforcement officials, according to three people with knowledge of the matter, Bloomberg reported.

As per the report, both Apple and Meta provided basic subscriber details, such as a customer's address, phone number and IP address, in mid-2021 in response to the forged "emergency data requests".

According to the people, such demands usually come with a search warrant or subpoena signed by a judge. However, emergency requests don't require a court order.

The report mentioned that the same hackers sent a forged legal request to Snap Inc, but it's unclear whether the company provided the data in response. It's also unclear how many times the company has provided data in response to forged legal requests.

Cybersecurity experts suspect that some of the hackers sending these forged requests are minors located in the UK and the US. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which earlier hacked Microsoft Corp., Samsung Electronics Co., and Nvidia Corp., among others, the people said. Seven people were recently arrested by City of London Police in connection with an investigation into the Lapsus$ hacking group; the investigation is still ongoing.

An Apple representative referred Bloomberg News to a section of its law enforcement guidelines.

According to the guidelines, a government supervisor or law enforcement agent who submitted the request “may be called and asked to confirm to Apple that the emergency request was legitimate.”

In response, Meta spokesperson Andy Stone said: “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

Snap did not respond to a request for comment on the matter right away, but a spokesperson said the company has safeguards in place to detect fraudulent requests from law enforcement.

As part of criminal investigations, law enforcement around the world often asks companies for information about their users. In the United States, such requests are normally accompanied by a signed order from a judge. Emergency requests are meant to be used in circumstances of imminent danger and do not require a judge to sign off on them.

According to three people involved in the investigation, hackers linked with a cybercrime group known as “Recursion Team” are believed to be behind some of the forged legal requests that were sent to companies during 2021.

Although the Recursion Team is no longer active, many of its members continue to hack under various names, including as part of Lapsus$, the people said.

According to one of the people acquainted with the investigation, the information gathered by the hackers using forged legal requests has been utilised to facilitate harassment campaigns. The three people said that it might be primarily used to facilitate financial fraud schemes. The hackers may exploit the victim’s information to help them bypass account security.

To protect the identities of people targeted, Bloomberg is omitting some specific details of the event.

According to two of the people, the fraudulent legal requests are part of a months-long campaign that began in January 2021 and targeted various IT companies.

These forged requests were disguised as genuine. According to two of the people, the documents included the forged signatures of real or fictional law enforcement authorities in some instances. According to one of the people, the hackers may have found valid legal requests by hacking into law enforcement email systems and later used them as templates to create forgeries.

“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” said Allison Nixon, chief research officer at the cyber firm Unit 221B. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”

Krebs on Security reported on Tuesday that hackers had forged an emergency data request to collect information from social media platform Discord. Discord confirmed in a statement to Bloomberg that it had also fulfilled a forged legal request.

“We verify these requests by checking that they come from a genuine source, and did so in this instance,” Discord said in a statement. While its verification process revealed that the law enforcement account was genuine, it later discovered that the account had been hacked by a criminal entity.

Both Apple and Meta publish information about how they respond to emergency data demands. Apple received 1,162 emergency requests from 29 countries between July and December 2020. According to its report, Apple responded to 93 per cent of those requests. Meta received 21,700 emergency requests between January and June 2021 globally and said it responded to 77 per cent of those requests.

According to Nixon of Unit 221B, a feasible solution to the use of forged legal demands sent from hacked law enforcement email systems will be tough to identify.

“The situation is very complex,” said Gene Yoo, chief executive officer of the cybersecurity firm Resecurity, Inc. “Fixing it is not as simple as closing off the flow of data. There are many factors we have to consider beyond solely maximizing privacy.”
