Big tech data given to fake legal requests reportedly used to harass minors

Leigh Mc Gowran on April 27, 2022 at 13:59, Silicon Republic


Tech companies Meta, Apple, Google, Snapchat, Twitter and Discord have been tricked into giving the personal information of customers to fake emergency legal requests, and the data was then used in some cases to harass and sexually exploit minors, according to a Bloomberg report.

Three people familiar with an investigation told Bloomberg that these companies have all complied with fake legal requests, though the number of successful requests is unclear.

Sources told Bloomberg that it can be difficult for companies to know when they have been tricked, as the requests look like they came from legitimate police agencies.

In the known cases, the hackers compromised law enforcement accounts and requested sensitive user data such as a customer’s name, address, email and IP address. It was noted that the data provided varies by company and that some companies provide more data.

Law enforcement officials and investigators told Bloomberg the method appears to have become more prevalent in recent months.

A Google spokesperson told Bloomberg that it uncovered one of these fraudulent data requests coming from “malicious actors posing as legitimate government officials” last year.

“We quickly identified an individual who appeared to be responsible and notified law enforcement,” the spokesperson told Bloomberg. “We are actively working with law enforcement and others in the industry to detect and prevent illegitimate data requests.”

A Facebook spokesperson told Bloomberg that its workers review every data request for “legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse”.

Snapchat spokesperson Rachel Racusen said the company carefully reviews each request it gets from law enforcement “to ensure its validity and have multiple safeguards in place to detect fraudulent requests.”

A Discord spokesperson said they validate all emergency requests, while Twitter and Apple declined Bloomberg's request for comment.

While data requests like this usually require documents signed by judges or search warrants, Bloomberg reported that special ‘emergency data requests’, like the ones the hackers used, can be made when officials require speedy access to data.

Bloomberg reported that it is a generally accepted practice that companies turn over limited data in response to “good faith” requests by law enforcement which involve imminent danger.

It was reported last month that Apple and Meta provided user data last year to cybercriminals who requested information using this method. At that time, three people familiar with the matter told Bloomberg that the fake requests appeared to be mainly used for financial fraud schemes.

In some of the new reported examples, sources told Bloomberg that the personal information was used to befriend women and minors before encouraging them to provide sexually explicit photos.

If the demands weren’t met, the hackers used several harassment techniques, such as calling in a fake threat to local law enforcement using the victim’s address or threatening to leak personal information online.

Former chief security officer at Facebook, Alex Stamos, told Bloomberg that police departments should focus on preventing account compromises through the use of multi-factor authentication, while tech companies should implement a “confirmation callback policy” and push law enforcement to use dedicated portals, to make account takeovers easier to detect.

Newest criminal tool

Law enforcement and other investigators told Bloomberg that this tactic appears to be the newest criminal tool being used to obtain personal information for both harassment and financial gain.

Sources told Bloomberg that the tactic is impossible for victims to defend against and the best way to avoid it is to not have an account on targeted services.

A Krebs on Security report published last month said the tactic of compromising accounts tied to law enforcement and then sending unauthorised emergency data requests is becoming more common.

Tech companies have strict rules about who they hand out user data to. Usually, law enforcement officials can make requests for information as part of criminal investigations – but, in the US for example, must submit an official court-ordered warrant or subpoena.

However, an emergency request can be submitted in certain cases involving imminent danger, which can bypass official rules and court-approved documents. But hackers may now be trying to compromise this system.

According to Apple’s legal process guidelines, if a law enforcement agency wants customer data under an emergency request, “a supervisor for the government or law enforcement agent who submitted [the request] may be contacted and asked to confirm to Apple that the emergency request was legitimate”.

Krebs on Security previously reported that at least one of the emergency requests for data sent to Discord was fulfilled.

“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies,” the company wrote in a statement.

“While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”
