Big tech companies have been tricked into providing sensitive personal information about their customers in response to fraudulent legal requests, and the data has been used to harass and even sexually extort minors, according to four federal law enforcement officials and two industry investigators, who requested anonymity in order to be able to speak frankly about this new form of online crime that involves underage victims. The companies that have acceded to these bogus requests include Meta, Apple, Alphabet’s Google, Snap, Twitter, and Discord.
Fraudulently obtained data has been used to target specific women and minors and, in some cases, to pressure them into creating and sharing sexually explicit content and to retaliate against them if they refuse, according to the six sources. This tactic is considered by law enforcement and other investigators to be the newest criminal tool to obtain personally identifiable information that can be used not only for financial gain but also to extort and harass innocent victims. It is all the more troubling that the attackers manage to pass themselves off as law enforcement officers. It is impossible for victims to protect themselves against this tactic, as the best way to avoid it would be to not have an account on the service concerned, according to the sources.
Hackers posing as law enforcement
It is not known how many times fraudulent data requests have been used to sexually extort minors. Police departments and tech companies are still trying to gauge the extent of the problem. Because the requests appear to come from legitimate law enforcement agencies, it’s hard for companies to know when they’ve been tricked into releasing user data.
Nonetheless, law enforcement officials and investigators said it appears the method has become more common in recent months. “I know that emergency data requests are used every day in real life-threatening emergencies, and it is tragic that this mechanism is being misused to sexually exploit children,” said Alex Stamos, former head of security at Facebook, who now works as a consultant.
Law enforcement agencies are going to have to focus on preventing account compromises with multi-factor authentication and better analysis of user behavior, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals, where they can better detect account takeovers, Stamos added.
A Google spokesperson said: “In 2021, we discovered a fraudulent data request from malicious actors posing as legitimate government officials. We quickly identified an individual who appeared to be responsible and informed law enforcement. We actively work with law enforcement and other industry players to detect and prevent illegitimate data requests.”
Facebook employees review each data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse, a spokesperson said. Similarly, Rachel Racusen, a spokeswoman for Snap, said the company carefully reviews every request it receives from law enforcement to ensure its validity and has multiple safeguards in place to detect fraudulent claims. A Discord spokesperson said they approve all emergency requests.
How do hackers do it?
Emergency requests typically do not include an order signed by a judge, so companies generally have no legal obligation to provide data. But it is generally accepted that companies release limited data in response to “good faith” requests from law enforcement involving imminent danger. Last month, we reported that Apple and Meta, Facebook’s parent company, provided data about their customers to hackers posing as law enforcement agents. The bogus requests appeared to be used primarily for financial fraud.
The exact method of the attacks varies, but they tend to follow a general pattern, according to law enforcement officials. The attacker begins by compromising the email system of a foreign police department. Next, the attacker makes an “emergency data request” to a technology company to obtain information about a user’s account, the agents said. These requests are used by law enforcement to obtain information about online accounts in cases of imminent danger such as suicide, murder or kidnapping.
In response, the companies provide the attacker with basic subscriber information, which is the same data provided to law enforcement in response to a court-ordered subpoena, according to law enforcement officials and people familiar with legal proceedings. The data provided varies by company, but typically includes name, IP address, email address and physical address. Some companies provide more data.
Although seemingly harmless, this personal data, in the wrong hands, can be used as a weapon. Attackers used this information to hack victims’ online accounts or to befriend women and minors before encouraging them to provide sexually explicit photos. According to the sources, most of the attackers are themselves teenagers based in the United States and abroad.
If the victims do not comply with their demands, the aggressors use several harassment techniques to retaliate.
One of the techniques deployed is “swatting”, in which the attackers send a false threat to a local 911 dispatcher in order to trigger a police response at their target’s address. In many cases, underage women have been victims of swatting at their homes and schools, federal law enforcement officials said.
Another approach, called doxxing, involves posting detailed personal information online, including phone numbers and physical addresses of victims and their family members. This information, which is sometimes obtained in part through fraudulent legal requests, is usually posted on doxxing sites, which essentially serve as an open invitation for others on the site to harass the victim.
In addition, the perpetrators threatened to send sexually explicit content provided by the victim to her friends, family members and school administration if she did not comply with their requests, according to those concerned. In a few cases, victims were pressured to carve the attacker’s name onto their skin and share photos of it, according to law enforcement officials.
The problem of falsified legal requests is prompting companies to think of new ways to verify legitimate legal requests, according to a dozen people familiar with the matter. “Fraudulent emergency data requests abuse the ‘good faith’ basis of imminent harm, but fraudsters have also been known to usurp legitimate legal process such as subpoenas and search warrants by forging the signature of a judge,” said Matt Donahue, founder of Kodex, which creates software that helps businesses manage legal requests.
Allison Nixon, head of research at cybersecurity firm Unit 221b, said the threat of underage perpetrators should be a priority for the computer security industry and law enforcement. “We are now seeing their transition into organized crime, with all the real-world violence and sexual abuse that comes with it,” Allison Nixon said, adding that underage hackers cause serious damage and we need to start treating them like adult criminals.