A number of the biggest tech companies in the world are being duped by bad actors posing as law enforcement agencies and personnel into handing over data about their users. This data has since been used by these bad actors to harass, blackmail and sexually extort these users, including minors.
According to a new report by Bloomberg, almost all of the major tech companies dealing with social media and communication tools have been targeted. Among those who handed over data to the fake legal requests include Apple, Google, Snap, Twitter, Meta and Discord. The modus operandi starts with these bad actors hacking into the email system of a foreign law enforcement agency. They would then create an ’emergency data request’ to one of these tech firms, typically asking for a specific user’s account details such as name, IP address, physical address, email details and more.
Real law enforcement agencies do sometimes make these requests, as authorities can use this information in cases that involve suicide, murder, kidnapping and the like. Companies will typically comply with these requests too out of good faith, but when such sensitive information ends up with these hackers, they become a problem. Attackers have used information gained through these fake legal requests to hack into the online accounts of victims or sometimes befriend women and minors and solicitating explicit photos. If they don’t comply, these hackers will then harass by ‘swatting’ or ‘doxxing’ their victims. There’s also been a few cases where the attackers forced their victims into carving their name into their skin, before sharing images of it elsewhere.
“I’m particularly troubled by the prospect that forged emergency orders may be coming from compromised foreign law enforcement agencies, and then used to target vulnerable individuals. No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed,” – Ron Wyden, US Senator
US federal law enforcement agencies are now working together with industry investigators on the issue. Discord have since said that they validate all emergency legal requests, while Facebook stated that they review every data request for ‘legal sufficiency’ and have a number of advanced systems in place to validate legal requests and detect abuse. Google meanwhile also responded to Bloomberg, stating that they first saw fake requests from bad actors pretending to be law enforcement last year and contacted the authorities over it.
“In 2021, we uncovered a fraudulent data request coming from malicious actors posing as legitimate government officials. We quickly identified an individual who appeared to be responsible and notified law enforcement. We are actively working with law enforcement and others in the industry to detect and prevent illegitimate data requests,” – Google spokesperson
It’s a shame to see that user data can so easily be given away like this, but in these companies’ defense, emergency data requests are usually helpful for authorities in real life-threatening situations. However, in light of this new tactic by hackers, authorities around the world will need to start improving their own cybersecurity while the tech firms themselves should implement some form of a confirmation callback policy. This way they can prevent more of these fake legal requests from successfully getting away with user data.