How Hackers Get Your Data Using Fake Legal Requests


Apple and Meta Platforms handed customer data to hackers posing as law enforcement officials. Ordinarily such demands require a search warrant or subpoena signed by a US judge; emergency requests, however, need no court order.

In response to the forged “emergency data requests,” Apple and Meta provided basic subscriber information in mid-2021.

It is unclear how many times the companies released information in response to fraudulent legal requests.

Some of the hackers making the bogus requests are believed to be minors in the United Kingdom and the United States, according to cybersecurity researchers.

According to reports, one of the minors is also believed to be the mastermind behind Lapsus$, the hacking group that targeted Microsoft, Samsung Electronics, and Nvidia Corp.


City of London Police recently arrested seven people in connection with an investigation into a hacking gang; the investigation is still underway.

An Apple spokesperson pointed Bloomberg News to a section of the company’s law enforcement guidelines. According to those guidelines, the government or law enforcement official who filed the request, or their supervisor, “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

In a response, Meta spokesperson Andy Stone said, “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse.”

“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

Snap claims to have systems in place to detect fake law enforcement demands.

In the United States, such requests are normally accompanied by a judge’s written order.

Law enforcement agencies around the world routinely ask social media networks for information about their users as part of criminal investigations.

Once the hackers obtained a victim’s information, they could use it to help bypass the security on the victim’s accounts.

According to one of the people familiar with the investigation, the information the hackers gathered through the forged legal demands was also used to facilitate harassment campaigns.

According to three people familiar with the matter, it was primarily used to facilitate financial fraud schemes.

According to Bloomberg, the fraudulent requests were crafted to look genuine.

According to the sources, the hackers may have obtained legitimate legal demands and used them as templates for their forgeries.

According to the three people and one additional person examining the case, the fraudulent legal requests were likely sent from compromised email accounts belonging to law enforcement agencies in several countries.

According to two of the people, in some cases the documents carried forged signatures of real or fictitious law enforcement officials.

According to Allison Nixon, chief research officer at the cyber firm Unit 221B, “in every instance where these companies messed up, at the core of it there was a person trying to do the right thing.”

“I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”

To protect the identities of the people targeted, Bloomberg is withholding certain details of the incidents.

Hackers also forged an emergency data request to obtain information from the chat platform Discord, according to Krebs on Security.

Apple and Meta both publish information about how they respond to emergency data requests.

Apple received 1,162 emergency requests from 29 countries between July and December 2020.

According to the report, Apple provided data in response to 93% of those requests.

Similarly, Discord acknowledged in a statement to Bloomberg that it had also complied with a falsified legal order.

“While our verification process confirmed that the law enforcement account itself was legitimate,” Discord added, “we later learned that it had been compromised by a malicious actor.”

Discord has since opened an investigation into the criminal activity and notified law enforcement about the compromised email account.

Meta said it received 21,700 emergency requests worldwide from January to June 2021 and provided data in response to 77% of them.

The companies’ data request systems are a patchwork of email addresses and dedicated web portals.

On its website, Meta notes that “In emergencies, law enforcement may submit requests without legal process.” “Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”

Jared Der-Yeghiayan, a director at cybersecurity firm Recorded Future Inc. and former cyber program, says there is no single, unified procedure for submitting these requests.

He added that while Meta and Snap have their own portals through which law enforcement can file legal demands, they still accept requests by email and monitor them around the clock.

According to Apple’s legal guidelines, legal requests for user data can be sent to an email account “provided it is transmitted from the official email address of the requesting agency.”

According to Gene Yoo, Chief Executive Officer of Resecurity, Inc., underground dark web shops sell compromised email accounts belonging to law enforcement agencies, often bundled with the associated session cookies and metadata, for anywhere between $10 and $50.
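The weakness the article describes is that an “official email address” check, and even a check that the mailbox is genuinely the agency’s, is satisfied by a compromised account. The following is an added illustration, not the intake process of Apple, Meta, Snap or Discord: a minimal triage policy for emailed emergency requests that authenticates the sender (SPF/DKIM), checks the agency domain and a list of known-compromised accounts, and then still refuses to release data until a reviewer has called back using a contact number taken from an independently maintained directory rather than from the request itself. All domains, addresses, phone numbers and email samples below are constructed for the example.

```python
"""Added example: triage of emailed emergency data requests.

Not any platform's real process. Agency directory, blocklist and the three
sample emails are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from enum import Enum

# Hypothetical out-of-band directory: agency domain -> verification phone number.
# The number must come from here, never from the request being verified.
AGENCY_DIRECTORY = {"police.example.gov": "+1-555-0100"}

# Hypothetical list of agency accounts already reported as compromised.
BLOCKED_SENDERS = {"compromised.officer@police.example.gov"}


class Decision(Enum):
    REJECT = "reject"
    HOLD_FOR_CALLBACK = "hold_for_callback"
    RELEASE = "release"


@dataclass
class Triage:
    decision: Decision
    reasons: list = field(default_factory=list)


def authenticated_sender(msg):
    """Return (address, domain); domain is None unless SPF and DKIM both passed
    for that domain. A bare From: header proves nothing, it is attacker-chosen."""
    addr = parseaddr(msg["From"] or "")[1].lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    tokens = set(re.split(r"[\s;]+", (msg["Authentication-Results"] or "").lower()))
    ok = {"spf=pass", "dkim=pass", f"header.d={domain}"} <= tokens
    return addr, (domain if ok and domain else None)


def triage_request(raw_email, callback_confirmed=False):
    """Decide whether an emailed emergency request may be acted on.

    callback_confirmed is set by a human reviewer only after reaching the agency
    at the directory number; it is never derived from the email."""
    msg = message_from_string(raw_email)
    addr, domain = authenticated_sender(msg)
    if domain is None:
        return Triage(Decision.REJECT, ["sender failed SPF/DKIM authentication"])
    if domain not in AGENCY_DIRECTORY:
        return Triage(Decision.REJECT, [f"{domain} is not a known agency domain"])
    if addr in BLOCKED_SENDERS:
        return Triage(Decision.REJECT, [f"{addr} is a known compromised account"])

    # Everything above also passes for a genuine but hijacked mailbox, which is
    # the case in the article, so these checks alone never release data.
    reasons = []
    body = msg.get_payload() if isinstance(msg.get_payload(), str) else ""
    offered = re.search(r"\+?\d[\d\- ]{7,}\d", body)
    if offered and offered.group(0) != AGENCY_DIRECTORY[domain]:
        reasons.append(f"ignored callback number {offered.group(0)} supplied in message")
    if not callback_confirmed:
        reasons.append(f"hold: confirm by phone at {AGENCY_DIRECTORY[domain]}")
        return Triage(Decision.HOLD_FOR_CALLBACK, reasons)
    reasons.append("sender authenticated, agency known, callback confirmed")
    return Triage(Decision.RELEASE, reasons)


# Constructed sample messages (headers as a receiving MTA would have stamped them).
LEGIT_REQUEST = """\
From: Det. Jane Roe <jane.roe@police.example.gov>
To: lawenforcement@platform.example
Subject: EMERGENCY DISCLOSURE REQUEST
Authentication-Results: mx.platform.example; spf=pass smtp.mailfrom=police.example.gov; dkim=pass header.d=police.example.gov

Imminent risk of serious physical injury. Please confirm by calling +1-555-0199.
"""

FORGED_REQUEST = """\
From: Det. Jane Roe <jane.roe@police.example.gov>
To: lawenforcement@platform.example
Subject: EMERGENCY DISCLOSURE REQUEST
Authentication-Results: mx.platform.example; spf=fail smtp.mailfrom=mail.attacker.example; dkim=none

Imminent risk of serious physical injury. Release subscriber records now.
"""

KNOWN_COMPROMISED_REQUEST = """\
From: compromised.officer@police.example.gov
To: lawenforcement@platform.example
Subject: EMERGENCY DISCLOSURE REQUEST
Authentication-Results: mx.platform.example; spf=pass smtp.mailfrom=police.example.gov; dkim=pass header.d=police.example.gov

Imminent risk of serious physical injury. Release subscriber records now.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_REQUEST), ("forged", FORGED_REQUEST),
                      ("compromised", KNOWN_COMPROMISED_REQUEST)]:
        print(name, triage_request(raw))
    print("legit after callback", triage_request(LEGIT_REQUEST, callback_confirmed=True))
```

The legitimate-looking message is held rather than released, and the phone number it offers is explicitly discarded: a hijacked mailbox can supply any number it likes, so only the directory contact counts. A spoofed From: with failing SPF/DKIM and a known-compromised account are rejected outright; what this policy cannot catch is a freshly compromised account whose owner is unreachable, which is exactly why the callback step stays mandatory.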

According to Nixon of Unit 221B, a workable remedy for forged legal demands sent from compromised law enforcement email systems will be hard to find.