Hackers fooled Meta, Apple by sending forged emergency requests, acquired customer data

Cybercriminals are getting more aggressive and cunning nowadays that even big tech companies fall into their traps. Two of the companies that experienced such crime are Apple and Meta, as said by the three knowledgeable individuals that Bloomberg talked to. According to them, the tech companies provided some data to the cybercriminals who forged legal requests in 2021.

The customer’s address, phone number, and IP address are some of the details that were shared by the companies after receiving fraudulent emergency data requests. They are usually requested by law enforcement officials to use them to solve the cases they handle. When presenting the request, it is accompanied by a search warrant or subpoena, but in the case of “emergency data requests,” such requirements are not needed as the request could be about an urgent matter like life-threatening cases.

“In emergencies, law enforcement may submit requests without legal process,” Meta says on its website. “Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”

With this, the sources said that Apple and Meta released the data to comply with the emergency request. Meta reported that it received a total of 21,700 emergency requests from January to June 2021 around the globe, to which it responded to 77% of them. Meanwhile, Apple said that it was contacted by 29 countries totaling 1,162 emergency requests, wherein 93% of the requests were granted. Snap Inc. also received a request, though it isn’t clear whether it answered it. Discord, on the other hand, confirmed that it also received an emergency data request that it later permitted.

“We verify these requests by checking that they come from a genuine source, and did so in this instance,” Discord said. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

On the other side of the coin, Apple has clear guidelines for processing the request. It reads:

“If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

It wasn’t mentioned if the guidelines were observed during the compliance with the forged emergency requests.

Meta’s statement reflects the same idea:

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” said Andy Stone, Meta spokesman. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

According to the people who detailed the case to Bloomberg, the individuals behind the case might probably be teenagers from the US and the UK, with one of them suspected to be the mastermind behind the cybercrime group Lapsus$. Yet, in general, the bad actors responsible for the crime are said to be related to the group called “Recursion Team” that is not active anymore, though its members are still performing the crimes under different names. 

The plot of the crime starts by penetrating the law enforcement email domains globally. From there, the criminals will find a template of a legal request, which they will use later. Using the found format, bad actors will forge signatures and even create names to make the letter look credible. However, the individuals who disclosed the information reported a detail that seems more disturbing than the issue being tackled: the login details of these domains are being sold in the dark web underground shops with all the attached cookies and metadata needed.