Hackers Trick Facebook, Meta, Receive Customer Information

Facebook’s parent company, Meta Platforms Inc., and Apple Inc. were tricked by hackers who posed as law enforcement officials into handing over customer data that could be used for harassment and to aid financial fraud.

According to reports, the hackers who sent the forged requests are minors located in the U.K. and the U.S. One of the minors is also suspected of being the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft Corp., Samsung Electronics Co., and Nvidia Corp., among others.

Apple and Meta were said to have provided basic subscriber details, such as a customer’s address, phone number, and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such data is only provided in response to a search warrant or subpoena signed by a judge, according to the people. However, emergency requests don’t require a court order.

Snap Inc. also received a forged legal request from the same hackers, but it isn’t known whether the company provided data in response. It’s also not clear how many times the companies provided data prompted by forged legal requests.

Facebook responded through its spokesman, Andy Stone, who said: “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse.”

Apple, for its part, pointed to a section of its law enforcement guidelines that says a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

Law enforcement around the world routinely asks social media platforms for information about users as part of criminal investigations. In the U.S., such requests usually include a signed order from a judge. The emergency requests are intended to be used in cases of imminent danger and don’t require a judge to sign off on them.

According to a report, hackers affiliated with a cybercrime group known as the “Recursion Team” are believed to be behind some of the forged legal requests, which were sent to companies throughout 2021.

It is said that the Recursion Team is no longer active, but many of its members continue to carry out hacks under different names, including as part of Lapsus$.

A source stated that the information obtained by the hackers using the forged legal requests has been used to enable harassment campaigns. The source added that it may be used primarily to facilitate financial fraud schemes when the victim’s information is known.

Apple and Meta both publish data on their compliance with emergency data requests. From July to December 2020, Apple received 1,162 emergency requests from 29 countries. According to its report, Apple provided data in response to 93% of those requests.

Meta said it received 21,700 emergency requests from January to June 2021 globally and provided some data in response to 77% of the requests.

Explaining how systems for requesting data from companies work, Jared Der-Yeghiayan, a director at cybersecurity firm Recorded Future Inc. and former cyber program lead at the Department of Homeland Security, said: “There’s no one system or centralized system for submitting these things, every single agency handles them differently.”

Companies such as Meta and Snap operate their own portals for law enforcement to send legal requests, but still accept requests by email and monitor requests 24 hours a day, Der-Yeghiayan said.

Compromising the email domains of law enforcement around the world is in some cases relatively simple, as the login information for these accounts is available for sale on online criminal marketplaces.

“Dark web underground shops contain compromised email accounts of law enforcement agencies, which could be sold with the attached cookies and metadata for anywhere from $10 to $50,” said Gene Yoo, chief executive officer of the cybersecurity firm Resecurity, Inc.
