Apple and Meta (Facebook), two of the world’s largest technology companies, shared their users’ private information, such as addresses, phone numbers and IP addresses, to hackers who they posed as police officersas reported Bloomberg, who has had access to details of the ongoing investigation. The two companies fell for the trap in mid-2021, thinking that the “emergency data request” sent by cybercriminals was real.
The emergency data request (EDR) is a kind of legal procedure that can be used by security agents in order to obtain the necessary information from a user to be able to carry out an investigation. These types of requests does not require a court order, given that it is considered urgent and is carried out, in most cases, when there is a life or death situation. Apple, Meta and other companies are forced to share this data once they verify that the request is real.
Both Apple and Meta, in fact, seem to have a rigorous system for verify that the procedure is legitimate. “We review each data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone told the outlet. But how could they have provided data to a bogus request?
Accept or reject the request, a life or death decision
According to investigations, hackers could have sent the fake emergency data requests via real police directions. Falsifying, in addition, the signatures of the agents. Accessing internal police systems seems like a simple task for cybercriminals, and the practice of sending data requests in order to obtain information from users is, he says. Krebs on Security, “highly effective”. Mainly, because the affected companies —such as Apple and Meta, in this case— are forced to accept a request of these characteristics when considering that the life of one or more people may be at risk.
It is not the first time that this method is used to obtain private information from users who use a platform. According Bloomberg, the practice of falsifying “emergency data requests” began in January 2021, targeting a wide variety of companies operating in the technology sector. Snap Inc. (Snapchat’s parent company) also appears to be one of those affected. However, it is unclear whether the company ultimately agreed to the request and shared its users’ data with the hackers.
Even so, Meta, Apple, and other companies that can suffer this type of attack or that have already been involved in similar scams, have different security measures to avoid future incidents.
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Andy Stone, spokesperson for Meta
Who is behind the Apple and Meta hack?
Everything indicates that the attack on Apple and Meta was organized by a teen hacker team and minors located in the United States and the United Kingdom. The team called itself ‘Recursion Team’ when they started this practice, but according to investigations, it would currently be dissolved.
Many of the members now seem to be part of part of LAPSUS$, the “Latin American” team that hacked Nvidia, Microsoft, Okta, Samsung or Mercado Libre. Interestingly, the London Police arrested seven members of the group just a few days ago. One of them, the alleged leader of LAPSUS $ and who could also be involved in hacking different companies through the request for emergency data, is 16 years old and lives with his parents in Oxford.
–
