We learned last month that Apple was tricked into releasing personal data to hackers, after they posed as law enforcement officials with emergency data requests. A follow-up report reveals that some of this data was used to sexually extort minors.
The latest report also sheds light on how the hackers were able to fool Apple and other tech giants, including Facebook, Google, Snap, Twitter, and Discord …
Background
Usually, a company will only release customer data to law enforcement officials on receipt of a court order, and even then will scrutinize the request carefully, sometimes offering to supply only part of the data requested.
As this process takes time, there is an emergency data request procedure for use when there is an immediate risk of harm to one or more individuals. In these cases, companies do check that the request comes from a legitimate law enforcement contact, but supply the information first, and ask questions later.
Hackers used fake emergency data requests to persuade Apple and other companies to release user data. A new report explains how the data was misused, and provides some information on how the companies were fooled.
How Apple was tricked
Bloomberg reports that the attack generally relies on being able to use hacking or phishing to gain access to law enforcement email systems, so that the source of the requests appears genuine.
Cascade attacks used to extort victims
Although the data doesn’t sound like it amounts to much, it does provide enough information to allow further hacks and phishing attacks to be carried out against individual victims. Both perpetrators and victims are reported to include children.
The exact method of the attacks varies, but they tend to follow a general pattern, according to the law enforcement officers. It starts with the perpetrator compromising the email system of a foreign law enforcement agency.
Then, the attacker will forge an “emergency data request” to a technology company, seeking information about a user’s account, the officers said. Such requests are used by law enforcement to obtain information about online accounts in cases involving imminent danger such as suicide, murder or abductions […]
The data provided varies by company, but generally includes the name, IP address, email address and physical address. Some companies provide more data.
Bloomberg reports that some of the cases were horrifically extreme.
The attackers have used the information to hack into victims’ online accounts or to befriend the women and minors before encouraging them to provide sexually explicit photos, according to the people. Many of the perpetrators are believed to be teenagers themselves based in the US and abroad, according to four of the people.
The use of fake emergency data requests from legitimate law enforcement email addresses is a huge issue because it risks harm however companies respond. If they do release data with minimal checks, they run the risk of handing over personal information to hackers. If they delay long enough for more involved checks, it may be too late to help victims in genuine cases.
Perpetrators have threatened to send sexually explicit material provided by the victim to their friends, family members and school administrators if they don’t comply with the demands, according to the people. In a few instances, the victims have been pressured to carve the perpetrator’s name into their skin and share photographs of it.
The obvious risk is that this becomes an increasingly common tactic. Significant resources need to be put into preventing and detecting this crime, and the punishment needs to reflect the severity of the potential consequences.