Apple and Meta are two companies you would least expect to be scammed. But it’s not the first time Big Tech giants have made the headlines for the wrong reasons. This time, hackers pretending to be law enforcement officials obtained customer data from the two powerhouses. The same group has also targeted Snap Inc and the popular messaging app Discord.
Bloomberg reports that attackers tricked Apple and Meta into handing over information such as customer addresses, phone numbers, and IP addresses by forging emergency data requests. Generally, you’d need a search warrant or a subpoena signed by a judge to obtain such confidential data. However, emergency requests don’t need a court order.
How Apple and Meta let it happen
Bloomberg’s sources indicate that attackers used the oldest trick in the scamming repertoire: a classic phishing impersonation. First, they compromised the email accounts of law enforcement agencies in several countries, then used professional-looking legal templates with fake signatures of genuine and made-up law enforcement officials to carry out the scam.
If you’re wondering whether this was a sophisticated scheme, far beyond what companies might expect, it wasn’t. Most likely, hackers bought passwords from the dark web and imitated the common practice of requesting information from social media platforms during a criminal investigation.
As expected, Apple and Meta representatives were quick to shrug off the incident.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” Meta spokesman Andy Stone said in a statement.
Who was behind the attack?
All clues lead to the hackers known as Recursion Group. While the group is no longer active, some of its members, including minors in the UK and US, are believed to run cyber attacks on behalf of the notorious group Lapsus$, which has targeted many prominent tech giants like Samsung, Nvidia, and Microsoft. The UK Police have been hot on their heels and have already arrested seven people with suspected ties to the Lapsus$ group.
How to prevent such fraud?
If we follow the chain of events that led to the attack, it all started with the law enforcement agencies and their questionable security hygiene. To prevent account takeover attacks, agencies should increase the cyber security awareness of their employees and establish strict password protocols across all departments.
A strong password has at least 12 characters and a mix of uppercase and lowercase letters, numbers, and symbols. The most efficient way to manage passwords on multiple accounts is to use a password generator service.
As for the victims themselves, it’s a bit trickier for the likes of Apple and Meta to instantly flag such schemes without a centralized system in place for submitting such requests. With so many jurisdictions and law enforcement agencies worldwide, keeping track of all laws on data collection in conjunction with criminal investigations is a challenge that still awaits a solution.
One potential measure is to create a universal portal where law enforcement must log in to request data, but while it looks good on paper, implementing it in the real world across all jurisdictions could be a matter of years. Here are a few stats on the frequency of such requests:
Apple received 1,162 emergency requests from 29 countries between January and June 2021 and responded to 93%, while Meta got 21,700 requests in the same period and answered 77%.