Tech giants have been duped into providing sensitive personal information about their customers in response to fraudulent legal requests, and the data has been used to harass and sexually extort children, according to four federal law enforcement officials and two industry investigators.
Tech Giants Duped to Give Data
The tech companies that have reportedly complied with the bogus requests are Apple, Meta, Alphabet Inc., Twitter, Snap, and Discord, according to Business Telegraph.
All of the people who revealed the incident requested anonymity to speak frankly about the devious new brand of online crime that involves underage children.
The fraudulently obtained data has been used specifically to target minors and women. In some cases, it was used to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refused to comply.
According to Bloomberg, the tactic is considered by law enforcement and other investigators to be the latest criminal tool to obtain personally identifiable information that can be used not only for financial gain but also to extort and harass the victims.
It is very unsettling because the attackers are successfully impersonating law enforcement officers. The tactic is impossible for victims to protect against, as the best way to avoid it would be to not have an account on the targeted service.
It is not clear how often the fraudulent data requests have been used to extort children. Law enforcement and the technology companies are still trying to assess the scope of the problem.
Since the requests appear to come from legitimate police agencies, it is challenging for companies to know when they have been tricked into giving out user data, according to NewsMax.
Fraudulent Data Requests Revealed
Alex Stamos, a former chief security officer at Facebook who now works as a consultant, said that he knows that emergency data requests get used in real life-threatening emergencies every day, and it is tragic that the mechanism is being abused to exploit children.
Stamos said that police departments are going to have to focus on preventing account compromises with multifactor authentication and better analysis of user behavior, and tech companies should implement a confirmation callback policy as well as push law enforcement to use the portals where they can better detect account takeovers.
A Google spokesperson also commented on the revelations, saying that in 2021 the company uncovered a fraudulent data request coming from malicious actors posing as legitimate government officials.
They quickly identified an individual who appeared to be responsible and notified law enforcement immediately. They are actively working with law enforcement and others in the tech industry to detect and prevent illegitimate data requests.
Facebook workers who review every data request for legal sufficiency said that they use advanced systems and processes to validate law enforcement requests and detect abuse.
Similarly, the spokesperson for Snap, Rachel Racusen, said that the tech company carefully reviews each request it gets from law enforcement to make sure of its validity. They also have multiple safeguards in place so they can detect fraudulent requests faster.
This article is owned by Tech Times
Written by Sophie Webster