Personal information obtained from Apple and Google by hackers impersonating law enforcement agencies is being misused for sexual extortion of minors

Technology companies that operate SNS and web services store a lot of user data, and sometimes law enforcement agencies require us to provide the user data necessary for criminal investigations. However, in recent years, it has been confirmed that a hacker impersonating a law enforcement agency sends a 'fake data request' to illegally obtain user data, and asks minors to send sexual images by misusing personal information. It is said that such incidents have also occurred.

Data From Fake Legal Requests Used to Sexually Extort Minors (FB, GOOG, TWTR) --Bloomberg

Apple tricked into releasing data used to sexually extort minors ―― 9to5Mac

In March 2022, foreign media Bloomberg reported that 'a hacker impersonating a law enforcement agency asked Apple and Meta to provide user data, and both companies shared the data accordingly.' In the United States, a court warrant / subpoena is required when requesting the provision of user data, but if there is an imminent danger such as suicide, murder, or kidnapping, an 'urgent data request (urgent data request) that requires data provision without a warrant or subpoena. Emergency Data Requests: EDR) ”can be performed. It is a common practice for companies to follow EDR in good faith, but hackers have abused this to impersonate law enforcement agencies and obtain user data through EDR.

It is clear that Apple and Meta were sharing user data with hackers impersonating law enforcement--GIGAZINE

Bloomberg also spoke with four law enforcement officers and two industry investigators about the fraudulent demands of hackers and the provision of information from major technology companies. Three of them testify that companies that responded to hacker fake requests include Meta, Apple, Google, Snapchat, Twitter, and Discord. All six anonymously testified to Bloomberg that hackers not only use fraudulently obtained personal information for financial gain, but also target women and minors to request the transmission of sexual images. It states that it was abused or used for retaliation in case of refusal.

Hackers use a variety of techniques, but in general, they often infringe the email addresses of foreign law enforcement agencies and use these email addresses to send EDRs to technology companies. It's difficult for tech companies to spot this because the request looks like it was sent by a legitimate law enforcement agency, and the tech company could be fooled by the user's name, IP address, email address, address, etc. I will send the information.

Hackers who obtain this data can hack the victim's online account or request that they become friends with women and minors and send them sexual images. If the victim does not respond to the request, hackers will threaten to ' swatt ' to rush armed police officers by making fake reports and to expose personal information online. According to a law enforcement person who testified to Bloomberg, many of the criminals are teenagers living in the United States and others, and in some cases threatened to 'carve my name on my skin and take a picture.' It was said that.

It is unknown how often fraudulent EDR transmissions are used, but similar techniques have been increasing in recent months. Google, Facebook, Discord, and others who responded to Bloomberg's inquiries responded that they are trying to verify inquiries from law enforcement agencies and detect fraud, but this method of misusing the good intentions of companies Against this, new measures are required.

Democratic Senator Ron Wyden said, 'I'm worried about the prospect that counterfeit EDRs could be sent from compromised foreign law enforcement agencies and used to target vulnerable individuals. No one wants tech companies to reject legitimate urgent requests when someone's safety is threatened, but the current system has obvious weaknesses that need to be addressed. There is. ' Alison Nixon, chief researcher at cybersecurity company Unit 221b , said that boy hackers have moved to organized crime and are engaged in real-world violence and sexual abuse. We need to start treating boy hackers like adults. '

A tool to address the demands of hackers impersonating law enforcement is the Kodex platform, founded by former Federal Bureau of Investigation (FBI) employee Matt Donahue. Kodex is a platform that digitally manages information requests from law enforcement agencies, and it also provides a function to score the email address of the law enforcement agency that sent the request and make it easier to find fraudulent EDRs. .. Mr. Donahue told Krebs on Security, a security-related blog, that fake EDRs often send emails to many companies using the same email address, so by sharing information between companies, fraudsters It claims that EDR abuse is easier to detect.

Fighting Fake EDRs With'Credit Ratings' for Police – Krebs on Security

in Security, Posted by log1h_ik