An incredibly sophisticated type of cyber attack is being carried out by groups of teenagers posing as law enforcement officials.
According to a report by Bloomberg, both Apple and Meta fell prey to a scam where hackers faked emergency data request orders. Usually sent by law enforcement officials investigating criminal cases, those data requests apparently can be forged relatively easily.
Both Apple and Meta believed the phony emergency data requests and handed over information about their users, from IP addresses to phone numbers and, in some cases, home addresses.
According to Krebs on Security, an expert in the area, these attacks involve a hacker first gaining access to a police department’s email systems. They can then pose as a law enforcement agent, forge data requests and ask tech companies such as social media platforms to hand over their users’ data.
What for? Security experts say that the teenagers are usually trying to doxx individuals, that is, to find out and post their personal information online as part of vendettas or extortion schemes.
Just at the end of March, Bloomberg also reported that a UK teen living near Oxford University was the mastermind behind the Lapsus$ hacking group.
That group claimed credit for hacking company data belonging to Nvidia, Samsung, Microsoft and Ubisoft, among others. The UK teenager in question, using the aliases “Oklaqq” and “WhiteDoxbin”, also owned a website where people can both post and find out other people’s personal information and addresses to carry out doxxing attacks.
Now, he and other teenagers from around the world are suspected of having changed their aliases and of being members of a hacking group called Recursion Team. Seven individuals suspected of being part of the Lapsus$ hacking group were arrested by London police.
When asked for comment, Andy Stone, the policy and communications director for Meta, told The Verge that they “review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse”.
They also say they’re working with law enforcement to respond to incidents involving suspected fraudulent requests.
The Verge also contacted Apple, which directed them to its law enforcement guidelines. These state that, when Apple receives customer data requests, its policy is to contact the organization to ask for confirmation of the request.