Major technology companies have been duped into providing sensitive personal information about their customers in response to fraudulent legal requests, and the data has been used to harass and even sexually extort minors, according to four federal law enforcement officials and two industry investigators.
The companies that have complied with the bogus requests include Meta Platforms Inc, Apple Inc, Alphabet Inc’s Google, Snap Inc, Twitter Inc and Discord Inc, according to three of the people. All of the people requested anonymity to speak frankly about the devious new brand of online crime that involves underage victims.
The fraudulently obtained data has been used to target specific women and minors, and in some cases to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refuse, according to the six people.
The tactic is considered by law enforcement and other investigators to be the newest criminal tool to obtain personally identifiable information that can be used not only for financial gain but to extort and harass innocent victims.
It is particularly unsettling since the attackers are successfully impersonating law enforcement officers. The tactic is impossible for victims to protect against, as the best way to avoid it would be to not have an account on the targeted service, according to the people.
It’s not clear how often the fraudulent data requests have been used to sexually extort minors. Law enforcement and the technology companies are still trying to assess the scope of the problem. Since the requests appear to come from legitimate police agencies, it’s difficult for companies to know when they have been tricked into giving out user data, the people said.
Nonetheless, the law enforcement officials and investigators said it appears the method has become more prevalent in recent months.
“I know that emergency data requests get used for in real life-threatening emergencies every day, and it is tragic that this mechanism is being abused to sexually exploit children,” said Alex Stamos, a former chief security officer at Facebook who now works as a consultant.
“Police departments are going to have to focus on preventing account compromises with multifactor authentication and better analysis of user behaviour, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers,” Stamos said.
A Google spokesperson said, “In 2021, we uncovered a fraudulent data request coming from malicious actors posing as legitimate government officials. We quickly identified an individual who appeared to be responsible and notified law enforcement. We are actively working with law enforcement and others in the industry to detect and prevent illegitimate data requests.”
Facebook workers review every data request for “legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse”, a spokesperson said. Similarly, Rachel Racusen, a Snap spokesperson, said the company carefully reviews each request it gets from law enforcement “to ensure its validity and have multiple safeguards in place to detect fraudulent requests”.
A Discord spokesperson said they validate all emergency requests. Twitter and Apple declined to comment.
Emergency requests typically don’t include a court order signed by a judge, so companies are usually under no legal obligation to provide data. But it is a generally accepted practice that companies will turn over limited data in response to “good faith” requests by law enforcement involving imminent danger.
Last month, Bloomberg News reported that Apple and Meta, the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials. At that time, three people familiar with the matter said the fake requests appeared to be primarily used for financial fraud schemes.
The exact method of the attacks varies, but they tend to follow a general pattern, according to the law enforcement officers. It starts with the perpetrator compromising the email system of a foreign law enforcement agency.
Then, the attacker will forge an “emergency data request” to a technology company, seeking information about a user’s account, the officers said. Such requests are used by law enforcement to obtain information amount online accounts in cases involving imminent danger such as suicide, murder or abductions.
In return, the companies provide the attacker with basic subscriber information – the same data provided to law enforcement in response to a court-ordered subpoena, said law enforcement officials and people familiar with the legal processes.
The data provided varies by companies, but generally includes the name, IP address, email address and physical address. Some companies provide more data.
Though seemingly innocuous, such personal data in the wrong hands can be weaponised. The attackers have used the information to hack into victim’s online accounts or to befriend the women and minors before encouraging them to provide sexually explicit photos, according to the people. Many of the perpetrators are believed to be teenagers themselves based in the US and abroad, according to four of the people.
If the victims don’t comply with the demands, the attackers have used several harassment techniques to retaliate, according to the people.
One technique that has been deployed is called “swatting”, where perpetrators call in a fake threat to a local 911 dispatcher in order to generate a law enforcement response to the address of their target. In multiple instances, underage women have been swatted at their homes and schools, the US federal law enforcement officials said.
Another approach, called doxxing, involves publishing the detailed personal information, including phone numbers and physical addresses of victims and their family members, online. The information, which is sometimes obtained in part by fraudulent legal requests, is usually posted on sites dedicated to doxxing, which essentially serve as an open invite for other people on the site to harass the victim.
In addition, perpetrators have threatened to send sexually explicit material provided by the victim to their friends, family members and school administrators if they don’t comply with the demands, according to the people. In a few instances, the victims have been pressured to carve the perpetrator’s name into their skin and share photographs of it, according to the law enforcement officials and online chat transcripts reviewed by Bloomberg.
The problem of forged legal requests is prompting companies to think of new ways to verify legitimate legal requests, according to a dozen people who are familiar with the matter.
“Fraudulent emergency data requests abuse the ‘good faith’ basis of imminent harm, but fraudsters have also been known to spoof legitimate legal process such as subpoenas and search warrants by counterfeiting a judge’s signature,” said Matt Donahue, founder of Kodex, which creates software for companies to manage legal requests.
In a statement last month, US Senator Ron Wyden, a Democrat from Oregon, said he was requesting information from technology companies about the practice of forged legal requests.
“I’m particularly troubled by the prospect that forged emergency orders may be coming from compromised foreign law enforcement agencies, and then used to target vulnerable individuals,” Wyden said. “No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed.”
Allison Nixon, chief research officer at the cybersecurity firm Unit 221b, said the threat from underage perpetrators should be prioritised by the computer security industry and law enforcement.
“We are now witnessing their transition to organised crime, and all the real world violence and sexual abuse that comes with it,” Nixon said, adding that juvenile hackers are causing serious harm, so “we need to start treating them like adults”. – Bloomberg