Law enforcement and investigators are trying to assess the scope of this new data-stealing tactic, which is said to have become more prevalent recently.
Tech companies including Meta, Apple, Google, Snap, Twitter and Discord have been tricked into handing over customers’ personal information in response to fake legal requests, and the data was used in some cases to harass and sexually exploit minors, according to a Bloomberg report.
Three people familiar with an investigation into the matter told Bloomberg that these companies have all complied with fraudulent requests, though the number of successful requests is unclear.
Google confirmed to the publication that it uncovered a fraudulent data request last year, while other companies did not go into detail or refused to comment.
It was reported last month that Apple and Meta provided user data last year to cybercriminals who requested information using fraudulent ‘emergency data requests’, which can be made when officials require speedy access to data.
Sources told Bloomberg that it can be difficult for companies to know when they have been tricked in this manner, as the requests can look like they come from legitimate law enforcement agencies.
At that time, three people familiar with the matter told Bloomberg that hackers compromised law enforcement accounts and requested sensitive user data such as a customer’s address, phone number and IP address. They appeared to use the data mainly for financial fraud schemes.
In a further report published this week, sources told Bloomberg that personal information obtained using this method was used to befriend women and minors before encouraging them to provide sexually explicit photos.
If the demands weren’t met, hackers reportedly used harassment techniques, such as calling in a fake threat to local law enforcement with the victim’s address or threatening to leak personal information online.
Newest criminal tool
Law enforcement officials and investigators told Bloomberg that the method has become more prevalent in recent months and appears to be the newest criminal tool being used to obtain personal information for both harassment and financial gain.
A Krebs on Security report published last month also said the tactic of compromising accounts tied to law enforcement and then sending unauthorised emergency data requests is becoming more common.
Tech companies have strict rules about who they hand out user data to. Usually, law enforcement officials can make requests for information as part of criminal investigations – but, in the US for example, must submit an official court-ordered warrant or subpoena.
However, an emergency request can be submitted in certain cases involving imminent danger, which can bypass official rules and court-approved documents. But hackers may now be trying to compromise this system.
Krebs on Security previously reported that at least one of the emergency requests for data sent to Discord was fulfilled.