A handful of Big Tech firms have been conned into turning over user data in response to phony law enforcement requests – data that is then used to extort and sexually harass those users, several informed sources told Bloomberg on Tuesday.
Companies including Google, Apple, Meta, Twitter, Snap, and Discord have been duped into supplying user data to malicious actors who then use the information to extort their victims, the sources claim. The fake law-enforcement officers reportedly target specific women and minors, sometimes coercing them into creating and sharing sexually explicit material by using threats of retaliation.
While these scams initially appeared to focus on financially extorting their victims, sexual extortion schemes have become disturbingly popular, according to Bloomberg’s law enforcement sources. They typically begin with a hacker compromising a law enforcement agency’s email system and forging an “emergency data request” targeting a particular social media user. When the company provides the requested information, the hacker can use it to compromise the target’s social media accounts outright or to befriend the target over a period of time, eventually coercing or blackmailing them into providing sexually explicit photos or videos.
Victims who don’t cooperate are subjected to an array of retaliation tactics, including “swatting,” a potentially deadly prank that involves calling in a fake threat to a local 911 dispatcher. Police sent to the target’s home may be told the individual is violent, leading to potentially deadly confrontations. Others may have their personal information posted to dedicated doxxing websites, inviting random miscreants to torment them at will. Those duped into providing sexually explicit material are told the offending photos will be sent to family members, friends or employers.
Because emergency requests don’t require a court order signed by a judge, they are relatively easy to manufacture, and the social media companies themselves are not required to fork over the data. However, most supply the information anyway, especially if the request references a situation of “imminent danger” such as kidnapping, suicide or murder.
Companies willingly turn over the names, IP addresses, emails, physical addresses, and sometimes even more information in response to such requests – often responding in the same way as they would to a court-ordered subpoena. And in some cases, the fake requests do come accompanied by a judge’s forged signature, which can reportedly be purchased for as little as $10 on the dark web.
Former Facebook chief security officer Alex Stamos called for police departments and tech firms to step up their security, requiring confirmation callbacks and multi-factor authentication to make it more difficult to spoof calls or emails from the authorities.
Spokespeople from Facebook, Google, Discord and Snap insisted that they work with law enforcement to “validate” legitimate data requests, while Twitter and Apple declined to comment on the matter. When requested, the companies provide the desired data in the vast majority of cases, even without a court order. Apple reportedly complies with 93% of emergency requests, while Meta allegedly supplies data in response to 77% of inquiries.
Reports of hackers and other criminals conning Big Tech firms into supplying user information initially surfaced last year, with at least one of the culprits – a teenager – linked to British cybercrime ring Lapsus$, a group with a history of allegedly hacking Microsoft, Samsung and Nvidia. While many if not most of the perpetrators are believed to be minors, this should not put law enforcement off prosecuting them to the fullest extent of the law, according to Allison Nixon, chief research officer at cybersecurity firm Unit 221b. “We are now witnessing their transition to organized crime, and all the real-world violence and sexual abuse that comes with it,” she said, urging authorities to try these “serious” offenders as adults.