Reports suggest how tech giants were duped recently into giving in sensitive personal information about their customers in response to fraudulent legal requests. This data, in turn, was reportedly used to harass, along with sexually extorting minors. The details of this incident was revealed by four federal law enforcement officials, along with two industry investigators. According to three of the people, the tech giants falling victims to these inauthentic requests were Meta Platforms, Twitter, Google, Snap, Apple, Discord among others. These people requested to remain anonymous throughout the investigation in order to speak freely.
The data gained fraudulently was reportedly put in use to target certain women and children in particular. The investigators and officials revealed how the data was at time used to pressurise them into making and sharing sexually explicit content, and retaliating against them in case of refusal. Law enforcement, along with other investigators consider this tactic to be one the newest criminal methods to gain such information. Such personally identifiable data can be used not only financial profit, but also to extort and harass victims. With attackers successfully posing as law enforcement officers, one cannot determine how to differentiate between such requests.
“I know that emergency data requests get used for in real life-threatening emergencies every day, and it is tragic that this mechanism is being abused to sexually exploit children,” said Alex Stamos, a former chief security officer at Facebook who now works as a consultant.
Currently, it is not clear as to how the data acquired fraudulently was used to sexually extort minors. With the requests coming from seemingly legitimate agencies, it is difficult for law enforcement and companies to determine if and have been tricked. However, the officials now claim that such methods have been rather common for the past few months. Spokespeople from Facebook, Google and Discord admitted how they had indeed come across such fraudulent requests and have been working with government officials to get to the root of the matter. The main problem lies in the fact that emergency requests do not require a court order that is signed by a judge. However, it is expected that companies would submit limited data to ‘good faith requests by law enforcement.
These attacks normally starts with the perpetrator compromising the mailing system of a foreign law enforcement agency. This is followed by the attacker forging one ’emergency data request’ to a company, requesting such information.