Apple tricked into releasing personal data used to sexually extort minors
We learned last month that Apple was tricked into releasing personal data to hackers, after they posed as law enforcement officials with emergency data requests. The report also revealed that the data had been used for sexual extortion of minors.
The latest report sheds light on the hacking techniques used to fool Apple, Snap, Twitter and Facebook.
Background
Usually, companies will not release customer information to law enforcement officers until they receive a court order. Even then, the company may carefully review the request and offer to provide only a portion of it.
This process can take time. There is also an emergency data request procedure that may be used when there is a risk to the health or safety of one or more people. In these cases, companies do check that the request comes from a legitimate law enforcement contact, but supply the information first, and ask questions later.
Hackers made fake emergency requests in order to convince Apple and other companies that user data was available. The new report details how data was misappropriated and how companies were tricked.
How Apple was duped
Bloomberg reports that the attack generally relies on being able to use hacking or phishing to gain access to law enforcement email systems, so that the source of the requests appears genuine.
Although the exact methods of attacks vary, they all tend to follow the same pattern according to law enforcement officers. The perpetrator compromises the foreign law enforcement agency’s email system.
The attacker then will create an “emergency request” to a tech company seeking information regarding a user account. Such requests are used by law enforcement to obtain information amount online accounts in cases involving imminent danger such as suicide, murder or abductions […]
The data you provide varies from company to company, but it generally contains your name, address and email address. Some companies provide more data.
Cascade attack used to extort victims
Although the data doesn’t sound like it amounts to much, it does provide enough information to allow further hacks and phishing attacks to be carried out against individual victims. Both perpetrators and victims are reported to include children.
The attackers used this information to hack victim’s accounts online or to make friends with the victims before asking them to send explicit pictures. Many of the perpetrators are believed to be teenagers themselves based in the US and abroad, according to four of the people.
Bloomberg reports that some of the cases were horrifically extreme.
Perpetrators have threatened to send sexually explicit material provided by the victim to their friends, family members and school administrators if they don’t comply with the demands, according to the people. The perpetrators have sometimes been forced to make the victim’s name visible on their skin and take photos
.
9to5Mac’s Take
Fake emergency data requests sent from legal email addresses are a serious problem. Companies can be harmed if they don’t respond. They run the risk that hackers will gain access to personal data if they release it without any additional checks. They may not be able to assist victims in real cases if they wait too long for more detailed checks.
The obvious danger is that this tactic becomes more common. Significant resources need to be put into preventing and detecting this crime, and the punishment needs to reflect the severity of the potential consequences.
Photo: Alexander Krivitskiy/Unsplash