Tech giants duped into giving up data for offences including harassment of minors

NEW YORK (BLOOMBERG) - Major technology companies have been duped into providing sensitive personal information about their customers in response to fraudulent legal requests, and the data has been used to harass and even sexually extort minors, according to four federal law enforcement officials and two industry investigators.

The firms that have complied with the bogus requests include Meta Platforms, Apple, Alphabet's Google, Snap, Twitter and Discord, according to three of the sources. All of the sources requested anonymity to speak frankly about the devious new brand of online crime that involves underage victims.

The fraudulently obtained data has been used to target specific women and minors, and in some cases to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refuse, according to the sources.

The tactic is considered by law enforcement and other investigators to be the newest criminal tool to obtain personally identifiable information that can be used not only for financial gain but also to extort and harass innocent victims.

It is particularly unsettling since the attackers are successfully impersonating law enforcement officers. The tactic is impossible for victims to protect against, as the best way to avoid it would be to not have an account on the targeted service, according to the sources.

It is not clear how often the fraudulent data requests have been used to sexually extort minors. Law enforcement and the technology companies are still trying to assess the scope of the problem. Since the requests appear to come from legitimate police agencies, it is difficult for companies to know when they have been tricked into giving out user data, the sources said.

Nonetheless, the law enforcement officials and investigators said it appears that the method has become more prevalent in recent months. "I know that emergency data requests get used in real life-threatening emergencies every day, and it is tragic that this mechanism is being abused to sexually exploit children," said Mr Alex Stamos, a former chief security officer at Facebook who now works as a consultant.

"Police departments are going to have to focus on preventing account compromises with multi-

factor authentication and better analysis of user behaviour, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers."

A Google spokesman said, "In 2021, we uncovered a fraudulent data request coming from malicious actors posing as legitimate government officials. We quickly identified an individual who appeared to be responsible and notified law enforcement. We are actively working with law enforcement and others in the industry to detect and prevent illegitimate data requests."

Facebook workers review every data request for "legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse", a spokesman said.

Similarly, Ms Rachel Racusen, a Snap spokesman, said the company carefully reviews each request it gets from law enforcement "to ensure its validity and have multiple safeguards in place to detect fraudulent requests".

A Discord spokesman said the messaging platform validates all emergency requests. Twitter and Apple declined to comment.

Emergency requests typically do not include a court order signed by a judge, so firms are usually under no legal obligation to provide data. But it is a generally accepted practice that companies will turn over limited data in response to "good faith" requests by law enforcement involving imminent danger.

In March, Bloomberg News reported that Apple and Meta, the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials. At the time, three people familiar with the matter said the fake requests appeared to be primarily used for financial fraud schemes.

The exact method of the attacks varies, but they tend to follow a general pattern, according to the law enforcement officers. It starts with the perpetrator compromising the e-mail system of a foreign law enforcement agency.

Then, the attacker will forge an "emergency data request" to a tech company, seeking information about a user's account, the officers said. Such requests are used by law enforcement to obtain information about online accounts in cases involving imminent danger such as suicide, murder or abduction.

In return, the companies provide the attacker with basic subscriber information - the same data provided to law enforcement in response to a court-ordered subpoena, said law enforcement officials and people familiar with the legal processes.

The data provided varies by companies, but generally includes the name, IP address, e-mail address and physical address. Some companies provide more data.

Though seemingly innocuous, such personal data in the wrong hands can be weaponised. The attackers have used the information to hack into victim's online accounts or to befriend the women and minors before encouraging them to provide sexually explicit photos, according to the sources.

Many of the perpetrators are believed to be teenagers themselves based in the United States and abroad, according to four of the sources. If the victims do not comply with the demands, the attackers have used several harassment techniques to retaliate, the sources said.

One technique that has been deployed is called "swatting", where perpetrators call in a fake threat to a local 911 dispatcher in order to generate a law enforcement response to the address of their target. In multiple instances, underage girls have been swatted at their homes and schools, the federal law enforcement officials said.

Another approach, called doxxing, involves publishing the detailed personal information, including phone numbers and physical addresses of victims and their family members, online. The information, which is sometimes obtained in part by fraudulent legal requests, is usually posted on sites dedicated to doxxing, which essentially serves as an open invite for other people on the site to harass the victims.

In addition, perpetrators have threatened to send sexually explicit material provided by the victims to their friends, family members and school administrators if they do not comply with the demands, according to the sources. In a few instances, the victims have been pressured to carve the perpetrator's name into their skin and share photographs of it, according to the law enforcement officials and online chat transcripts reviewed by Bloomberg.

The problem of forged legal requests is prompting companies to think of new ways to verify legitimate legal requests, according to a dozen people who are familiar with the matter.

"Fraudulent emergency data requests abuse the 'good faith' basis of imminent harm, but fraudsters have also been known to spoof legitimate legal processes such as subpoenas and search warrants by counterfeiting a judge's signature," said Mr Matt Donahue, founder of Kodex, which creates software for companies to manage legal requests.

In a statement last month, US Senator Ron Wyden, a Democrat from Oregon, said he was requesting information from technology companies about the practice of forged legal requests.

"I'm particularly troubled by the prospect that forged emergency orders may be coming from compromised foreign law enforcement agencies, and then used to target vulnerable individuals," he said.

"No one wants tech companies to refuse legitimate emergency requests when someone's safety is at stake, but the current system has clear weaknesses that need to be addressed."

Ms Allison Nixon, chief research officer at cyber-security firm Unit 221b, said the threat from underage perpetrators should be prioritised by the computer security industry and law enforcement.

"We are now witnessing their transition to organised crime, and all the real-world violence and sexual abuse that comes with it," Ms Nixon said, adding that juvenile hackers are causing serious harm, so "we need to start treating them like adults".