Apple and Meta leaked user data to hackers posing as police


The tech companies Meta, parent company of Facebook, and Apple reportedly provided information about their users to cybercriminals who pretended to be the police, according to a recent Bloomberg report.

According to three people investigating the matter who spoke to that outlet, both companies provided basic details of their users, such as addresses, telephone numbers or IP addresses, in the middle of last year, after receiving supposedly legal emergency requests.

Law enforcement routinely asks platforms and social networks for information about users, as part of criminal investigations. In the United States, the country of origin and center of operations of both companies, these requests most often include an order signed by the competent authority, in this case, a judge.

Although companies only provide this information with a search warrant or subpoena signed by a judge in advance, emergency requests do not have these requirements, since they are intended for cases of imminent danger.

Apple, for its part, has contacted Bloomberg to clarify the case and has sent it a section of its user data protection guidelines.

They state that the government supervisor or law enforcement officer who urged the company to hand over that information “can be contacted” and would be asked for confirmation to determine that the emergency request “was legitimate,” according to these documents.

Meanwhile, Meta spokesman Andy Stone has pointed out that the company has an exhaustive security system for this type of request, to keep its users' information safe.

“We review each data request for legal sufficiency and use our advanced systems to validate law enforcement requests and detect abuse,” the spokesperson said.

In addition, he explained that Meta blocks accounts that have been identified as dangerous so that they cannot issue these requests, and that it works with the security forces to respond to incidents related to allegedly fraudulent requests.

However, on its own website it specifies that “depending on the circumstances” the company may voluntarily disclose information to security forces when it has reason to believe that the matter “involves an imminent risk of serious physical injury or death.”

In addition to Apple and Meta, as noted by Bloomberg, Snapchat also reportedly received an apparently legal request from this group of cybercriminals, but it is unknown whether it provided the requested data.

For its part, the website Krebs on Security reported that the hackers had also targeted the Discord platform. Discord later confirmed to Bloomberg that it had also received a request of this kind.

“We verify these requests by verifying that they come from a legitimate source and we did so in this case,” the Discord company said in a statement.

“Although our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor,” the company explained, adding that it had already reported the case to the police.

Various request systems

Depending on the company or business in question, the procedure for making these urgent requests has certain differences.

Companies like Meta and Snapchat operate their own portals for law enforcement to submit legal requests, but they also accept email requests.

In addition, they monitor requests on an uninterrupted basis, according to the director of the cybersecurity company Recorded Future Inc. and former head of the cyber program at the Department of Homeland Security, Jared Der-Yeghiayan.

Apple, by contrast, accepts urgent lawful data requests through an apple.com email address.

Possible connections with LAPSUS$

According to investigations, cybercriminals associated with a group known as the Recursion Team are believed to be behind these forged requests and began submitting them throughout 2021.

Specifically, the mass sending of these requests began in January of last year and it is believed that they were sent through fraudulent email domains belonging to police organizations in various countries.

To provide a legitimate appearance, the cybercriminals included false signatures of real agents and other fictitious ones in these documents, as confirmed by two of these witnesses.

The third source, by contrast, told Bloomberg that by compromising law enforcement email systems, the fraudsters could have found legitimate legal requests and used them as templates for the fake ones.

Although the Recursion Team is currently inactive, the researchers suspect that some of those involved in sending these bogus requests might have connections to LAPSUS$.

This group of hackers, in which teenagers participate and whose mastermind resides in England, has recently been blamed for the theft of information and credentials from other large technology companies, such as Samsung, Nvidia, Okta or Microsoft.


