Apple, Facebook Doxxed Users—via Fake Police EDRs

Hackers have been spoofing email from police forces to steal personal data from big tech companies. They’re abusing the firms’ “emergency data request” (EDR) process, which exists precisely so that requests can skip the usual judicial sign-off.

EDRs are intended for life-and-death situations, where law enforcement can’t get a court order in time. But it seems far too easy for hackers to socially engineer their way to stealing private data from Apple, Meta and others. Some are calling it “terrifying and highly effective.”

And our new “friends” Lapsus$ are involved, apparently. In today’s SB Blogwatch, we mourn the death of privacy.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: EDM Imperial March.

Not a Smart Move

What’s the craic? William Turton and Sarah Frier report—“Apple and Meta Gave User Data to Hackers”:

Recursion Team
Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data … in response to … forged “emergency data requests,” … to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter. … Normally, such requests are only provided with a search warrant or subpoena signed by a judge, [but] emergency requests are intended to be used in cases of imminent danger and don’t require a judge to sign off on it.

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the UK and the U.S. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$. … City of London Police recently arrested seven people in connection with an investigation into … Lapsus$.

Hackers affiliated with a cybercrime group known as “Recursion Team” are believed to be behind some of the forged legal requests. … Recursion Team is no longer active, but many of its members continue to carry out hacks under different names, including as part of Lapsus$.

And Nat Rubio-Licht adds—“The hackers used fake emergency requests to obtain data”:

Fraudulent law enforcement requests
It’s not uncommon for law enforcement to request information from social media companies for investigations. Those requests are typically signed by a judge in the U.S., but emergency data requests do not need judge sign-off as they’re used in cases of imminent danger. … It’s not known how many times companies gave data in response to the requests.

Snap also reportedly received a forged information request, but it is unclear if the company responded. … A Snap spokesperson said [it] has safeguards built into its processes to spot fraudulent law enforcement requests, including from hacked accounts.

Let’s climb aboard the Brian Krebs cycle—“Hackers Gaining Power of Subpoena”:

Has been arrested multiple times
There is a terrifying and highly effective “method” … to harvest sensitive customer data. [In] a case involving imminent harm or death, an investigating authority may make [an] EDR, which largely bypasses any official review. … There are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to succeed is illicit access to a single police email account.

Prior to launching LAPSUS$, the group’s leader “White” (a.k.a. “WhiteDoxbin,” “Oklaqq”) was a founding member of a cybercriminal group calling itself the “Recursion Team.” … The founder of the Recursion Team, [using] the handle “Everlynn,” [is thought to be] a 15-year-old from the United Kingdom who has used a variety of monikers over the past year alone, including “Miku” and “Anitsu,” [and] has been arrested multiple times for issuing fake EDRs.

Yikes, what a mess. But this whole EDR thing sounds really fishy. Joseph Bland explains:

It takes time to get a court order. Obviously, it would need to be:
a) worth setting aside normal processes for (an imminent terrorist incident, etcetera) and
b) backed by a vetted signoff.

If someone went to extremes to fake (b) in order to get basic subscriber details, such as a customer’s address, phone number and IP address, then that customer’s basic info had better be worth it.

However, as rsilvergun points out, the time it takes ain’t much:

If you have a life or death situation, you can get a subpoena within minutes. … Judges are on call at all times. … There was never any need for [EDRs].

Or just verify the request? Hal is sorry, but he can’t do that:

What about … verification? Are these EDRs so frequent that someone … can’t pick up a phone?

It’s worrying that Apple fell for this. BootsWalking concludes thuswise:

Hopefully the final nail in the coffin for Apple thinking anyone will trust their competence and execution for the proposed CSAM child pornography reporting tool.

Wait. Pause. Is “hacker” the right word? NateFromMich thinks language is a virus:

Hackers? Are you a “hacker” if you ask nicely for access and they give it to you? This must be like one of those “life hacks.”

Meanwhile, The Sunshine State remembers WarGames:

David Lightman … showed us first the true art of social engineering. Maybe those teenage boys in England should have just stuck to playing a nice game of chess.

And Finally:

Excessive ducking is excessive



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Guillaume “crash71100” Vachey (public domain)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
