- Cybercriminals pose as law enforcement officials to trick tech companies into handing over user data.
- Tactics include typos in police emails and official inboxes that have been compromised by BEC.
- Tech companies now rely on verified portals for data requests to reduce fraudulent disclosures
While most data breaches occur due to software vulnerabilities and fake login credentials, large technology companies sometimes voluntarily hand over their customers’ personal data to authorities.
Of course, they don’t know that the “law enforcement” they’re sharing data with are actually cybercriminals looking for material for their fraud and identity theft.
Wired reports that some cybercriminals are taking advantage of the fact that large tech companies like Apple are legally required to share certain data with authorities under certain conditions and through certain channels.
Google employees against war
Sometimes law enforcement investigates a crime or national security issue and asks Apple, Google, Facebook, or other companies to share information about specific people. Because these companies hold a large amount of user data and often have extensive customer profiles, this information can prove invaluable during an investigation.
In other cases, the police are responding to a crisis that could cause immediate harm and make an urgent request for data.
Cybercriminals know this and attack these companies in various ways to get their data. One way to do this is by using typos: creating websites and email addresses that look identical to official police addresses, except that they contain only one letter or character.
They then send carefully worded emails that are almost indistinguishable from legitimate police correspondence, hoping that the recipient won’t notice the difference and will eventually pass on the information.
Another way to achieve this is to use Business Email Compromise (BEC), which first compromises the inboxes of affected agents and officials and uses their emails instead.
Although this approach is more difficult to implement, it works better because the legitimacy of the requests is significantly higher.
The good news is that most large technology companies have data request forms, which are then carefully reviewed and verified.