The News: The Apple Meta hack is the latest cyberattack in the news. Apple and Meta employees accidentally handed over sensitive data to hackers leveraging social engineering techniques and pretending to be law enforcement. The incident occurred in mid-2021 and provided information such as users’ IP addresses, phone numbers, and home addresses. Read the full story here.
The Apple Meta Hack — Breaking Down How It Happened and Exploring Some of the Cybersecurity Dangers Ahead
Analyst Take: The Apple Meta hack is a social engineering hack and is unfortunate — and yet it’s also more commonplace than people realize. In many cases, we tend to think we are unimportant enough to be the target of a hack, but if that’s your logic, open up the cupboard and take two doses of reality. You’re a target, I’m a target, everyone’s a target. But hackers love it when people mistakenly think they’re immune to being targeted. Remember, hackers and other groups are after something, and that something is data and information. Whether it’s an economic espionage attempt angling for company secrets, a ransomware attack, or a hack intended to gain access to users’ personally identifiable information, there are different attack vectors for each scenario.
Everything Seems Benign – But It’s Not
From a corporate standpoint, all of us are likely more connected and have access to more information inside the organization than we realize and our tracks are everywhere — ready for threat actors to pick up. Are you on social media a lot posting videos with your team at work, @mentioning them, and giving a glimpse into the dynamics of the team and special projects you’re working on? Are you adding things on your LinkedIn profile or that resume on Monster.com such as key customers, key projects, divisional revenue, your cell phone number, private e-mail address, and more? Are you on social media and showing what your likes and dislikes are? How about places you’ve visited, your birthday, the city you live in, and the vacations you take? Then there are those “fun” Facebook quizzes, developed by threat actors and designed to get people to divulge things like the year they graduated from high school, their mothers’ maiden names, and the street they grew up on — all cleverly designed to get users to divulge personal information that can be used to perpetuate a hack. Hackers are looking for anything and everything they can use to develop solid knowledge of the organization so it can be used in a phone conversation or in an e-mail to develop rapport with you.
Think I’m being overly pessimistic? Here are some examples as food for thought. Imagine you just started a new firm in a key division (the attacker is after) and posted your new position on LinkedIn. Chances are a hacker might already have knowledge of the company and will call or email you (they have the company email naming convention @yourorg.com) saying that a higher-level vice president or client needs a piece of information and without thinking, you give it to them because you don’t want to get in trouble in this new job. Or, maybe they see that post about the fact that you just finished graduate school and you might get a tailored email phishing campaign with your school alumni association looking for donations or a notice from your loan servicer. Here’s one that we experienced just this last week. Numerous members of our team were targeted in a SMSishing campaign, receiving text messages from an unfamiliar number that were designed to look as though they were coming from one of the founders of our firm. Clever, yes. Successful, no.
And while this SMSishing attempt wasn’t successful, there are many that are. A common theme in attacks like this is a rogue sender asking the recipient to buy gift cards due to some emergency where they personally don’t have time to do it and providing a malicious link to make it easy for the target to make those purchases.
Attacks can come from all vectors these days, including endpoints, malicious links shared by way of email, text, social media, hacks designed to harvest PII data that can later be used in attacks, and so much more.
Why the Apple Meta Hack is So Concerning
The reason we find the Apple Meta hack alarming is that as mentioned earlier, requests from law enforcement officials to social media platforms are not at all uncommon. However in order to make those requests, hackers must first infiltrate the email systems of whatever law enforcement agency they are targeting. As we’ve covered here before, there are many government email addresses available online. We covered the leak of a 100GB data set reported in May of last year, which obtained some 3.2 billion leaked passwords from 2.18 million unique emails. This data set included a whopping 1.5 million world government emails and somewhere in the neighborhood of 625,000 U.S. government passwords. By any measure, that’s a lot of email addresses and a lot of password access to those emails.
Brian Krebs of Krebs on Security reported on these “fake emergency data requests” and indicated these Apple Meta hackers are suspected to be teenagers who are randomly targeting police email accounts to perpetuate these hacks. The recent LAPSUS$ hack that targeted Microsoft, Okta, NVIDIA, Samsung, and Vodafone was suspected to have been masterminded by a UK-based teenager, aided by other intrepid teens. The BBC reported last week reported that City of London Police arrested seven young people between the ages of 16 and 21 in connection to the LAPSUS$ hack. Krebs reported that the LAPSUS$ Telegram channel boasts some 45,000 subscribers and features ads offering to recruit corporate insiders along with posts offering for sale a warrant/subpoena service that would allow hackers to get law enforcement data from any service for a whopping $100 to $250 per request.
The Apple Meta hack should be of concern as it provided customer data including phone numbers, addresses, and IP addresses, which are easily used by threat actors to bypass account security, collect data, and execute campaigns against the likes of you and me — and any of our connections on social platforms or email contacts and beyond. It is believed there’s a chance that Snap, Inc., the parent company of the popular social media platform Snapchat, also received a forged request from this same group of hackers, but it’s not known whether Snap delivered any customer data.
More Reason to be Concerned about the Apple Meta Hack — Don’t Forget the Very Real Dangers of Deep Fakes
There’s another concern as it relates to the Apple Meta hack and that relates to deep fakes. Deep fake images and videos are created by computers using machine learning technology to make them seem real, even though they aren’t. Deep fake images aren’t something we have to worry about in the future – they are something we need to worry about today. For instance, deep fake images are being used by companies on LinkedIn to game the LinkedIn system, both by sales reps as well as by marketing teams. NPR recently reported on a study by Stanford Internet Observatory identified over 1,000 deep fake profiles on LinkedIn belonging to more than 70 companies. And we’re reasonably confident that number barely scratches the surface. LinkedIn has reportedly removed more than 15 million accounts that included AI-generate profile images, and the problem is likely in only the nascent stages.
And the problem of deep fakes as it relates to video likewise poses serious problems as technology continues to improve. This will make it easier for hackers to leverage both your image and your voice in the future. This can be troublesome in myriad ways. As organizations continue to utilize collaboration platforms for communication, virtual events, physician visits, attorney visits and court hearings and beyond, there is inherent risk. Imagine a hacker swiping your image and creating a deep fake video and having a chat with your accountant, attorney, or doctor discussing your personal information.
Wrapping up the Apple Meta Hack
In conclusion, the Apple Meta hack is unfortunate. It’s yet another example of the reality that hacking is a very big, very lucrative business. It’s also a reminder that hackers are going to hack, and it’s largely only a matter of time before all of us personally are affected in some way or another (whether we realize it or not). There’s a very real personal danger, and a very real corporate danger. From a personal standpoint, it’s always a good idea to secure your social media and other accounts using two-factor authentication, and to make sure your passwords are very secure and/or that you use a password manager. From a corporate standpoint, our research indicates that corporate IT teams who use dashboards and can monitor activity in real time across their networks are better positioned to protect their organizations against unauthorized access than those who do not. It’s also important to conduct regular and ongoing cybersecurity training, as well as to conduct phishing, SMSishing and other kinds of test attacks internally so as to identify where there are weak points within the organization and where additional security and training might be needed.
We’ll close with one reminder: the question today is not “will I be hacked” but instead “when will the inevitable hack occur and how am I protecting myself and/or my organization from the risks associated with that hack.” For a deeper dive on the level and type of threats enterprises encounter and the measures, practices, and policies enterprises employ to address these threats throughout the security journey, check out this research report we did in partnership with Dell, which was informed by the opinions of 1,000 high level technology and security executives directly involved in the security planning, implementation, management, or operations. You’ll find the research report here: Four Keys to Navigating the Hardware Security Journey.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum Research as a whole.