Skip links

Facebook locks out 1,500 fake accounts used by cyber-spy firms to snoop on people, alerts 50k potential targets

Facebook successor Meta on Thursday said it canceled 1,500 social media accounts used by seven surveillance-for-hire firms to conduct online attacks against government critics and members of civil society.

These accounts were primarily used to observe targets and lure them into visiting malicious websites, or receiving booby-trapped messages, typically, that compromise their devices and online profiles. Tens of thousands of people potentially targeted by these groups have been privately alerted by Facebook.

“The global surveillance-for-hire industry targets people to collect intelligence, manipulate and compromise their devices and accounts across the internet,” said David Agranovich, director, threat disruption and Mike Dvilyanski, head of cyber espionage Investigations, in a blog post.

“While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists.”

While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate

Agranovich and Dvilyanski said that while Israel-based NSO Group, maker of the Pegasus spyware, has received widespread attention from both the private and public sector for facilitating state-backed surveillance, there’s a broader global cyber mercenary industry.

That industry has recently attracted the attention of lawmakers, after WhatsApp got the ball rolling with its October 2019 lawsuit against NSO Group for allegedly helping snoop on its customers. Microsoft spoke out against cyber-mercenaries in 2020 and Apple decided to take action with its own lawsuit against NSO Group last month.

On Wednesday, 18 US Democratic lawmakers asked that NSO Group, UAE-based DarkMatter Group, and EU-based Nexa Technologies and Trovicor face sanctions under the Global Magnitsky Act for enabling human rights abuses. And earlier this month, 81 civil society groups asked EU lawmakers to punish NSO Group for facilitating human rights abuses.

NSO group has consistently insisted it sells its software only to prevent terror and crime and after that does not operate its software – a claim disputed in lawsuits against the spyware maker.

In an email to The Register in response to US lawmakers seeking tough sanctions against the biz, a spokesperson insisted the developer welcomes regulation.

“NSO has been advocating for international regulation of the industry, to make sure critical technologies that saves lives, like we develop, cannot be misused by various governments,” a spokesperson said. “While we are already implementing our unique compliance policy, we are committed to take part of any push for further regulations and restrictions.”

Meta can’t mete out punishment as serious as government sanctions. Instead, it closed hundreds of accounts on its Facebook and Instagram services for community standards and terms-of-service violations, and banned those responsible from its services. It also shared its findings with other platforms and researchers, and blocked spoof domains.

The accounts at issue were used to conduct reconnaissance; to engage with targets (for the sake of gaining trust and social engineering); and to compromise targets’ other online accounts via phishing or hijack their devices via security vulnerability exploits. The bogus accounts were said to be operated by Cobweb Technologies (200 accounts), Cognyte (100), Black Cube (300), Bluehawk CI (100), BellTroX (400), Cytrox (300), and an unknown entity in China (100).

Meta also said it has alerted about 50,000 people who it believes were targeted by these surveillance-for-hire entities.

Fakes news

Mind you, Facebook, like other social media services, for years has been unable to prevent people from registering fake accounts. Between October and December of 2020, Facebook in March said it disabled more than 1.3bn of them. There’s no reason to believe these firms will be unable to recreate new fake accounts given the sophistication of their cyber operations.

In a report on Meta’s account purge [PDF], Agranovich, Dvilyanski, and Nathaniel Gleicher, head of security policy, acknowledge as much but sound hopeful their Whac-a-Mole game against these firms will get easier.

“The entities behind these surveillance operations are persistent, and we expect them to evolve their tactics,” their report says. “However, our detection systems and threat investigators, as well as other teams in the broader security community keep improving to make it harder for them to remain undetected.”

The entities behind these surveillance operations are persistent, and we expect them to evolve their tactics

Citizen Lab, a cybersecurity research group out of the University of Toronto in Canada, on Thursday published a report involving one of these firms, Cytrox, which makes spyware called Predator.

The research group said two Egyptians – exiled politician Ayman Nour and the host of a popular news program who asked to remain unidentified – were hacked in June 2021 with Cytrox’s Predator spyware.

Nour was targeted by two different clients of an entity suspected of being the Egyptian government. His iPhone, running the then-current iOS 14.6, was compromised by both Predator and NSO Group’s Pegasus via single-click or zero-click links sent from WhatsApp. The Pegasus attack utilized NSO Group’s FORCEDENTRY exploit (CVE-2021-30860). The entry exploit used by the Predator spyware, believed to be a zero-day vulnerability, isn’t disclosed; device compromise appears to have involved links in images delivered via WhatsApp.

Citizen Lab said it has disclosed the forensic data from its investigation to Apple and Meta, which owns WhatsApp, and noted Meta’s enforcement action against social media accounts associated with Cytrox.

Meta says it has identified Cytrox customers in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam, the Philippines, and Germany, and that the firm has provided services to a threat actor known to security firms as Sphinx.

Citizen Lab said mercenary spyware firms can be expected to continue meeting the needs of autocratic governments until national and international rules disallow such services.

“Absent international and domestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future,” the group said. ®