An investigation traces an NSO Group-controlled IP address to a fake Facebook security portal.
According to an investigative journalist team, the Israeli authors of the infamous Pegasus mobile spyware, NSO Group, have been using a spoofed Facebook login page, crafted to look like an internal Facebook security team portal, to lure victims in.
The news comes as Facebook alleges that NSO Group has been using U.S.-based infrastructure to launch espionage attacks. Both issues are relevant to Facebook’s quest to hold NSO accountable under U.S. laws (specifically the Computer Fraud and Abuse Act) for a spate of WhatsApp hacks that came to light last year.
Pegasus, which infects both Android and Apple smartphones, contains a host of spy features. After scanning the target’s device, it installs the necessary modules to read the user’s messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history and contacts and carry out other surveillance tasks as needed. It’s widely believed to have been involved in spying on murdered Saudi dissident Jamal Khashoggi, journalists investigating cartel activity in Mexico and more.
“A former NSO employee provided Motherboard with the IP address of a server setup to infect phones with NSO’s Pegasus hacking tool,” according to a Motherboard investigative report this week. “The IP address provided to Motherboard related to a one-click installation of Pegasus, the former employee said.”
Motherboard’s investigation, partnering with DomainTools and RiskIQ, involved a review of passive domain name server (DNS) records to uncover where the IP address controlled by NSO Group resolved to.
“Throughout 2015 and 2016, the IP address resolved to 10 domains,” the team wrote, one of which impersonated Facebook’s security team. The others were designed to appear as innocuous unsubscribe links, and others were crafted to look like package-tracking links from FedEx.
“Mobile devices are designed for accessibility, convenience and speed – extra security gets in the way of those benefits,” Colin Bastable, CEO of Lucy Security, told Threatpost. “Facebook’s brand property makes it ideal for exploitation by hackers, and in this case the use of a site designed to emulate the Facebook security team is especially adroit.”
Meanwhile, Facebook is in the process of suing the NSO Group over its alleged use of a zero-day exploit for Facebook-owned WhatsApp. In May 2019, a zero-day vulnerability was found in WhatsApp’s messaging platform, exploited by attackers who were able to inject the Pegasus spyware onto victims’ phones in targeted campaigns.
The lawsuit alleges that NSO Group used vulnerable WhatsApp servers to send malware to approximately 1,400 mobile devices. CitizenLab, which assisted Facebook’s investigation into the issue, said that it identified over 100 cases of abusive targeting of human-rights defenders and journalists in at least 20 countries across the globe stemming from NSO Group’s spyware.
Facebook also claims to have evidence that NSO Group launched some of its WhatsApp hacks last year from cloud infrastructure hosted in the U.S.: Court documents filed by Facebook in April detailing alleged specific U.S. IP addresses used by NSO Group, hosted by California-based QuadraNet as well as Amazon.
#cloud security #facebook #hacks #web security #security team portal #security
