NSO Group Impersonated Facebook to Help Clients Hack Targets - 2020-05-20
Infamous Israeli surveillance firm NSO Group created a web domain that looked as if it belonged to Facebook's security team to entice targets to click on links that would install the company's powerful cell phone hacking technology, according to data analyzed by Motherboard.
It is not uncommon for hackers working for governments to impersonate Facebook, perhaps with a phishing page that displays a Facebook login screen but which secretly steals a target's password. But NSO's approach complicates its ongoing conflict with the tech giant. NSO is currently embroiled in a lawsuit with Facebook, which is suing the surveillance firm for leveraging a vulnerability in WhatsApp to let NSO clients remotely hack phones. Motherboard has also found more evidence that NSO used infrastructure based in the United States; a server used by NSO's system to deliver malware was owned by Amazon.
A former NSO employee provided Motherboard with the IP address of a server set up to infect phones with NSO's Pegasus hacking tool. Motherboard granted the source anonymity to protect them from retaliation from the company. Pegasus can target modern iPhone and Android devices, and once installed on a device it can steal text and social media messages, track the GPS location of the phone, and remotely turn on the camera and microphone. NSO sells Pegasus in either 0- or 1-click versions, with the former needing no interaction from the target, and the latter requiring the target to click a link.