Meta Warns 50,000 Users Targeted By Surveillance Firms

Meta has warned 50,000 Facebook users that they may have been spied on by surveillance-for-hire firms.

The social networking giant issued the chilling warning in a blog post on Thursday, by David Agranovich, director of threat disruption, and Mike Dvilyanski, head of cyber espionage investigations at Meta.

Meta said the global surveillance-for-hire industry targets people of interest, in order to collect intelligence, manipulate and compromise their devices and accounts across the internet.

Surveillance specialists

“While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists,” blogged Meta.

It pointed to the Pegasus spyware scandal, which has seen NSO this week saying it is considering selling or closing down its Pegasus division.

NSO is currently being sued by Meta, after WhatsApp in 2019 alleged NSO was behind the cyberattack that infected devices with ‘advanced surveillance hacks.’

In its blog, Meta said that NSO is only one piece of a much broader global cyber mercenary industry.

“The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts,” said the blog. “These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable.”

Three stages

Meta said that it had observed three phases of targeting activity by these commercial players that make up their “surveillance chain”: Reconnaissance, Engagement and Exploitation.

1. Reconnaissance: This stage is typically the least visible to the targets, who are silently profiled by cyber mercenaries on behalf of their clients, often using software to automate data collection from across the internet. These providers pull information from all available online records such as blogs, social media, knowledge management platforms like Wikipedia and Wikidata, news media, forums and “dark web” sites.
2. Engagement: This phase is typically the most visible to its targets and critical to spot to prevent compromise. It is aimed at establishing contact with the targets or people close to them in an effort to build trust, solicit information and trick them into clicking on malicious links or files.
3. Exploitation: The final stage manifests as what’s commonly known as “hacking for hire.” Providers may create phishing domains designed to trick people into giving away their credentials to sensitive accounts like email, social media, financial services, and corporate networks or click on malicious links to compromise people’s devices.

Journalists, activists targetted

“Although public debate has mainly focused on the exploitation phase, it’s critical to disrupt the entire lifecycle of the attack because the earlier stages enable the later ones,” wrote Meta. “As a result of our months-long investigation, we took action against seven different surveillance-for-hire entities.”

“They provided services across all three phases of the surveillance chain to indiscriminately target people in over 100 countries on behalf of their clients,” wrote Meta. “These providers are based in China, Israel, India, and North Macedonia.”

Action was taken against Cobwebs Technologies, Cognyte, Black Cube, Blue Hawk CI, BellTroX, Cytrox and an unknown Chinese entity.

Four of them are located in Israel, one is in India, one is in North Macedonia, and the other is in China.

Meta said the “surveillance-for-hire” entities we removed violated multiple Community Standards and Terms of Service.

The companies targeted people including journalists and human rights activists in over 100 countries on behalf of their clients, Meta said, adding that they created fake accounts, befriended targets and used hacking methods to acquire information.

“Given the severity of their violations, we have banned them from our services,” said Meta. “To help disrupt these activities, we blocked related internet infrastructure and issued Cease and Desist letters, putting them on notice that their targeting of people has no place on our platform. We also shared our findings with security researchers, other platforms, and policymakers so they can take appropriate action.”

Meta said it has alerted around 50,000 people who it believes were targeted by these malicious activities worldwide, using the system it launched in 2015.