An investigation by a journalist team has uncovered an attack plot against users by bad actors mimicking a Facebook login page. Specifically, the method is being employed by NSO Group, an Israeli band of hackers who are best known as the creators of the Pegasus mobile spyware.
Like other phishing expeditions, the scam is focused on fooling unwitting users into interacting with a link filled with malware. In this case, NSO Group has created a page that looks like a legitimate internal page from Facebook's security team portal.
It is worth noting Facebook has been targeting NSO and attempting to bring the group before U.S. courts. The company says the hacking team has leveraged U.S. systems to spy.
Facebook is suing NSO Group over a zero-day exploit the group perpetrated on Facebook's WhatsApp service a year ago. The Pegasus spyware was installed on the service to attack users. Facebook says the hackers accessed vulnerable WhatsApp servers and infected around 1,400 smartphones.
Pegasus has been repurposed several times, and it seems the tool is behind the recently discovered campaign. It can be installed on an array of devices, including most iOS and Android smartphones.
It is worth noting NSO Group has continued to plead innocence and claims it has no part in nefarious spying. Instead, the company insists it provides legitimate tools for governments to use.
“Revisiting and recycling the conjecture of NSO's detractors, such as CitizenLab, doesn't change the overall truth of our position, which we have stated to the U.S. Federal Court in California,” an NSO spokesperson told Motherboard. “Our factual assertions have been provided as part of the official court record, and we do not have anything else to add at this time.”