Controversial Israeli surveillance firm NSO Group has been accused of creating a web domain designed to look like it belonged to Facebook's security team. Victims are tricked into clicking on links that would install a phone-hacking system.
According to Vice's Motherboard, a former NSO worker has revealed the IP address of a server setup to infect phones with the security firm's hacking tool called Pegasus. (Motherboard refused to reveal the identity of the NSO employee)
Pegasus can be installed in Android and iPhone devices, which can steal social media messages and texts, remotely turn on one's microphone and camera, and track the GPS location of the user.
Hackers have been known to target Facebook through the years, often impersonating the social media network and creating phishing pages to emulate its login page and get a hold of the victim's password. But this recent move by NSO has complicated its ongoing conflict with the social media giant all the more.
The Israeli company is currently embroiled in a lawsuit with Facebook, which is being sued for exploiting the vulnerability in WhatsApp to allow NSO clients to hack phones remotely. Motherboard also reported that NSO used infrastructure based in the United States; a server used by NSO's system to deliver malware was owned by Amazon.
Pegasus is being sold in either 0- or 1-click versions. 0-click installation doesn't need any interaction from the target, while 1-click requires the target to click a link. The IP address given to the publication was the 1-click version of Pegasus, according to the leaker.
Motherboard investigated multiple databases from cybersecurity services RiskIQ and DomainTools, which show what web domain an IP address related to at different points in time. It was found that the IP address resolved to 10 domains throughout 2015 and 2016.
Some of the domains appear harmless at all, often in the form of a link that will allow a user to unsubscribe to a particular service. Others, meanwhile, copied package tracking links from FedEx and Facebook's security team.
But NSO fiercely denies that it has ever used its products itself.
"We stand by our previous statements that NSO Group products cannot be used to conduct cyber-surveillance within the United States, and no customer has ever been granted technology that enables targeting phones with US numbers," a spokesman said.
Facebook told the BBC it had gained ownership of the domain in question four years ago, to stop it being misused.