Spyware developer posed as Facebook to help its customers
Israeli spyware developer NSO Group ran a web domain disguised as a Facebook security team site to trick users into clicking on malicious links and installing cell phone hacking software.
A former NSO Group employee provided Motherboard with the IP address of a server that was used to infect phones with Pegasus malware. Once on an infected device, Pegasus is able to collect credentials for access to the cloud services Google Drive, Facebook Messenger and iCloud. The spyware can carry out all of these operations without “initiating two-factor authentication or displaying an unauthorized access notification”.
According to the publication, this IP address was associated with 10 domains during 2015 and 2016. Some of them were designed to seem harmless to the user: for example, they were disguised as resources that supposedly allow you to unsubscribe from email or text message mailings. Other domains impersonated Facebook’s security team site and FedEx package tracking resources.
At the end of 2016, MarkMonitor, a search engine for malicious domains, acquired the site disguised as Facebook and, two months later, transferred control of it to Facebook so that attackers could not abuse it.