Facebook Blocks Seven Malware Purveyors, Deletes Hundreds Of Accounts, Notifies 50,000 Potential Hacking Targets

from the move-fast-and-break-oppressors dept

Thanks to the ongoing onslaught of negative press involving malware merchants like Israel's NSO Group, tech companies whose devices and platforms have been used to deploy exploits targeting journalists, activists, and religious leaders are punching back. You're a human rights abuser with high-dollar spyware at your disposal? Too bad. Ask for a refund, I guess.

Apple sued NSO Group for targeting iPhone users a few weeks ago. It also began notifying users who were targeted by NSO spyware, potentially nullifying further surveillance efforts by unfriendly nation-states.

But before Apple got in on the anti-NSO action, Facebook sued the company for using WhatsApp to deploy malware. Both lawsuits contain some troubling implications for the CFAA -- something that could pose future problems for researchers who scrape data and security researchers who search for security flaws. The unintended consequences of this litigation have yet to be seen, but it's enough to justify holding your applause until the lawsuits have run their course.

Denying state actors the fruits of their purchased spyware labor is now the name of the game, something that benefits everyone. Facebook (now Meta) has just thrown a decently-sized tech wrench into the malware works of an unknown number of entities.

Facebook has disrupted the operations of seven different spyware-making companies, blocking their Internet infrastructure, sending cease and desist letters, and banning them from its platform.

"As a result of our months-long investigation, we took action against seven different surveillance-for-hire entities to disrupt their ability to use their digital infrastructure to abuse social media platforms and enable surveillance of people across the internet," said Director of Threat Disruption David Agranovich and Head of Cyber Espionage Investigations Mike Dvilyanski.

"These surveillance providers are based in China, Israel, India, and North Macedonia. They targeted people in over 100 countries around the world on behalf of their clients."

Seven companies. 100 countries. 1,500 Facebook and Instagram accounts. 50,000 potential targets notified. That's going to hurt paying customers of companies like NSO Group and its competition, most of which have yet to obtain the international infamy NSO has.

The full report [PDF] from Meta lists the companies ejected in this surveillance-for-hire purge. And there's a common strain running through the list, one that's going to cause even more problems for a government already dealing with blowback for running interference for a company selling spy tools to a long list of human rights violators.

We removed about 200 accounts which were operated by Cobwebs [Technologies] and its customers worldwide. This firm was founded in Israel with offices in the United States and sells access to its platform that enables reconnaissance across the internet, including Facebook, Instagram, WhatsApp, Twitter, Flickr, public websites and “dark web” sites.

[...]

We removed about 100 accounts on Facebook and Instagram which were linked to Cognyte (formerly known as WebintPro) and its customers. This firm is based in Israel and sells access to its platform which enables managing fake accounts across social media platforms including Facebook, Instagram, Twitter, YouTube, and VKontakte (VK), and other websites to social-engineer people and collect data.

[...]

We removed about 300 Facebook and Instagram accounts linked to Black Cube, an Israeli-based firm with offices in the UK, Israel and Spain. It provides surveillance services that include social engineering and intelligence gathering.

[...]

We removed about 100 Facebook accounts linked to Bluehawk, a firm based in Israel with offices in the UK and the US. We collaborated on this investigation with The Daily Beast who had identified a subset of this activity leading us to uncover the full cluster and who’s behind it earlier this year.

[...]

We removed about 400 Facebook accounts, the vast majority of which were inactive for years, linked to BellTroX and used for reconnaissance, social engineering and to send malicious links. BellTroX is based in India and sells what’s known as “hacking for hire” services…

[...]

We removed about 300 accounts on Facebook and Instagram linked to Cytrox. This North Macedonian company develops exploits and sells surveillance tools and malware that enable its clients to compromise iOS and Android devices…

[...]

We removed about 100 Facebook and Instagram accounts linked to an unidentified entity in China responsible for developing surveillanceware for Android, iOS, Windows, and also Linux, Mac OS X, and Solaris operating systems. It also engaged in reconnaissance and social engineering activity before delivering malicious payload to its targets.

Four of the seven entities identified and blocked call Israel home. Cytrox also has links to Israel as both Citizen Lab and the Times of Israel have reported. Cytrox is now part of a spyware conglomerate that has been criminally charged for human rights violations.

Israel has a malware problem. And the government can't claim it was unaware of these companies and their selling of tools to authoritarians and human rights violators. The government was actively involved in brokering some of these deals.

The customers for these products, however, are far more varied. Cobwebs products were observed "frequently targeting" activists and opposition parties in Hong Kong and Mexico. But its customer base includes entities in Bangladesh, New Zealand, Poland, Saudi Arabia, and… the United States.

The list compiled by Meta shows malware firms are more than happy to sell to governments that like targeting critics and opponents, rather than criminals and terrorists. Serbia, Morocco, Mexico, China, Qatar, Saudi Arabia, Egypt, Oman, the Philippines, and Myanmar make this list.

But it's not just the blocking. It's the notification. And there's plenty of that.

We also alerted around 50,000 people who we believe were targeted by these malicious activities worldwide, using the alert system we launched in 2015. We recently updated it to provide people with more granular details about the types of targeting and the actor behind it so they can take steps to protect their accounts, depending on the phase of the surveillance attack chain we detect in each case.

That's a lot of disrupted surveillance efforts. State actors are paying good money for these exploits and now they're facing more resistance than ever from the private sector being used to transport malware to targets. That's a lot of money and a lot of surveillance being undone. Governments buying exploits won't be happy but so what. There's no reason to assume that just because it's a government agency doing the targeting there's any legitimacy to the hacking efforts. This is the way it should be -- platforms and device makers protecting customers and users against hacking attempts, no matter the origin of the attacks. The world needs more of this because authoritarians and human rights abusers deserve to have their oppressive efforts thwarted.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hacking, malware, surveillance
Companies: facebook


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 21 Dec 2021 @ 10:12am

    Yet another example of section 230 letting Facebook get away with censorship!
    /s

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 21 Dec 2021 @ 11:05am

    I'm very disappointed not to have received a notice that NSOs clients were spying on me. I stick it to the man too!

    link to this | view in thread ]

  3. icon
    That One Guy (profile), 21 Dec 2021 @ 4:04pm

    What a pleasant day

    Nothing like knowing a terrible person/company's week was just ruined to make yours better.

    link to this | view in thread ]

  4. icon
    That Anonymous Coward (profile), 21 Dec 2021 @ 7:49pm

    Re: What a pleasant day

    I'm confused which side I am supposed to root for.

    link to this | view in thread ]

  5. icon
    That One Guy (profile), 22 Dec 2021 @ 3:17am

    Re: Re: What a pleasant day

    Facebook seems to be ruining the day/week/month of a bunch of terrible companies without engaging in any notable terrible behavior of their own so at the moment at least they would seem to be acting on the side of good. Give 'em a day or so though and I'm sure they'll faceplant and give people another reason to rake them over the coals.

    link to this | view in thread ]

  6. identicon
    Random Troll, 22 Dec 2021 @ 10:30am

    Facebook

    'Bout time FB did something at least minimal.
    Be glad to see when they get more active.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.