21 May 2020

Spyware maker NSO Group set up fake Facebook website to trick victims into installing Pegasus malware

NSO Group, an Israeli technology company known for its controversial Pegasus spyware, which enables remote surveillance of smartphones, created a web domain disguised as a Facebook security team website to trick users into installing its hacking tools, according to a report from Motherboard.

Motherboard said it also found more evidence that NSO Group used infrastructure located in the U.S., namely an Amazon-owned server located in Virginia that NSO's system used to deliver malware.

Pegasus has been pitched by its developer as a so-called “lawful intercept” tool for governments that can be installed on devices running some versions of Apple iOS, as well as on devices running the Android operating system. The malware is able to read text messages, track calls, collect passwords, trace the phone's location, and gather data from apps such as iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype.

According to the report, “a former NSO employee provided Motherboard with the IP address of a server setup to infect phones with NSO's Pegasus hacking tool.” The source said that this IP address is related to a 1-click installation of Pegasus.

Analysis of multiple passive DNS databases from the cybersecurity services DomainTools and RiskIQ showed that throughout 2015 and 2016 the IP address resolved to 10 domains. Some of these were seemingly benign services offering users a way to unsubscribe from emails or text messages, while others were disguised as Facebook's security team or as FedEx package tracking links.

According to WHOIS records, the Facebook-impersonating domain was acquired by a company called MarkMonitor in late 2016, and shortly afterwards the domain came under Facebook's control. As Facebook explained, it took ownership of the domain to stop others from misusing it.
