NSO Group, an Israeli technology company known for its controversial Pegasus spyware, which enables remote surveillance of smartphones, created a web domain disguised as a Facebook's security team website to trick users into installing its hacking tools, according to a report from Motherboard.
Motherboard said it has also found further evidence that NSO Group used infrastructure located in the U.S., namely an Amazon-owned server in Virginia that NSO's system used to deliver malware.
Pegasus has been pitched by its developer as a so-called “lawful intercept” tool for governments that can be installed on devices running some versions of Apple iOS, as well as on devices running the Android operating system. The malware is able to read text messages, track calls, collect passwords, trace the phone's location, and gather data from apps such as iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype.
According to the report, “a former NSO employee provided Motherboard with the IP address of a server set up to infect phones with NSO's Pegasus hacking tool.” The source said that this IP address is related to a 1-click installation of Pegasus.
The analysis of multiple passive DNS databases from the cybersecurity services DomainTools and RiskIQ showed that throughout 2015 and 2016 the IP address resolved to 10 domains, some of which were seemingly benign services offering users the option to unsubscribe from emails or text messages, while others were disguised as Facebook's security team or as FedEx package tracking links.
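The passive DNS pivot described above (take one IP address, list every domain that resolved to it during a time window, then look for brand impersonation among those domains) is a routine step in infrastructure investigations. The following is an added example of that workflow, not code from Motherboard, DomainTools or RiskIQ; the records, IP addresses (from the documentation ranges) and domain names are constructed placeholders, and the `BRAND_TOKENS` list is a hypothetical starting set an analyst would extend per case.

```python
"""Passive-DNS pivot: list domains behind one IP for a time window, flag brand lookalikes.

Added example with constructed data; nothing here is the report's real infrastructure.
"""
from datetime import date

# Constructed sample passive DNS records: (domain, ip, first_seen, last_seen).
# Placeholder values only, chosen to mirror the mix of "benign-looking" and
# brand-impersonating domains the report describes.
PASSIVE_DNS = [
    ("email-unsubscribe-now.example", "203.0.113.10", "2015-03-01", "2016-08-30"),
    ("fb-security-team.example",      "203.0.113.10", "2015-06-12", "2016-11-02"),
    ("fedex-package-track.example",   "203.0.113.10", "2016-01-05", "2016-10-15"),
    ("sms-optout.example",            "203.0.113.10", "2015-09-20", "2016-04-01"),
    ("old-blog.example",              "203.0.113.10", "2013-02-02", "2014-06-06"),
    ("unrelated-shop.example",        "198.51.100.7", "2015-01-01", "2016-12-31"),
]

# Hypothetical brand tokens to search for inside domain names; extend per case.
BRAND_TOKENS = {
    "facebook": ("facebook", "fb-"),
    "fedex": ("fedex",),
}


def _d(iso):
    """Parse an ISO date string (YYYY-MM-DD) into a date."""
    return date.fromisoformat(iso)


def domains_for_ip(records, ip, window_start, window_end):
    """Return the sorted set of domains that resolved to `ip` at any time overlapping the window."""
    start, end = _d(window_start), _d(window_end)
    hits = set()
    for domain, rec_ip, first_seen, last_seen in records:
        if rec_ip != ip:
            continue
        # Interval overlap: observation [first_seen, last_seen] intersects [start, end].
        if _d(first_seen) <= end and _d(last_seen) >= start:
            hits.add(domain)
    return sorted(hits)


def flag_lookalikes(domains, brand_tokens=BRAND_TOKENS):
    """Map each domain to the brand it appears to impersonate, if any token matches."""
    flagged = {}
    for domain in domains:
        label = domain.lower()
        for brand, tokens in brand_tokens.items():
            if any(tok in label for tok in tokens):
                flagged[domain] = brand
                break
    return flagged


def pivot_report(records, ip, window_start, window_end):
    """Combine the IP pivot and the brand check into one summary dict."""
    domains = domains_for_ip(records, ip, window_start, window_end)
    return {"ip": ip, "domains": domains, "lookalikes": flag_lookalikes(domains)}


if __name__ == "__main__":
    report = pivot_report(PASSIVE_DNS, "203.0.113.10", "2015-01-01", "2016-12-31")
    print(f"Domains seen on {report['ip']} in window:")
    for domain in report["domains"]:
        brand = report["lookalikes"].get(domain)
        print(f"  {domain:32} {'impersonates ' + brand if brand else ''}")
```

The window filter matters: a domain that resolved to the same IP years earlier (here `old-blog.example`) is dropped, which avoids attributing unrelated prior tenants of a shared or reassigned IP to the campaign under investigation. The token match is deliberately simple; real lookalike detection would also normalise punycode and handle typosquats.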
According to WHOIS records, the Facebook-impersonating domain was acquired by a company called MarkMonitor in late 2016, and shortly afterwards the domain came under Facebook's control. As Facebook explained, it took ownership of the domain to stop others from misusing it.