Meta has identified and interrupted six spyware networks linked to eight companies in Italy, Spain, and the United Arab Emirates, as well as three fake news operations from China, Myanmar, and Ukraine.
The report outlines how fake news operations - particularly those originating in Russia - have taken a hit in recent years, while commercial surveillance is thriving, using fake social media accounts to collect intel about targets and lure them into downloading powerful cross-platform spying tools.

Eight Spyware Firms on Meta Platforms

There are a few key characteristics of today's spyware ecosystem that Meta observed in its report.
Firstly, these pseudo-legal vendors are typically concealed by layered corporate ownership structures.
There's Cy4Gate, for example - an Italian spy-for-hire company owned by a defense contractor called ELT Group.
Cy4Gate has been observed scraping information about targets via fake social media accounts with AI-generated profile photos.
Previously, it operated a WhatsApp phishing site, which goaded victims to download a Trojanized version of the app for iOS, capable of collecting photos, emails, SMS, screenshots, and much more.
Besides being owned by ELT Group, Cy4Gate itself owns another firm called RCS Labs.
RCS likes to impersonate activists, journalists, and young women in Azerbaijan, Kazakhstan, and Mongolia - the same demographics they typically target - in order to trick victims into sharing their contact information, or clicking on lure documents or malicious links which track their IP addresses and profile their devices.
Because the industry is flourishing, spyware customers who are also attackers often use more than one tool as part of their attack chain.
Meta observed one customer of IPS Intelligence - another Italian firm which used fake accounts to target victims on three continents, across most major social media platforms - engaging in social engineering activities, tracing victims' IP addresses, and priming Android devices for further tampering, all independent of IPS.

The last, perhaps most obvious, trend observed by Meta is surveillance companies' tendency to use social platforms as a testbed for their exploits.
Spanish firms Variston IT and Mollitiam Industries, the Italian Negg Group and TrueL IT, and the misleadingly named, UAE-based Protect Electronic Systems all used social media accounts to test the delivery of their spyware.
Negg, for example, experimented by using some of its accounts to perform data exfiltration and transmit its cross-platform spyware against its other accounts.
Negg typically deploys its tooling against targets in Italy and Malaysia.
Of the three fake news operations Meta disrupted, the first was from China and targeted US audiences by posing as anti-war activists and members of American military families.
This threat actor targeted users across Meta platforms, Medium, and YouTube, but it was snuffed out before gaining significant traction.
Another coordinated inauthentic behavior (CIB) network, this one from Myanmar, targeted local Myanmar citizens by posing as members of ethnic minorities on Meta platforms and beyond, including Telegram, X, and YouTube.
This activity, after some investigation, was tied back to individuals in Myanmar's military.
Finally, Meta removed a cluster operating in Ukraine, targeting individuals in Ukraine and Kazakhstan.
Reputable opinion-makers represent an attractive target and should exercise caution before amplifying information from unverified sources, particularly ahead of major elections.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 20 Feb 2024 21:50:30 +0000