Infamous Israeli surveillance firm NSO Group created a web domain that looked as if it belonged to Facebook’s security team to entice targets to click on links that would install the company’s powerful cell phone hacking technology, according to data analyzed by Motherboard.
It is not uncommon for hackers working for governments to impersonate Facebook, perhaps with a phishing page that displays a Facebook login screen but which secretly steals a target’s password. But NSO’s approach complicates its ongoing conflict with the tech giant. NSO is currently embroiled in a lawsuit with Facebook, which is suing the surveillance firm for leveraging a vulnerability in WhatsApp to let NSO clients remotely hack phones. Motherboard has also found more evidence that NSO used infrastructure based in the United States; a server used by NSO’s system to deliver malware was owned by Amazon.
A former NSO employee provided Motherboard with the IP address of a server setup to infect phones with NSO’s Pegasus hacking tool. Motherboard granted the source anonymity to protect them from retaliation from the company. Pegasus can target modern iPhone and Android devices, and once installed on a device it can steal text and social media messages, track the GPS location of the phone, and remotely turn on the camera and microphone. NSO sells Pegasus in either 0- or 1-click versions, with the former needing no interaction from the target, and the latter requiring the target to click a link.
The IP address provided to Motherboard related to a 1-click installation of Pegasus, the former employee said. Motherboard reviewed multiple databases of so-called passive DNS records from cybersecurity services DomainTools and RiskIQ, which show what web domain an IP address related to at different points in time. Throughout 2015 and 2016, the IP address resolved to 10 domains. Some of these seem to have been designed to appear innocuous, such as a link a person could click on to unsubscribe themselves from emails or text messages. Others impersonated Facebook’s security team and package tracking links from FedEx.
In late 2016, a company called MarkMonitor acquired the Facebook impersonating domain, according to online WHOIS records. MarkMonitor is a brand protection firm that works to obtain domains that may relate to fraud. Two months later, Facebook itself took control of the domain, the WHOIS records showed.
Some of the domains unearthed by Motherboard bear a resemblance, but are not identical to those previously published by researchers at the University of Toronto’s Citizen Lab.
John Scott-Railton, a senior researcher from Citizen Lab, told Motherboard that the information provided by the former employee does appear to be NSO infrastructure.
Facebook told Motherboard it gained ownership of the domain to stop others from misusing it.
NSO is most well known for selling its Pegasus technology to authoritarian regimes like Saudi Arabia, which used the tool to target associates of murdered Washington Post journalist Jamal Khashoggi. NSO says it only sells Pegasus to law enforcement and intelligence agencies. Motherboard recently revealed NSO tried to sell its hacking technology to local U.S. police, and that an NSO employee abused access to an installation of the Pegasus tool in the United Arab Emirates to target a love interest.
Although several NSO clients have clearly abused the Pegasus system by targeting human rights dissidents, journalists, and political opponents, some of the infection domains discovered by Motherboard may have been used in legitimate law enforcement or anti-terror investigations. With that in mind, Motherboard is not publishing the full list of domains.
But the domains still show NSO has been willing to impersonate Facebook and use U.S.-based infrastructure to launch its malware.
Facebook recently took legal action against domain registrars. In March, Christen Dubois, Facebook’s director and associate general counsel of IP litigation, announced in a blog post the company had filed a lawsuit against Namecheap and its proxy service Whoisguard, for registering over 45 domains that impersonated Facebook and its services. (Some of the domains linked to the NSO IP address were registered with Namecheap at some point, including the one impersonating Facebook before MarkMonitor took control of it).
In April, Facebook filed court documents that contained specific U.S. IP addresses used by NSO’s systems to hack phones via a vulnerability in WhatsApp in 2019. One of those IP addresses was hosted by California-based QuadraNet; the second belonged to Amazon.
Facebook is leaning into NSO’s connections to the U.S. as part of the lawsuit, arguing that they grant the ability to hold NSO accountable under U.S. laws, specifically the Computer Fraud and Abuse Act. The server uncovered by Motherboard is physically located in Virginia, according to online records.
“Revisiting and recycling the conjecture of NSO’s detractors, such as CitizenLab, doesn’t change the overall truth of our position, which we have stated to the U.S. Federal Court in California,” an NSO spokesperson told Motherboard in an emailed statement. “Our factual assertions have been provided as part of the official court record, and we do not have anything else to add at this time.”
Amazon did not respond to a request for comment asking if NSO has violated Amazon’s terms of service by using its web servers to launch malware.