Facebook’s parent company, Meta, released a Threat Report on Thursday stating that it has blocked seven surveillance-for-hire entities running more than 1,500 fake accounts on both Facebook and Instagram. The so-called cyber-mercenaries, thought to operate on a global scale, were abusing the social media accounts to scrape personal information, monitor persons of interest and deploy spyware for various clients, including nation-state actors.
“While cyber mercenaries often claim that their services and surveillance-ware are intended to focus on criminals and terrorists, our investigation found they in fact regularly targeted journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists around the world,” David Agranovich, Director, Threat Disruption and Mike Dvilyanski, Head of Cyber Espionage Investigations, have said.
According to the report, the seven surveillance firms, based in China, Israel, India and North Macedonia, targeted approximately 50,000 people in over 100 countries, and offered a variety of services spanning from collecting intelligence, to engaging with targets for the sake of gaining trust, and compromising targets’ other online accounts and devices. For example, the unnamed Chinese entity deployed malware along with facial recognition software, while the North Macedonian company offered Pegasus-style spyware capabilities. However, Meta has stated that it has notified all known targets, it has blocked infrastructure associated with the companies and issued them cease and desist warnings.
While recently the NSO Group, the entity behind Pegasus, has made headlines after it was sued by Apple, and it startled US lawmakers, Meta officials think this is just the tip of the iceberg and there’s a wider surveillance-for-hire issue to be addressed: “Protecting people against this threat requires a collective effort from platforms, policymakers, and civil society to counter the underlying market and its incentive structure (…) a public discussion about the use of surveillance-for-hire technology is urgently needed to deter the abuse of these capabilities.”
As the core activity of cyber surveillance companies is based on social engineering techniques, one way to protect yourself is to keep an eye out for scams:
- Be wary of strangers contacting you via e-mail or text messages. Some propositions may be very tempting, like job offers or business opportunities, but if something seems too good to be true, it probably is.
- Don’t click on suspicious links and don’t download untrusted attachments
- Don’t give your personal information to persons you have just met online
- Watch out for messages that appear to come from legitimate sources such as delivery companies, retailers and national authorities, as hackers often use them to deliver malware or to steal credentials.
- Use strong unique passwords on all your accounts and enable multi-factor authentication