Meta Platforms, formerly Facebook Inc, said it has banned seven hack-for-hire groups that were using its social media networks for social engineering, spying on people and sending malicious links. The surveillance groups were based in China, Israel, India, and North Macedonia and have targeted over 50,000 people in over 100 countries over 5 years, Meta said in a report.
Meta said that it has alerted the users who it believes were under the surveillance of these groups and has also shared its findings with security researchers, policymakers and other social media companies.
Researchers at Meta believe that these groups would try to revive their operations on their social networks again with new obfuscation tactics. “The entities behind these surveillance operations are persistent, and we expect them to evolve their tactics,” they warned.
Social engineering is a tactic widely used by threat actors to acquire personal information about targets, which is then used to carry out phishing attacks and infect devices with malware. According to a recent report by SlashNext Threat Labs, social engineering attacks increased by 270% in 2021.
According to Meta, these groups and their malicious activities were detected by an alert system that was recently updated to offer more granular details such as the nature of targeting and the entity behind it.
The seven groups banned by Meta include Cobwebs Technologies, Cognyte, Black Cube, BellTroX, Cytrox, Bluehawk CI and an unknown entity in China.
Meta removed around 400 Facebook accounts linked to BellTroX and 300 Facebook and Instagram accounts linked to Black Cube and Cytrox each.
BellTroX is a New Delhi-based IT company that allegedly offers hacking as a service. According to Meta, BellTroX was using its social media platforms for reconnaissance, social engineering and to send malicious links.
In 2020, Toronto-based Citizen Lab uncovered a global hack-for-hire operation that targeted hundreds and thousands of individuals, including journalists, activists, lawyers, government officials and corporate heads. Citizen Lab found that the group behind the operation, called Dark Basin, was linked to BellTroX, Mint reported.
During its investigation, Meta found that BellTroX was using fake accounts to impersonate politicians, journalists and environmental activists in order to carry out social engineering and get targets to share personal information for use in later phishing attacks. The group was caught using some of these fake accounts to target lawyers, doctors, activists and clergymen in Australia, Angola, Saudi Arabia and Iceland.
Like BellTroX, Israel-based Black Cube was using fake accounts for social engineering and for stealing email details. Its operators posed as graduate students, NGO staff and human rights workers to target NGOs in Africa, Eastern Europe and South America, activists in Palestine, and university students in Russia. They also targeted people in the mining, medical and energy industries.
The third large entity, Cytrox, a North Macedonian company that sells surveillance tools and malware for compromising iOS and Android devices, was caught spoofing legitimate news outlets and mimicking social media services.
“Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites,” researchers at Meta said.
Meta believes Cytrox was offering its services to another threat actor, known as Sphinx, that was targeting people in Egypt and neighbouring countries. For its investigation into Cytrox, Meta collaborated with Citizen Lab.
Several governments and companies have started to clamp down on spyware providers and hacker-for-hire groups. For instance, last month the US government hit Pegasus supplier NSO Group with an export ban that restricts it from acquiring hardware and software from any US company without approval.
Apple has also filed a lawsuit against NSO Group and its parent company OSY Technologies and has appealed for a permanent injunction to stop them from using Apple devices, apps and services. Pegasus was used by unknown actors to target several iPhone users.