Facebook warning: These 8 companies are spying on Android and iPhone users via Google, YouTube, Instagram and other platforms


Meta Platforms has reported taking action against eight companies from Italy, Spain, and the U.A.E. that are involved in the surveillance-for-hire sector. This information is part of their Adversarial Threat Report for Q4 2023. According to a report in Hacker News, the spyware these companies used targeted iPhones, Android and Windows devices.
The malware they used had the ability to gather and access information from devices, including location, photos, media, contacts, calendar, email, SMS, social media, and messaging apps. It could also enable functionality for microphones, cameras, and screenshots.
The companies involved are:
* Cy4Gate/ELT Group
* RCS Labs
* IPS Intelligence
* Variston IT
* TrueL IT
* Protect Electronic Systems
* Negg Group
* Mollitiam Industries
Targeted users on Facebook, Instagram, YouTube, Google, Skype and other platforms
According to Meta, these companies also participated in scraping, social engineering, and phishing activities that targeted a variety of platforms including Facebook, Instagram, X (previously Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch, and Telegram.

Specifically, a network of fake personas connected to RCS Labs, owned by Cy4Gate, reportedly deceived users into giving their phone numbers and email addresses, as well as clicking on fraudulent links for reconnaissance purposes.
Another group of Facebook and Instagram accounts, now removed and associated with the Italian spyware vendor Variston IT, was used for exploit development and testing, including the sharing of malicious links. Recent reports suggest that this company is ceasing its operations.
Meta also identified accounts used by Negg Group for testing their spyware delivery, and by Mollitiam Industries, a Spanish firm offering a data collection service and spyware targeting Windows, macOS, and Android, for public information scraping.
Technique used by hackers
The exact method used is still unclear, but a Swedish telecom security firm suspects it involves the use of MM1_notification.REQ, a unique type of SMS message known as a binary SMS. This message notifies the recipient device of an MMS waiting to be retrieved from the Multimedia Messaging Service Center (MMSC).
The MMS is then retrieved using MM1_retrieve.REQ and MM1_retrieve.RES, with the former being an HTTP GET request to the URL address contained in the MM1_notification.REQ message.
This approach is notable because it embeds user device information such as User-Agent (different from a web browser User-Agent string) and x-wap-profile in the GET request, serving as a kind of fingerprint.
“The (MMS) User-Agent is a string that typically identifies the OS and device,” Enea said. “x-wap-profile points to a UAProf (User Agent Profile) file that describes the capabilities of a mobile handset.”
A threat actor intending to deploy spyware could use this information to exploit specific vulnerabilities, tailor their malicious payloads to the target device, or even craft more effective phishing campaigns. However, there is no evidence that this security vulnerability has been exploited in the wild recently.
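An added example (not from the original article or from Enea): a minimal check a mobile operator could run over requests seen at its MMS proxy, flagging MM1_retrieve.REQ-style GETs that carry User-Agent or x-wap-profile to a host outside the operator's own MMSC. The allowlisted hostname, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hostnames of the operator's own MMSC (placeholder value).
ALLOWED_MMSC_HOSTS = {"mmsc.operator.example"}
FINGERPRINT_HEADERS = ("user-agent", "x-wap-profile")

def parse_request(raw):
    """Split a raw HTTP request head into (method, target, lowercase headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def retrieval_host(target, headers):
    """Host the handset asked for: absolute-form target first, else Host header."""
    netloc = target if "://" in target else "//" + headers.get("host", "")
    return (urlsplit(netloc).hostname or "").rstrip(".")

def check_retrieval(raw):
    """Return a finding for a GET that carries fingerprint headers to a
    host outside the MMSC allowlist; return None otherwise."""
    method, target, headers = parse_request(raw)
    if method.upper() != "GET":
        return None
    host = retrieval_host(target, headers)
    leaked = {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}
    if host in ALLOWED_MMSC_HOSTS or not leaked:
        return None
    return {"host": host, "leaked": leaked}

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "GET http://mmsc.operator.example/retrieve?id=1 HTTP/1.1\r\n"
    "User-Agent: ExamplePhone-X1 MMS/1.0\r\n"
    "x-wap-profile: http://uaprof.vendor.example/x1.xml\r\n\r\n",
    "GET /m/1 HTTP/1.1\r\nHost: Files.Unknown.Example.:8080\r\n"
    "User-Agent: ExamplePhone-X1 MMS/1.0\r\n"
    "X-Wap-Profile: http://uaprof.vendor.example/x1.xml\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_retrieval(raw))
```

The first sample goes to the allowlisted MMSC and yields no finding; the second is reported with both leaked header values, which is the fingerprint the article describes.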

Article From: timesofindia.indiatimes.com