Meta disrupts 8 spyware companies and 3 fake news networks

Meta identified and disrupted six spyware networks linked to eight companies in Italy, Spain and the United Arab Emirates, as well as three fake news operations from China, Myanmar and Ukraine.

The social media company’s “Q4 2023 Adversarial Threat Report” follows closely in the wake of the Pall Mall initiative, signed together with dozens of major global organizations and governments, with the aim of curbing the rapidly growing commercial spyware industry.

It outlines how fake news operations – particularly those originating in Russia – have taken a hit in recent years, but commercial surveillance is thriving, using fake social media accounts to gather information on targets and trick them into downloading powerful cross-platform spy tools.

“The use of malware and phishing, which specifically targets mobile devices, is increasing dramatically year over year and will continue to increase,” says Kern Smith, vice president of the Americas at Zimperium, which recently released its mobile threat report. “Attackers are indiscriminately targeting both consumer and enterprise data and applications. Organizations should examine what measures they are using to protect employee devices and the apps they develop and deploy for their customers, and how they can actively identify and defend against these types of malware and phishing attacks.”

Eight spyware companies on Meta platforms

Meta noted in its report some key characteristics of the current spyware ecosystem.

First, these pseudo-legal sellers are usually hidden by layered corporate ownership structures.

There’s Cy4Gate, for example, an Italian spyware company owned by a defense contractor called ELT Group. Cy4Gate has been observed collecting target information via fake social media accounts with AI-generated profile photos. Previously, it ran a WhatsApp phishing site, which tricked victims into downloading a Trojanized version of the iOS app that could harvest photos, emails, SMS, screenshots and more.

In addition to being owned by the ELT Group, Cy4Gate itself owns another company called RCS Labs. RCS likes to impersonate activists, journalists, and young women in Azerbaijan, Kazakhstan, and Mongolia (the same demographics it typically targets) to trick victims into sharing their contact information or clicking on lure documents or malicious links that track their IP addresses and profile their devices.

As the industry flourishes, spyware customers, who are also the attackers, often use more than one tool as part of their attack chain.

For example, Meta observed a client of IPS Intelligence – another Italian company that used fake accounts to target victims on three continents, on most major social media platforms – engaging in social engineering activities, tracking victims’ IP addresses and preparing Android devices for further tampering, all independent of IPS.

The last, perhaps most obvious, trend observed by Meta is the tendency for surveillance companies to use social platforms as testing grounds for their exploits.

Spanish companies Variston IT and Mollitiam Industries, Italy’s Negg Group and TrueL IT (a subsidiary of Variston IT), and the misleadingly named United Arab Emirates-based Protect Electronic Systems all used social media accounts to test the spread of their spyware.

Negg, for example, experimented with using some of its accounts to perform data exfiltration and deliver its cross-platform (iOS, Android, and Windows) spyware against its other accounts. Negg typically employs its tools against targets in Italy and Malaysia.

To defend against these types of companies (threat actors), Smith mentions how “NIST strongly recommends that organizations adopt mobile threat defense (MTD) and mobile app control as part of their mobile security strategy to identify and defend against malware, phishing, permission abuse and the overall mobile threat landscape, regardless of operating system.”

Three fake news networks taken down

Even more than “surveillanceware” operations, of course, fake news networks – more formally referred to as “coordinated inauthentic behavior” (CIB) – proliferate on Meta-owned platforms. Meta recently eliminated three of these networks.

The first came from China and targeted the US public by posing as anti-war activists and members of American military families. This threat actor targeted users of the Meta, Medium, and YouTube platforms, but was shut down before gaining significant popularity.

Another CIB network, from Myanmar, targeted local Myanmar citizens by posing as members of ethnic minorities on Meta platforms and beyond, including Telegram, X (formerly Twitter), and YouTube. This activity, after some investigation, was linked to members of the Myanmar military.

Finally, Meta removed a cluster operating in Ukraine, which targeted individuals in Ukraine and Kazakhstan.

That none of the three originated in Russia, the world’s leading CIB puppeteer, is no coincidence. According to Graphika’s results, posts by state-controlled Russian media have fallen by 55% compared to pre-war levels and engagement has plummeted by 94%.

“For covert influence operations, since 2022, we have seen fewer attempts to build complex deceptive personas in favor of poorly disguised and short-lived fake accounts in an attempt to spam the internet, hoping something will ‘stick,’” the company wrote in its report.

However, as a caveat to the good news, the report also issued a warning: “[H]istorically, the main way CIB networks reach authentic communities is when they manage to co-opt real people – politicians, journalists or influencers – and tap into their audiences. Reputable commentators represent an attractive target and should exercise caution before amplifying information from unverified sources, particularly ahead of important elections.”


