While furiously trying to put out one fire — fake news — the social media giant is dealing with another growing threat: spies for hire.

5 Min Read
Hand holding a cellphone with Facebook on it, in front of Meta logo in background
Source: Rokas Tenys via Alamy Stock Photo

Meta has identified and interrupted six spyware networks linked to eight companies in Italy, Spain, and the United Arab Emirates, as well as three fake news operations from China, Myanmar, and Ukraine.

The social media company's "Q4 2023 Adversarial Threat Report" follows closely on the heels of the Pall Mall initiative, which it signed alongside dozens of major organizations and world governments, with the aim of curbing the fast-growing commercial spyware industry.

It outlines how fake news operations — particularly those originating in Russia — have taken a hit in recent years, but commercial surveillance is thriving, using fake social media accounts to collect intel about targets and lure them into downloading powerful cross-platform spying tools.

"The use of malware and phishing, specifically targeting mobile devices, is rising dramatically year-over-year and will only continue to increase," says Kern Smith, vice president of the Americas at Zimperium, which recently released its own mobile threat report. "Attackers are targeting both consumer, and corporate data and applications indiscriminately. Organizations should look at what measures they are using to protect employee devices, and the apps they develop and deploy for their customers, and how they can actively identify and defend against these types of malware and phishing attacks."

Eight Spyware Firms on Meta Platforms

There are a few key characteristics of today's spyware ecosystem that Meta observed in its report.

Firstly, these pseudo-legal vendors are typically concealed by layered corporate ownership structures.

There's Cy4Gate, for example — an Italian spy-for-hire company owned by a defense contractor called ELT Group. Cy4Gate has been observed scraping information about targets via fake social media accounts with AI-generated profile photos. Previously, it operated a WhatsApp phishing site, which goaded victims to download a Trojanized version of the app for iOS, capable of collecting photos, emails, SMS, screenshots, and much more.

Besides being owned by ELT Group, Cy4Gate itself owns another firm called RCS Labs. RCS likes to impersonate activists, journalists, and young women in Azerbaijan, Kazakhstan, and Mongolia — the same demographics they typically target — in order to trick victims into sharing their contact information, or clicking on lure documents or malicious links which track their IP addresses and profile their devices.

Because the industry is flourishing, spyware customers who are also attackers often use more than one tool as part of their attack chain.

For example, Meta observed one customer of IPS Intelligence — another Italian firm which used fake accounts to target victims in three continents, across most major social media platforms — engaging in social engineering activities, tracing victims' IP addresses, and priming Android devices for further tampering, all independent of IPS.

The last, perhaps most obvious trend observed by Meta is surveillance companies' tendency to use social platforms as a testbed for their exploits.

Spanish firms Variston IT and Mollitiam Industries, the Italian Negg Group and TrueL IT (a subsidiary of Variston IT), and the misleadingly named, UAE-based Protect Electronic Systems all used social media accounts to test the delivery of their spyware.

Negg, for example, experimented by using some of its accounts to perform data exfiltration and transmit its cross-platform (iOS, Android, and Windows) spyware against its other accounts. Negg typically deploys its tooling against targets in Italy and Malaysia.

To defend against these kinds of companies (threat actors), Smith mentions how "NIST is highly recommending that organizations adopt mobile threat defense (MTD) and mobile app vetting as part of their mobile security strategy to identify and defend against malware, phishing, permissions abuse and the overall threat landscape of mobile devices irrespective of the operating system."

Three Fake News Network Takedowns

Even more so than "surveillanceware" operations, of course, fake-news networks — more formally referred to as "coordinated inauthentic behavior" (CIB) — proliferate on Meta-owned platforms. Recently, Meta has taken down three such networks.

The first was from China and targeted US audiences by posing as anti-war activists and members of American military families. This threat actor targeted users across Meta platforms, Medium, and YouTube, but it was snuffed out before gaining significant traction.

Another CIB from Myanmar targeted local Myanmar citizens by posing as members of ethnic minorities on Meta platforms and beyond, including Telegram, X (formerly Twitter), and YouTube. This activity, after some investigation, was tied back to individuals in Myanmar's military.

Finally, Meta removed a cluster operating in Ukraine, targeting individuals in Ukraine and Kazakhstan.

That none of the three originated in Russia, the world's premier CIB puppeteer, is no accident. According to findings from Graphika, posting by Russian state-controlled media has declined 55% from pre-war levels, and engagement has plummeted 94%.

"For covert influence operations, since 2022, we've seen fewer attempts to build complex deceptive personas in favor of thinly-disguised, short-lived fake accounts in an effort to spam the Internet, hoping something will 'stick,'" the company wrote in its report.

However, as a caveat to the good news, the report also issued a warning: "[H]istorically, the main way that CIB networks get through to authentic communities is when they manage to co-opt real people — politicians, journalists or influencers — and tap into their audiences. Reputable opinion-makers represent an attractive target and should exercise caution before amplifying information from unverified sources, particularly ahead of major elections."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights