Meta Platforms Inc said Thursday that its platforms had been used by seven surveillance-for-hire companies based out of China, Israel, India and North Macedonia to spy on or track as many as 50,000 people in 100 countries. The internal investigation — which started earlier this year — zeroed in on seven different entities from these four countries, which includes BellTrox, a hacker for hire based out of India.
While Meta did not provide details of how many people were targeted from which country, most were journalists, dissidents, critics of authoritarian regimes, families of opposition members, human rights activists, lawyers, doctors, and even clergy, it said.
It said, “BellTroX operated fake accounts to impersonate a politician and pose as journalists and environmental activists in an attempt to social-engineer its targets to solicit information including their email addresses, likely for phishing attacks at a later stage. Its activity on our platform was limited and sporadic between 2013 to 2019, after which it paused.”
Meta added it had disabled accounts related to these companies and served them with a cease and desist notice, while also sharing details of the internal findings with security researchers, other platforms and policymakers.
Nathaniel Gleicher, head of security policy at Meta said, “It is a shadow industry of companies that operate around the world and provide, who ever will hire them, tools and techniques, to target surreptitiously, innocent people so that they can spy on, surveil, understand who their friends are, what they might be doing with their time. This industry is broader than anyone can imagine.”
The internal report details that these seven companies targeted people in one of three ways: reconnaissance, engagement, and exploitation. In the first step, the targets were silently profiled by these “cyber mercenaries” by often using software to collect data publicly available on the internet.
“They typically scrape and store data from public websites such as blogs, social media, knowledge management platforms like Wikipedia and Wikidata, news media, forums and dark web sites,” the report said.
The next step in the surveillance chain is engagement, aimed at establishing contact with either the target or people close to them so as to build trust, which is then exploited in the third phase.
“The sophistication in tooling varies significantly across this industry, ranging from off-the-shelf malware easily detected by most anti-virus software to single-click or even zero-click exploit links sent to the targets.”