Facebook Bans 7 ‘SURVEILLANCE FOR HIRE’ Entities For Snooping On 50,000 Users

Meta, Facebook’s and Instagram’s parent company, announced the prohibition of seven “surveillance-for-hire” businesses that targeted almost 50,000 people in over 100 countries.

According to the company, these “cyber mercenaries” snooped on journalists, dissidents, critics of authoritarian regimes, opposition families, and human rights activists without discrimination, despite claiming that their services only targeted criminals and terrorists.

These entities, which are part of the global surveillance-for-hire industry, offer intrusive software and snooping services to any customer, targeting people all over the internet to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts, according to Meta’s report, which was the result of a months-long investigation.

“We’re enforcing against 7 entities we identified as routinely employing phony accounts to target people across our platform and the wider internet, as well as delivering malware and taking other efforts to spy on their targets,” said Nathaniel Gleicher, Facebook’s head of security policy.

The first step in this cyber-spying process, according to Facebook’s parent company, was “reconnaissance,” in which cyber mercenaries secretly profiled users on behalf of their clients—a stage that is usually the least visible to targets.

The mercenaries used software to automate data collection from across the internet in this step, “pulling critical information from all available online records such as blogs, social media, knowledge management platforms like Wikipedia and Wikidata, news media, forums, and ‘dark web’ sites,” according to the report.

In the second step, which was aimed at establishing contact with the targets (or people close to them), the entities attempted to build trust, solicit information, and trick targets into clicking on malicious links or files.

Finally, the cyber mercenaries exploited their victims by tricking them into disclosing their credentials to sensitive accounts such as email, social media, and financial services by convincing them to click on malicious links that compromised their devices.

While public debate and action have primarily focused on the exploitation phase, Meta stated on Thursday that it was critical to disrupt the attack’s entire lifecycle because earlier stages enable later ones.

“We frequently can’t tell who these firms’ clients are—this secrecy appears to be a service they provide. That is why, regardless of the firm behind it or who hired them, we consistently enforce against this deceptive, violating behavior,” Mr Gleicher added.

“Protecting people from cyber mercenaries operating across multiple platforms and national borders necessitates a collaborative effort from platforms, policymakers, and civil society to counter the underlying market and its incentive structure,” Meta explained.

Meta sued Israel-based NSO Group earlier this year after its Pegasus software was discovered to be involved in the potential surveillance of thousands of people, including activists, journalists, dissidents, and their families, including the fiancée of slain Saudi journalist Jamal Khashoggi.

Microsoft, Alphabet, and Cisco Systems have also taken legal action or criticized NSO Group.

In the new report, Meta has called for international oversight to establish transparency and “know your customer” standards for the global surveillance-for-hire market and to hold its participants accountable to the new standards.

It also emphasized the importance of industry collaboration in order to fully understand and mitigate threats posed by surveillance efforts, as well as domestic and global efforts to increase the accountability of these service providers through appropriate legislation, export controls, and regulatory actions.
