Had its staff clicked the link sent to them over WhatsApp, human rights group Amnesty International would have fallen victim to spyware from an Israeli company.
Last Wednesday, Amnesty International claimed to have received a message containing spyware from NSO Group, an Israeli company specializing in digital surveillance. The spyware campaign appears to be targeting activists in Saudi Arabia and spreading malicious messages through WhatsApp, a popular chat app in the Middle East.
NSO has been selling controversial technologies to governments all over the world, and this spyware, called Pegasus, is just one of its many surveillance tools.
So how did the attack happen? An Amnesty International staff member reported that it occurred last June, when they received a WhatsApp message saying that the sender’s brother was detained in Saudi Arabia. The sender included a link to a fake news site in Arabic to support the statement. This was, in fact, a malicious link that contained the spyware.
As if one target were not enough, another Amnesty International activist based overseas also received WhatsApp messages containing similar links. To make the messages more convincing, the senders copied text verbatim from an Amnesty International press release, hoping to lure the activist into clicking the link.
Amnesty International decided to investigate the matter and tried to trace who sent the WhatsApp messages with malicious links. Upon investigation, they discovered that the servers behind the domains shared traits with the web traffic technology from NSO. They discovered that there were “more than 600 servers that demonstrated similar behavior,” which means that hundreds of domains are imitating reliable news websites to fool people into clicking them.
The human rights group sent its findings to Citizen Lab, a research group at the University of Toronto that has been studying state-sponsored surveillance. Citizen Lab confirmed that these were indeed from NSO. This isn’t the first time that Citizen Lab has discovered spyware from NSO, as it has also published research on iPhone-based spyware linked to NSO’s internet infrastructure.
No sample of the spyware was collected, probably because the group responsible for the attack made sure that security researchers couldn’t sniff out the spyware.
If the people at Amnesty International hadn’t been careful, they would have accidentally installed the Pegasus spyware on their mobile phones. As scary as it sounds, spyware can log the messages you send and receive, take photos from your camera roll or with your camera, record voice calls, and track your location, all without you knowing.
Attempts to reach NSO for comment on this issue have been unsuccessful, but the company sent a message to Amnesty International that neither denied nor confirmed the claim, telling the group that it will investigate the matter.
“Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company,” the Israeli company said.