Israeli security company NSO Group impersonated Facebook as part of a ploy to get users to install its phone-hacking software, a new report alleges.
An investigation from news site Motherboard claims a Facebook security lookalike domain was set up to spread NSO’s Pegasus hacking tool.
It also claimed to have found evidence that servers inside the United States were used to spread the spying tool.
NSO denies the allegations, labelling them “recycled conjecture”.
The Pegasus spyware, once installed, can read text messages and other data on the phone, track its location with GPS, and access the microphone and camera.
The Israeli firm is already locked in a legal battle with Facebook, which alleges it deliberately spread its software over WhatsApp, compromising hundreds of phones – including those of journalists and human rights activists. It is also, separately, accused of supplying software to the Saudi government which was allegedly used to spy on journalist Jamal Khashoggi before he was killed.
Facebook’s complaint alleged NSO operated the spyware itself. But NSO has asked the court in California to dismiss the case, in part because it says it never uses its spyware – only sovereign governments do.
Motherboard’s latest investigation revolves around a former NSO employee who, it is claimed, provided it with details of a server allegedly designed to distribute the spyware by tricking people into clicking links.
The server investigated was connected to several different web addresses over a number of years – including one that impersonated Facebook’s security team, the Motherboard report claims.
Facebook told the BBC it had gained ownership of the domain in question four years ago, to stop it being misused.
Other domains used over time included “a link a person could click on to unsubscribe themselves from emails or text messages… and package tracking links from FedEx,” Motherboard reports.
But NSO fiercely denies that it has ever used its products itself.
“We are incredibly proud of our technology’s role in tackling crime and terrorism, but NSO does not operate any of its products,” a spokesman said in a statement. “As we have repeatedly made clear, NSO products are offered to and operated solely by verified and authorised government agencies.”
Motherboard also alleged that one of the servers used to launch the malware was located within the United States – something that NSO says is not possible. Facebook has previously made similar allegations in the WhatsApp legal case.
“We stand by our previous statements that NSO Group products cannot be used to conduct cyber-surveillance within the United States, and no customer has ever been granted technology that enables targeting phones with US numbers,” a spokesman said.
Prof Alan Woodward from the University of Surrey said the possibility of US-based servers being used to deploy the spyware raised “more questions than answers”.
“They appear to have some sort of infrastructure in the US,” Prof Woodward said. “The question is whether the US government is aware of it.”
A Facebook spokesperson said: “NSO Group is responsible for cyber-attacks against human rights activists, journalists, and diplomats, in violation of US law.
“We are committed to protecting the security of our community and are seeking to hold them accountable in court.”
NSO said its official stance remained that which it had put forward in the legal case with Facebook.
“Revisiting and recycling the conjecture of NSO’s detractors… doesn’t change the overall truth of our position, which we have stated to the US Federal Court in California,” it said.
“Factual assertions on all the above have been provided as part of the official court record, and we do not have anything else to add at this time.”