Facebook is notifying nearly 50,000 users in more than 100 countries that they may have been targets of hacking attempts by surveillance companies working for government agencies or private clients, the company said. The notification is the result of a months-long investigation by Meta, Facebook’s parent company, into what Meta officials called “cyber-mercenaries” who engage in “surveillance for hire”, the Washington Post reports. As a result, Facebook said it was taking enforcement actions against seven surveillance companies based in four countries, removing about 1,500 fake accounts, blocking malicious web addresses, and sending cease-and-desist letters to the companies. Meta’s investigators concluded that these companies used Meta’s Facebook and Instagram subsidiaries for surveillance activities, mainly to research and groom targets for later infections by spyware. Each step was part of a broader targeting process the researchers called the “surveillance chain.” The investigation’s final report, titled “Threat Report on the Surveillance-for-Hire Industry,” took aim at long-standing industry claims that the spying software is used only against terrorists and serious criminals such as drug kingpins and pedophiles. Meta’s investigation found that surveillance companies “regularly” target politicians, human rights workers, journalists, dissidents, and family members of opposition figures, with few legal controls or other forms of accountability. These findings echo those of the Pegasus Project, a global investigation of Israel-based surveillance company NSO Group by The Washington Post and 16 other news organizations, led by Paris-based journalism nonprofit Forbidden Stories. But Meta officials said that while they previously have taken enforcement actions against NSO and sued the company in 2019 for allegedly delivering spyware to users through WhatsApp, the problems posed by private surveillance companies are broader. Among the companies that Meta sanctioned was a little-known surveillance firm, Cytrox, based in North Macedonia. The Meta report, which said it had removed 300 Facebook and Instagram accounts the company used to engage and deceive targets, lists 10 countries where Cytrox has customers, including Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Ivory Coast, Vietnam, the Philippines, and Germany.
https://www.washingtonpost.com/technology/2021/12/16/facebook-spying-surveillance-notification/