Let’s Talk About Spyware and Pegasus Sextortion Scams

Before we dive into the sextortion scam that has been in the spotlight since September, let’s cover what spyware is and what its symptoms look like. Spyware is malicious software that infiltrates a user’s device without consent and secretly collects information. There are various types of spyware, including adware, keyloggers, Trojan horses, rootkits and more. It is more than likely that you, as an internet user, have been infected with spyware at some point without realizing it. Symptoms that indicate a spyware infection on a computer include noticeable system slowdowns; links, and even the browser’s home button, landing on unexpected sites; new unwanted toolbars appearing in the browser; ads popping up even when the user is offline; and some programs refusing to open. It may also cause keyboard malfunctions where keys such as the Tab key fail to respond, random error messages, and browser settings being reset to unwanted pages even after they have been changed. Other spyware infections lead to strange phone bills because the computer dials unknown numbers.

Pegasus Spyware and Scams:

The spyware Pegasus, built by the Israeli cyber intelligence firm NSO Group, was initially designed as a sophisticated surveillance tool to help governments keep track of criminals and terrorists. Since then, though, its capabilities have been used in several malicious cases, where cybercriminals use it to track journalists, activists, and political dissidents across the world. First discovered in 2016, Pegasus can infect devices through so-called zero-click exploits, meaning users don’t have to interact with anything for it to be installed. Once a device is successfully exploited, it gives access to a wide range of private data, messaging services, location information, and even the device’s cameras and microphones. The misuse of this malware has caused widespread controversy in many parts of the world, raising serious concerns about privacy and human rights abuses following its use by authoritarian regimes. In March 2024, a US federal judge ruled that NSO Group must share its source code with WhatsApp, following a 2019 lawsuit filed against the Israeli firm alleging that the spyware maker unlawfully accessed 1,400 mobile devices over a two-week period by distributing malware through WhatsApp’s servers based in the United States.

Recently, Pegasus spyware has been making headlines through its association with sextortion scams, which have added a new element: a photo of the victim’s home. This alarming tactic understandably causes panic for the recipient; however, it is important to know that these threats are baseless. This phishing scam starts off with a claim that the recipient’s device is infected with spyware, and the threat often includes a photo of the victim’s house as an intimidation tactic. These pictures are typically pulled from Google Maps. There are variations in the wording of these scams as well; one popular version is known as the ‘Hello Pervert’ scam, which has been around for some time. It is called that because the threat actor opens the message with the words “Hello pervert” to grab the recipient’s attention. The message then demands a ransom, threatening to release compromising videos or photos of the victim (which do not actually exist).

In many cases, the email will claim that the sender recorded you via your webcam while you were engaging in embarrassing or inappropriate behavior. Despite the intimidating language, these sextortion scams are a hoax, and rest assured that Pegasus spyware has not actually been hiding on your device, although a security scan never hurts. You can read more about Pegasus spyware and the scam here.
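As an added example (not code from the original post), here is a small heuristic scorer that a mail administrator could run over message bodies to triage the sextortion template described above: the “Hello pervert” opener, the spyware-infection claim, the webcam-recording claim, the ransom demand, the home photo, and a payment deadline. The indicator weights, the threshold and the two sample emails are constructed assumptions, not figures from the post.

```python
import re

# Indicators drawn from the scam template described in the post. Every pattern
# in a tuple must match for that indicator's weight to count. The weights and
# the threshold are assumed starting values, not figures from the post.
INDICATORS = {
    "hello_pervert_opener": ((r"^\s*hello\s+pervert",), 3),
    "spyware_claim": ((r"\b(pegasus|spyware|malware|trojan)\b",
                       r"\b(install|infect|hack)"), 2),
    "webcam_claim": ((r"\b(webcam|camera)\b", r"\b(record|video|footage)"), 2),
    "ransom_demand": ((r"\b(bitcoin|btc|wallet)\b|\$\s?\d{3,}",), 2),
    "home_photo": ((r"\b(photo|picture|image)\b",
                    r"\b(house|home|street|address)\b"), 2),
    "deadline": ((r"\b\d+\s*(hours?|days?)\b",), 1),
}
THRESHOLD = 5  # assumed; tune against your own mail corpus before acting on it

_FLAGS = re.IGNORECASE | re.MULTILINE
_COMPILED = {
    name: ([re.compile(p, _FLAGS) for p in patterns], weight)
    for name, (patterns, weight) in INDICATORS.items()
}


def score_email(body):
    """Return (score, [matched indicator names]) for one message body."""
    score, hits = 0, []
    for name, (patterns, weight) in _COMPILED.items():
        if all(p.search(body) for p in patterns):
            score += weight
            hits.append(name)
    return score, hits


def is_sextortion(body):
    """True when enough independent lures are present to treat the body as a scam."""
    return score_email(body)[0] >= THRESHOLD


# Constructed sample messages (not real emails).
SCAM_EMAIL = """Hello pervert,
I have installed Pegasus spyware on your device a few months ago.
I recorded you through your webcam while you visited certain sites.
Attached is a picture of your house so you know I am serious.
Send $2000 in bitcoin to my wallet within 48 hours or the video goes to your contacts.
"""

LEGIT_EMAIL = """Hi all, quick notes for the week.
A US judge ruled that NSO Group must share Pegasus source code with WhatsApp.
Friday's phishing training covers how malware infects a device.
The lobby camera will be offline for 2 days.
"""

if __name__ == "__main__":
    for label, body in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        score, hits = score_email(body)
        print(f"{label}: score={score} sextortion={is_sextortion(body)} hits={hits}")
```

Scoring several independent lures rather than any single keyword keeps a message that merely mentions Pegasus (a news digest or a security newsletter) below the threshold, as the second sample shows; the weights should be tuned against real mail before the rule is used to quarantine anything.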

Predator Spyware & Zero-Days:

Another notable spyware is Predator. This software was marketed by the cybersecurity firm Intellexa. Founded by former Israeli officer Tal Dilian, Intellexa markets itself as a provider of cyber solutions and is most notable for creating the commercial Predator spyware. Predator primarily targets mobile platforms (iOS and Android) and gains access to devices using advanced techniques. Unlike ordinary malware, it can enter your phone or desktop through something as simple as an email or a text message. Predator installs itself on targeted phones using both one-click and zero-click methods; the zero-click vectors bypass user interaction entirely, leveraging system flaws to establish full control. Once it has gained access, it quietly monitors the device behind the scenes, tracking GPS location, looking through photos, listening through the microphone, or even using the camera, all without your knowledge. It exploits vulnerabilities in browsers and uses compromised network connections to infiltrate devices silently.

Last year, Predator was used in concerning attacks against the European Union (EU), journalists, politicians, and victims in the United States and Asia. Between February and June 2023, the social media platforms X (formerly Twitter) and Facebook were used to publicly target at least 50 accounts, including 27 individuals and 23 institutions. In 2022, threat actors leveraged zero-day vulnerabilities in Android to deploy Predator. These exploits targeted key vulnerabilities in components of the Android OS and the Chrome browser, enabling attackers to bypass security mechanisms on fully updated devices. The attackers, allegedly backed by state actors, deployed Predator through network injection and malicious links, often delivered via SMS or compromised websites. This allowed Predator to silently install itself on many devices, access sensitive data, take control of device functions such as audio recording, and even add security certificates to extend the attacks. In early 2024, the United States sanctioned Intellexa, placing scrutiny and pressure on the developers and distributors to put more controls on how their products are used. You can read more about Predator spyware here.

mSpy Spyware Data Breach:

mSpy is a mobile surveillance app marketed for tracking employees and children. Launched in 2010, it is one of the longest-running phone spyware applications, and it is owned by a Ukraine-based company called Brainstack. Mobile monitoring apps like this are also known as stalkerware because they give jealous partners the ability to access their victims’ phones remotely. The person installing mSpy needs physical access to the phone; once installed, it allows the phone’s contents to be viewed remotely in real time. Whatever the marketing intention, most such spyware is used to monitor people without their consent. Around mid-2024, mSpy suffered a data breach that exposed millions of customer support tickets dating back to 2014. The stolen data showed that the customer support system was Zendesk-powered and that mSpy and its operators are well aware that customers use the software to monitor people without their knowledge. Despite mSpy’s popularity, it had mostly stayed out of the public eye until now.

Apple iOS Spyware LightSpy:

First discovered in 2020, LightSpy is another sophisticated mobile surveillance tool. It can compromise both Android and iOS devices; however, since iOS malware is rare, it is most often recognized as iOS spyware. Researchers believe the developers of LightSpy are threat actors based in China, and the spyware primarily targeted users in Hong Kong. The framework infiltrates a device through “watering hole” attacks, in which users are tricked into visiting an infected or compromised website that delivers malicious code to their devices, often by exploiting known vulnerabilities. Once the user is compromised, LightSpy installs a modular implant with a plugin-based architecture. The attack chain leverages security flaws in Apple iOS and macOS, including a WebKit exploit (CVE-2020-3837), to drop a Mach-O binary disguised with a “.PNG” extension. This binary retrieves additional payloads from a remote server. A component called FrameworkLoader downloads LightSpy’s Core module and its plugins, which have increased from 12 to 28 in the latest version (7.9.0). Once activated, the Core verifies internet connectivity via Baidu.com and processes commands from FrameworkLoader, using the working directory path /var/containers/Bundle/AppleAppLit/ to create subfolders for logs, databases, and exfiltrated data.

The spyware’s modular architecture enables it to capture extensive personal information, including screenshots, location data, browser history, contact lists, call logs, and SMS messages; exfiltrate data from messaging apps like WeChat, Telegram, and WhatsApp; access iCloud Keychain; record audio; take camera shots; and, most alarmingly, perform destructive actions such as deleting media files, wiping browser history, removing contact information, and potentially preventing a device from booting.
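The attack chain above leaves two artifacts a responder can look for on a full-filesystem acquisition: a Mach-O executable stored under a .PNG name, and files under the reported working directory /var/containers/Bundle/AppleAppLit/. The following scanner is an added example, not code from the original post or from the researchers who analyzed LightSpy; it takes a {path: leading bytes} mapping (built from an extracted filesystem tree, or constructed as in the sample below) and flags both artifacts. The Mach-O and PNG magic numbers are the public format constants; the sample entries are constructed.

```python
import os

# Public format constants: the first four bytes of a Mach-O or universal
# (fat) binary, and the eight-byte PNG file signature.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Working directory reported for the LightSpy Core module (taken from the post).
LIGHTSPY_WORKDIR = "/var/containers/Bundle/AppleAppLit/"


def is_macho(header):
    """True if the leading bytes carry a Mach-O or fat-binary magic number."""
    return bytes(header[:4]) in MACHO_MAGICS


def is_png(header):
    """True if the leading bytes are the PNG file signature."""
    return bytes(header[:8]) == PNG_SIGNATURE


def scan(files):
    """files: {path: leading bytes}. Returns [(path, reason), ...] in input order."""
    findings = []
    for path, header in files.items():
        if path.startswith(LIGHTSPY_WORKDIR):
            findings.append((path, "inside reported LightSpy working directory"))
        # Extension/content mismatch: a .png name that does not start with a PNG header.
        if path.lower().endswith(".png") and not is_png(header):
            if is_macho(header):
                findings.append((path, "Mach-O binary disguised with .PNG extension"))
            else:
                findings.append((path, ".png extension but no PNG signature"))
    return findings


def read_headers(root, n=8):
    """Build the {path: leading bytes} mapping from an extracted filesystem tree.

    Keys are made device-relative ("/var/...") so the working-directory check
    works regardless of where the acquisition was unpacked.
    """
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    out["/" + os.path.relpath(full, root)] = fh.read(n)
            except OSError:
                continue  # unreadable entries (sockets, permissions) are skipped
    return out


# Constructed sample acquisition: paths and their first bytes (not real data).
SAMPLE_FILES = {
    "/private/var/mobile/Media/DCIM/100APPLE/IMG_0001.PNG": PNG_SIGNATURE + b"\x00\x00\x00\rIHDR",
    "/private/var/tmp/banner.PNG": b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01",  # MH_MAGIC_64 + CPU_TYPE_ARM64
    "/var/containers/Bundle/AppleAppLit/logs/2024.log": b"plain text",
    "/private/var/tmp/notes.txt": b"hello",
}

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_FILES):
        print(f"{reason}: {path}")
```

The extension/content mismatch check is generic and will also surface other payloads hidden under image names, which is why the scanner reports a non-PNG .png file even when it is not Mach-O. Note that 0xCAFEBABE is shared with Java class files, so a fat-binary match is a prompt for a closer look rather than a verdict on its own.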

The Takeaway:

Living in a world of digital communication, spyware such as Pegasus, Predator, mSpy and LightSpy serves as a reminder of the vulnerabilities our devices inherently possess. While their origins and capabilities are diverse, all of these tools have in common the threat of eroding privacy and security. Whether it is used by nation-states to surveil, by cybercriminals to make money, or by individuals for malicious reasons, spyware raises the need for vigilance.

The risk is present for computers and mobile devices alike. To protect against such threats, users should remember to regularly update their software, avoid opening links or applications from unreliable sources, and use enhanced security measures such as endpoint protection and encrypted communications. It also demands responsibility from organizations and governments, through investment in cybersecurity research and stricter regulations that limit the malicious use of such technologies. Spyware, however, is not solely a technology problem. It is a social predicament that needs a collective societal response. Here, awareness and being proactive are key to protecting oneself from these invisible online threats.
