The announcement comes directly from Meta's blog: almost 50,000 Facebook users were targeted by surveillance-for-hire companies. In the last few days, the affected accounts received a notice from the social network asking them to turn on two-factor authentication (if not already active) and confirm their details in order to unlock the account. The lock, applied by Facebook itself, was meant to protect users who had been targeted in recent months.
What is surveillance-for-hire?
Surveillance-for-hire is a genuine business sector made up of companies that offer services and software to spy on users and their accounts. They are a sort of private investigator with no qualms about who is requesting the service: these companies work both with governments and with independent private groups. Nor do they worry about infringing the rights of the people they target; their only purpose is to deliver the service, whatever it is used for.
This type of surveillance, as Meta's blog post explains, is divided into three phases: reconnaissance, engagement and exploitation. It is a real attack chain, often carried out by different companies: some handle only one of the three phases, specializing in it.
The phases of surveillance
During the reconnaissance phase, the "mercenaries" profile the target by collecting all the information they can about them, often in an automated way. Social networks, blogs, articles, and even platforms such as Wikipedia are scraped by software that harvests user data. Using fake accounts, the companies gather everything they can about the victim, starting with "likes", event participation, friends and the groups they belong to.
The second phase, engagement, aims to establish a connection with the target or with people close to them, in order to gain their trust. The goal is to prepare the ground for the exploitation phase: once a "bond" with the victim exists, it becomes much easier to send them emails or messages containing links or files to download that carry a malicious payload. The engagement phase relies on social engineering to lead the user into a misstep: handing over valuable information or downloading malware.
The exploitation phase depends heavily on the success of the previous one. If the attacker manages to get the user to download a malicious file or to give up their credentials, they can establish a foothold on the victim's devices or accounts, definitively compromising their security. Once they control one or more of the user's devices or accounts, attackers can learn about, and manipulate, every aspect of the victim's life.
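The engagement and exploitation phases described above hinge on the victim trusting a link or an attachment. As an added example, not code from Meta's report or from any of the companies it names, the script below triages a direct message for the warning signs a practitioner would check before clicking: a brand name placed before `@` so the real host is different, IP-literal or punycode hosts, link shorteners that hide the destination, lookalike domains, and attachments with a double extension. The brand list, shortener list, risky extensions and the sample message are this example's own assumptions, not Meta's detection logic.

```python
"""Added example: triage links and attachment names in a direct message
for the disguises used in the engagement/exploitation phases.
All heuristics, lists and sample data below are assumptions for illustration."""
import re
from urllib.parse import urlparse

# Assumed brands an attacker might impersonate: a host that mentions the
# brand but is not under its real domain is treated as a lookalike.
PROTECTED_DOMAINS = {"facebook": "facebook.com", "instagram": "instagram.com"}
# Assumed, non-exhaustive list of link shorteners (they hide the destination).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Executable/script extensions often hidden behind a document-looking name.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "msi", "hta", "lnk"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def link_findings(url):
    """Return the reasons a URL looks disguised or lookalike (empty list = none)."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["unparseable host"]
    if IPV4_RE.fullmatch(host):
        findings.append("IP literal instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host (possible homoglyph lookalike)")
    if host in SHORTENERS:
        findings.append("link shortener hides the real destination")
    if parsed.username is not None:
        # e.g. https://facebook.com@evil.example/ : the brand is userinfo, not the host
        findings.append("userinfo before '@' (brand name is not the host)")
    for brand, real in PROTECTED_DOMAINS.items():
        if brand in host and host != real and not host.endswith("." + real):
            findings.append(f"lookalike of {real}")
    return findings


def attachment_findings(filename):
    """Return the reasons a file name looks like a disguised payload (empty = none)."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) >= 2 and parts[-1] in RISKY_EXTENSIONS:
        findings.append(f"executable extension .{parts[-1]}")
        if len(parts) >= 3:
            findings.append(f"double extension hides .{parts[-1]} behind .{parts[-2]}")
    return findings


def triage_message(text, attachments=()):
    """Map every flagged link or attachment in a message to its findings."""
    report = {}
    for url in URL_RE.findall(text):
        reasons = link_findings(url)
        if reasons:
            report[url] = reasons
    for name in attachments:
        reasons = attachment_findings(name)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    # Constructed sample message in the style of the engagement phase; not real data.
    msg = ("Hi! Saw your post about the conference, here are the photos: "
           "https://facebook.com@fb-photos-share.example/album "
           "and the agenda https://bit.ly/3xyzABC")
    for item, reasons in triage_message(msg, ["agenda.pdf.exe"]).items():
        print(item, "->", "; ".join(reasons))
```

A clean link to `www.facebook.com` produces no findings; the value of the check is that it looks at the parsed host, not at the brand name the attacker put in front of it.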
Meta: thousands of Facebook users under surveillance
VIPs, journalists, politicians and activists, but also "ordinary" people: the victims of this espionage were many and varied. Meta explained that it had investigated these operations for several months, identifying seven entities around the world that actively offered such services. These providers are based mostly in China, Israel, India and North Macedonia.
Facebook has warned the affected users of this invasion of their privacy, informing them that they had potentially been under surveillance. By collecting data on specific accounts, the companies were preparing to launch social engineering attacks against thousands of victims; according to Facebook, some of these attacks may already have been carried out in the recent period.
Zuckerberg's company has already banned the attackers' accounts from its social networks; meanwhile, it asked the targeted users to turn on two-factor authentication. Even those who had already enabled it received the security warning, which serves to verify that the account is actually protected.
Beyond that, Facebook recommends paying attention to friend requests and messages, and accepting only people we are sure we know. The usual rule still applies: do not click suspicious links or download files whose origin is unknown. It is also good practice to limit the public information on your social profiles, hiding, where possible, your friends list, your activity and your personal data.