Meta Accuses NSO Group of WhatsApp Spear Phishing, Seeks Contempt After Court Injunction

Meta accused NSO Group of violating a permanent injunction by continuing to target WhatsApp communications with spear phishing and social engineering attempts, and said it had applied to court for NSO to be held in contempt.

“Meta today accused spyware maker NSO Group of violating a court order that barred it from targeting users of WhatsApp”

Ars Technica

WhatsApp said it caught and disrupted the latest NSO-linked campaign after investigating user reports, and Meta said the incidents involved attempts to trick people into clicking on malicious links that drove them to external websites outside of WhatsApp.

Ars Technica

Meta also said it caught NSO creating test accounts and groups on WhatsApp, which it took down, and it published malicious domains as indicators of compromise including ikhwancast[.]com, ghazacast[.]com, and fr24cast[.]com.

Meta’s filing comes after a jury decision in early May forced NSO Group to pay damages for attacking users of WhatsApp and other platforms with Pegasus, with damages originally set to US$167 million ($237 million) and later reduced to US$4 million ($5.7 million).

Meta said the campaign it disrupted resembled spyware infections that hit journalists and activists in Jordan from 2019 to 2023, and it described the tactic as trying to “trick people into clicking on malicious links to drive them to external websites outside of WhatsApp.”

In a separate account of the same dispute, The Record from Recorded Future News said WhatsApp accused NSO of deploying spearfishing attacks in violation of an October court order barring the firm from using the messaging app as an attack vector.

BleepingComputer

The Record also reported that WhatsApp said the latest attacks used social engineering techniques to “trick people into clicking on malicious links to drive them to external websites outside of WhatsApp,” and that NSO created test accounts and groups that WhatsApp removed.

Meta’s contempt push was framed by a researcher at the University of Toronto’s Citizen Lab, John Scott-Railton, who wrote that “NSO’s own actions make the strongest argument for why they should stay on the Entity list.”

Meta argued that keeping NSO under U.S. restrictions is necessary because “When a malicious company on the US government’s Entity List continues to defy US courts, existing restrictions must remain firmly in place.”

“Meta said Monday that it caught a spearphishing campaign linked to spyware maker NSO Group despite a court injunction, prompting the tech giant to file a contempt-of-court complaint”

CyberScoop

CyberScoop reported that Meta said easing restrictions would undermine U.S. national security and put “American companies and billions of people worldwide who depend on secure communications at risk,” while also noting lawmakers sought information about the federal government’s prospective use of NSO Group tech.

WhatsApp’s public-facing response included technical guidance that end-to-end encryption protects users’ messages and calls from Pegasus and other spyware, along with calls to update apps and operating systems for optimal protection.

In addition, WhatsApp urged users to enable features such as Android’s ‘Advanced Protection’ and iOS’s ‘Lockdown Mode,’ and it said the threat indicators it shared included the domains ikhwancast[.]com, ghazacast[.]com, and fr24cast[.]com for people to check whether they were targeted.