Meta Blocks NSO Group’s WhatsApp Phishing Attempts, Seeks Contempt Order

What happened

Meta said it detected and blocked spear-phishing attempts on WhatsApp linked to the Israeli spyware vendor NSO Group. The company is also asking a federal court for a contempt order, arguing that NSO violated a permanent injunction that bars it from targeting WhatsApp and its users.

How the attempt worked

According to Meta, the activity tried to push targets off the app and onto malicious sites—consistent with earlier reports of NSO-linked 1‑click phishing.

“They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO,” Meta said.

Meta also said it caught NSO Group creating test accounts and groups on WhatsApp. Those have been removed.

Domains linked to the activity

  • fr24cast[.]com
  • ghazacast[.]com
  • ikhwancast[.]com
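To check proxy or DNS logs against the domains listed above, the following added example (not from Meta or the original article) refangs each logged value and matches the host on label boundaries, so subdomains are caught while look-alike suffixes and userinfo tricks are not. The log format and all sample lines are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Domains exactly as listed on this page (defanged).
LISTED = ["fr24cast[.]com", "ghazacast[.]com", "ikhwancast[.]com"]

def refang(value: str) -> str:
    """Undo common defanging so indicators and log values compare equal."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("[:]", ":").replace("hxxp", "http"))

BLOCKED = {refang(d).lower() for d in LISTED}

def host_of(value: str) -> str:
    """Normalized hostname from a URL or a bare host[:port] value."""
    value = refang(value.strip())
    if "://" not in value:
        value = "//" + value              # make urlsplit parse it as a netloc
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:                    # malformed netloc: treat as no host
        return ""
    return host.rstrip(".").lower()       # drop trailing root dot, fold case

def matches_listed(value: str) -> Optional[str]:
    """Return the listed domain that value falls under (itself or a subdomain)."""
    labels = host_of(value).split(".")
    for i in range(len(labels) - 1):      # compare whole-label suffixes only
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED:
            return candidate
    return None

# Constructed sample lines: "<timestamp> <client> <url-or-host>"
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 10.0.0.5 https://www.example.org/news
2025-01-01T10:00:02Z 10.0.0.7 hxxps://live.FR24cast[.]com/a?id=1
2025-01-01T10:00:03Z 10.0.0.7 https://notfr24cast.com/
2025-01-01T10:00:04Z 10.0.0.9 https://ghazacast[.]com.example.org/login
2025-01-01T10:00:05Z 10.0.0.9 ikhwancast[.]com.:443
""".splitlines()

def scan(lines):
    """Return (line_number, listed_domain) for each line whose last field matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        hit = matches_listed(fields[-1]) if fields else None
        if hit:
            hits.append((n, hit))
    return hits
```

Lines 3 and 4 of the sample are deliberate non-matches: a look-alike that merely ends with a listed name, and a listed name used as a prefix of an unrelated host.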

Why it matters

This action follows a U.S. court decision last year that fined NSO Group about $168 million in damages for violating U.S. laws by exploiting WhatsApp servers to deploy Pegasus spyware against more than 1,400 people worldwide. In 2021, NSO was also added to the U.S. Commerce Department’s blocklist for activities deemed “contrary to the national security or foreign policy interests of the United States.”

What WhatsApp users can do

“As always, WhatsApp users’ personal messages and calls remain protected with default end-to-end encryption,” Meta said. “We encourage people to keep their apps and devices up to date and report suspicious activity so we can quickly investigate and take action.”

If you think you may be at higher risk because of your role or work, consider turning on WhatsApp’s strict account settings. This reduces the attack surface by tightening defaults. With the feature enabled:

  • Two-step verification is turned on.
  • Link previews are turned off.
  • Last seen and online, profile photo, About details, and profile links are locked to contacts only or to a pre-established list of people.
  • Only known contacts or a pre-established list of people can be added to groups.

“Strict account settings are an advanced security feature that turns on privacy and security controls to help protect accounts from sophisticated cyber attacks. Strict account settings are an optional, lockdown-style security feature that, when enabled, reduces your vulnerability to cyber attack by limiting functionality.”

Short version: keep software current, treat unexpected links with caution, lock down what you can. Small steps lower risk, especially when attackers aim for a single click.
