Spyware slinger NSO to Facebook: Pretty funny you're suing us in California when we have no US presence and use no American IT services...

Malware maker urges judge to dump lawsuit over WhatsApp phone snooping

Israeli spyware maker NSO Group has rubbished Facebook's claim it can be sued in California because it allegedly uses American IT services and has a business presence in the US.

Last October, Facebook and its WhatsApp subsidiary sued the software developer and its affiliate Q Cyber Technologies in California, claiming that the firms made, distributed, and operated surveillance software known as Pegasus that remotely infects, hijacks, and extracts data from the smartphones of WhatsApp users.

NSO Group then filed a motion to dismiss the hacking lawsuit, arguing that it can't be sued in the US: it has immunity because its customers are governments. The social network last week responded by insisting the concept of sovereign immunity doesn't apply to contractors working for foreign governments and NSO's software relied on servers provided by Los Angeles-based telecom service provider QuadraNet.

NSO's latest legal salvo, filed on Thursday this week in a California court, challenges these claims. A spokesperson for the biz said its court submission, in conjunction with a sworn statement from NSO Group CEO Shalev Hulio, should dispel "several misleading assertions" made by Facebook's lawyers.

“One of these assertions relates to QuadraNet, a California-based telecommunications company," NSO's spokesperson said in an emailed statement. "As we have argued to the court, neither NSO Group nor Q Cyber ever had a contractual arrangement with QuadraNet."

Hulio in his statement said, "neither defendant [NSO or Q Cyber] has ever entered into any contract with QuadraNet."

WhatsApp security manager Claudiu Gheorghe in a previous filing identified 720 malicious attacks on WhatsApp from the IP address, a server in California provided by QuadraNet and allegedly run by NSO.

QuadraNet did not immediately respond to The Register's request to clarify the account holder for that IP address.

NSO's spokesperson reiterated the claim that the biz does not operate its Pegasus software for its clients. And its legal filing says as much: "If Pegasus messages did pass through QuadraNet servers, they would have been sent by NSO’s customers, not NSO."


Spyware maker NSO can't claim immunity, Facebook lawyers insist – it's time to face the music


NSO's latest filing insists Facebook wrongly dismissed the possibility of immunity. Though the immunity statute applies only to governments, NSO claims it "is entitled to derivative sovereign immunity," based on a 2000 case (Butters v. Vance) in which the Fourth Circuit held that a private agent of Saudi Arabia was derivatively immune.

"[Facebook and WhatsApp] challenge the alleged use of Pegasus to message WhatsApp’s users, which was done entirely by foreign sovereigns," the NSO paperwork states. "Plaintiffs’ theory would punish people who offer goods and services to the government when the cause of action is based on the government’s use of the product. But suppliers are not stripped of derivative immunity for building tools, nor for helping governments maintain them so that they can be used when needed."

The snoop-ware maker also insists it can't have violated America's Computer Fraud and Abuse Act because it had authorization to send messages via WhatsApp – messages which just so happened to be bobby-trapped to install its Pegasus malware on victims' devices. It claims the CFAA applies only to unauthorized access, not to malicious content.

"Plaintiffs assert that NSO formatted WhatsApp messages to hide data WhatsApp did not want users to send," the filing says. "But NSO was authorized to send messages, so violating WhatsApp’s limits on the contents of those messages is not accessing WhatsApp’s servers without authorization."

The biz further contends that any bypassing of technical restrictions would not qualify as a CFAA violation, likening its actions to the way hiQ Labs bypassed technical restrictions LinkedIn put in place to stop web scraping. The Ninth Circuit last year ruled that web scraping does not meet the CFAA definition of unauthorized access.

"[A]ll NSO allegedly did was send the wrong kind of message over WhatsApp’s servers. That is not a CFAA violation," the filing states.

As to Facebook's claim that NSO "access[ed] server-side call settings and alter[ed] the technical architecture routing calls through its servers," that shouldn't even be considered because it was not mentioned in the initial complaint, the spyware biz's filing insists.

What's more, Facebook had claimed NSO "had a marketing and sales arm in the United States called WestBridge Technologies, Inc," which NSO rejects. The Israel-based biz maintains that it doesn't exercise control over Maryland-based WestBridge, a sales and marketing outfit that sells to US government agencies. Also none of the current directors of NSO or Q Cyber reside in the US.

So, in short, NSO says it has no US presence – no management, no sales arm in America – and uses no US IT services, so how can it be sued in the US state of California?

Facebook declined to comment on the ongoing lawsuit. ®

Narrower topics

Other stories you might like

  • Meta agrees to tweak ad system after US govt brands it discriminatory
    And pay the tiniest of fines, too

    Facebook parent Meta has settled a complaint brought by the US government, which alleged the internet giant's machine-learning algorithms broke the law by blocking certain users from seeing online real-estate adverts based on their nationality, race, religion, sex, and marital status.

    Specifically, Meta violated America's Fair Housing Act, which protects people looking to buy or rent properties from discrimination, it was claimed; it is illegal for homeowners to refuse to sell or rent their houses or advertise homes to specific demographics, and to evict tenants based on their demographics.

    This week, prosecutors sued Meta in New York City, alleging the mega-corp's algorithms discriminated against users on Facebook by unfairly targeting people with housing ads based on their "race, color, religion, sex, disability, familial status, and national origin."

    Continue reading
  • Metaverse progress update: Some VR headset prototypes nowhere near shipping
    But when it does work, bet you'll fall over yourselves to blow ten large on designer clobber for your avy

    Facebook owner Meta's pivot to the metaverse is drawing significant amounts of resources: not just billions in case, but time. The tech giant has demonstrated some prototype virtual-reality headsets that aren't close to shipping and highlight some of the challenges that must be overcome.

    The metaverse is CEO Mark Zuckerberg's grand idea of connected virtual worlds in which people can interact, play, shop, and work. For instance, inhabitants will be able to create avatars to represent themselves, wearing clothes bought using actual money – with designer gear going for five figures.

    Apropos of nothing, Meta COO Sheryl Sandberg is leaving the biz.

    Continue reading
  • Heineken says there’s no free beer, warns of phishing scam
    WhatsApp messages possibly the worst Father's Day present in the world

    There's no such thing as free beer for Father's Day — at least not from Heineken. The brewing giant confirmed that a contest circulating on WhatsApp, which promises a chance to win one of 5,000 coolers full of green-bottled lager, is a frothy fraud.

    "This is a scam. Thank you for highlighting it to us. Please don't click on links or forward any messages. Many thanks," the beermaker said in a tweet.

    The phony WhatsApp giveaway includes an image of a cooler of 18 Heinekens and a link to a website purporting to run the giveaway. That page asks visitors vying to bag free booze for their personal information, such as names, email addresses, and phone numbers, which is all collected by miscreants.

    Continue reading
  • Israeli air raid sirens triggered in possible cyberattack
    Source remains unclear, plenty suspect Iran

    Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms. 

    While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat. 

    Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident. 

    Continue reading
  • Facebook phishing campaign nets millions in IDs and cash
    Hundreds of millions of stolen credentials and a cool $59 million

    An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

    Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

    The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

    Continue reading
  • Meta to squeeze money from WhatsApp with Cloud API for businesses
    How to make a free messaging platform bought for $22 billion profitable

    At Meta's first Conversations keynote yesterday, the company announced the WhatsApp Cloud API, aimed at improving the customer service experience for businesses of all sizes.

    Meta already has the WhatsApp Business API, the first revenue-generating enterprise product for the otherwise free messaging app, where companies pay WhatsApp on a per-message basis and can use the platform to direct customer communications to other lines like SMS, email, other apps, and more.

    It's basically another online presence where enterprises can set up shop to make it easier for customers to get in touch. But the WhatsApp Business API is on-premises and would normally need a solutions provider like Twilio to facilitate back-end integration.

    Continue reading
  • Zuckerberg sued for alleged role in Cambridge Analytica data-slurp scandal
    I can prove CEO was 'personally involved in Facebook’s failure to protect privacy', DC AG insists

    Cambridge Analytica is back to haunt Mark Zuckerberg: Washington DC's Attorney General filed a lawsuit today directly accusing the Meta CEO of personal involvement in the abuses that led to the data-slurping scandal. 

    DC AG Karl Racine filed [PDF] the civil suit on Monday morning, saying his office's investigations found ample evidence Zuck could be held responsible for that 2018 cluster-fsck. For those who've put it out of mind, UK-based Cambridge Analytica harvested tens of millions of people's info via a third-party Facebook app, revealing a – at best – somewhat slipshod handling of netizens' privacy by the US tech giant.

    That year, Racine sued Facebook, claiming the social network was well aware of the analytics firm's antics yet failed to do anything meaningful until the data harvesting was covered by mainstream media. Facebook repeatedly stymied document production attempts, Racine claimed, and the paperwork it eventually handed over painted a trail he said led directly to Zuck. 

    Continue reading

Biting the hand that feeds IT © 1998–2022