Whistleblower claims NSO offered 'bags of cash' for access to US phone networks

Snoopware maker suggests remarks made 'in jest' as congressman refers allegations to prosecutors

A whistleblower's allegations about spyware maker NSO Group should be investigated by American prosecutors, US House Rep Ted Lieu (D-CA) has said.

The informant claimed senior NSO executives offered "bags of cash" to California-based telecoms security and monitoring outfit Mobileum to assist in its surveillance work, according to the Washington Post on Tuesday.

Specifically, it's alleged NSO wanted to gain, with Mobileum's help, Signaling System 7-level access to US cellular networks, a position that can be abused to determine a cellphone's location, redirect and read its incoming text messages, snoop on calls, and more. SS7 is the glue between telecommunications providers, and subverting it opens up a wealth of opportunities for spies and miscreants.

Gerry Miller, who spent over six years at Mobileum and rose to veep of network security and client solutions, claimed that in August 2017, when asked how Mobileum would get paid, NSO co-founder Omri Lavie said: “We drop bags of cash at your office.”

“No business was undertaken with Mobileum,” NSO said in a statement. “Mr Lavie has no recollection of using the phrase ‘bags of cash’, and believes he did not do so. However if those words were used, they will have been entirely in jest.”

Also apparently on the call was Eran Gorev of private-equity biz Francisco Partners, which had a majority stake in NSO, before reportedly selling the biz back to the founders in 2019. Gorev offered a very similar statement.

“If such a meeting actually took place, I would absolutely never make a comment like this,” he said. “If someone else made that comment, it would clearly have been made in jest and a colloquial expression or cultural misunderstanding.”

Both Mobileum and NSO Group denied they had any kind of business relationship.

Miller complained about NSO's intentions to the FBI's whistleblower tip line in 2017 and, after receiving no response, he filed a more detailed report to the Dept of Justice, copying in the FCC and SEC. He also shared his report with Congressman Lieu, a Democratic member of the US House of Representatives who has a computer science degree.

"The NSO Group, which sells phone hacking software, tried to gain access to cellular networks by offering 'bags of cash', according to a whistleblower," Lieu tweeted Tuesday, adding that he has asked US prosecutors to look into the claims.

"I made a criminal referral to the Justice Dept," he noted. Lieu also said "no one's phone is safe," due to the insecurities of the SS7 protocol.

It's certainly not a good time for NSO. In November, the US Department of Commerce put the Israeli software maker on Uncle Sam's Entity List, making it all but impossible for the outfit to legally do business with American companies, following revelations that its Pegasus spyware was being used to snoop on people. Legislators are calling for further sanctions against the surveillance company as well.

Meanwhile, weeks after the Dept of Commerce took action, Apple sued what it called the "amoral 21st century mercenaries" at NSO for infecting iPhones and breaking Cupertino's terms and conditions. A similar lawsuit from Meta over WhatsApp hacking is also going through the courts. ®

Updated to add

"Mobileum does not have - and has never had - any business relationship with NSO Group," a Mobileum spokesperson told The Register.

"Mobileum does not have any direct access to the customer’s network and is unable to provide any kind of access, including SS7 access, to any third party. Mobileum’s products work towards the benefit of the operator, and not to their or their subscriber’s detriment."
