As part of its efforts to spy on millions of computers worldwide, the National Security Agency (NSA) impersonated the social network giant Facebook to trick targets into downloading malicious code.
According to a report based on documents provided by whistleblower Edward Snowden, the NSA has used automated systems to infect user computers with malware since 2010. The NSA has been using a program codenamed TURBINE to infect computers and networks with malware capable of spying on users.
The NSA has deployed between 85,000 and 100,000 of these malware implants worldwide. To spread the malware, the NSA disguises itself as a fake Facebook server and performs "man-in-the-middle" (MITM) attacks on the connection between the target and Facebook. The report was published by The Intercept, the first in a series of publications created by Pierre Omidyar's First Look Media.
Once the malware infects a target's computer, it extracts files from the hard drive. It can also be programmed to covertly record audio from the computer's microphone and take snapshots with its webcam. Having infiltrated the system, the NSA can also launch cyberattacks, corrupting and disrupting file downloads or denying access to websites.
The Facebook trick was codenamed QUANTUMHAND by the NSA and was initially tested on "about a dozen targets" before being launched on a larger scale in 2010, the documents show. Tactics that were apparently once reserved for a small number of hard-to-reach targets have since been expanded, seeding these malware "mines" across the internet. The "implants" can scale to very large numbers (millions of implants) because a system controls groups of implants automatically instead of handling each one individually.
And by using the TURBINE program, the documents reveal, members of the NSA's Tailored Access Operations unit (TAO) can tap into or destroy computers on a massive scale.
The documents also indicate that some of these malware implants disable targets' ability to use encryption software to mask internet activity or send emails privately. To make things worse, this type of spying also weakens the compromised computer's own security, immediately leaving any NSA target vulnerable to third-party attacks. This is what the NSA documents call its "Owning the Net" program.
Because Facebook's Like buttons are scattered across the entire internet, the probability that the NSA has succeeded in planting its malware increases significantly.
The NSA's Facebook targeting is reportedly a response to the declining success of other malware injection techniques. Previous techniques include spam emails that trick targets into clicking a malicious link.
"If this report is accurate, the NSA is acting like a spambot," said Harley Geiger, senior counsel at the Center for Democracy & Technology. "The use of malware implants should be targeted against specific threats in tightly controlled situations, but this kind of mass automated surveillance would put countless internet users at risk."
However, Facebook denied any knowledge of the NSA's malware infection program and said that its systems are protected against that kind of attack, so it is no longer possible for the NSA or hackers to target users that way. The company also suggested that, if the allegations are true, other social networks could have been compromised as well.
"We have no evidence of this alleged activity," said a Facebook spokesman. "In any case, this method of network level disruption does not work for traffic carried over HTTPS, which Facebook finished integrating by default last year."
"If government agencies indeed have privileged access to network service providers, any site running only HTTP could conceivably have its traffic misdirected."
Facebook CEO and co-founder, Mark Zuckerberg, and other major tech CEOs have called on the Obama administration to be more transparent about spying efforts. Zuckerberg said he vented about his concerns in a phone call to the president.
"When our engineers work tirelessly to improve security, we imagine we're protecting you against criminals, not our own government," Zuckerberg said.
The NSA has also allegedly posed as Google to gain access to user data. The documents revealed that one of the NSA's first MITM attacks was mounted against Brazil's state-owned oil company, Petrobras, and stated that information was also intercepted in the same way from Google's servers.
MITM attacks are risky for the attacker. Google Chrome, for example, keeps a separate list of the public keys used for Google's sites, and the browser will alert Google if it detects any attempt to forge these sites. But that is only useful if someone is actually looking for the warning sign; it is also possible that the NSA's system did not trigger any alarms at all.
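The two defensive points above, that HTTPS alone does not help a site that still serves HTTP, and that a browser can keep its own list of expected public keys and raise an alert when a site presents a different key, both come down to one check: hash the SubjectPublicKeyInfo (SPKI) of the leaf certificate the server presented and compare it against the pinned list for that host. The following is an added illustration written for this page, not Chrome's code and not from The Intercept's documents. It uses a small DER walker to pull the SPKI out of a certificate and a constructed, certificate-shaped test structure (hypothetical keys and hostnames such as `www.example.test`) so it runs offline; the `check_pinned_host` function and the report record it builds are the example's own design, modelled on the HPKP-style "sha256/" pin format.

```python
"""SPKI pin check: accept a leaf certificate only if the SHA-256 of its
SubjectPublicKeyInfo is on the list pinned for that host. A substitute
certificate that validates under any CA but carries a different key fails
the check, which is what makes a network-level substitution visible."""
import base64
import hashlib


def der_tlv(buf, pos):
    """Parse the DER TLV at buf[pos]; return (tag, tlv_start, value_start, value_end)."""
    start = pos
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, start, pos, pos + length


def der_children(buf, start, end):
    """Yield the TLVs directly contained in a constructed value."""
    pos = start
    while pos < end:
        tlv = der_tlv(buf, pos)
        yield tlv
        pos = tlv[3]


def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, _, vs, ve = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = next(der_children(cert_der, vs, ve))
    if tbs[0] != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = list(der_children(cert_der, tbs[2], tbs[3]))
    idx = 1 if fields and fields[0][0] == 0xA0 else 0   # skip explicit [0] version
    spki = fields[idx + 5]
    if spki[0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not where expected")
    return cert_der[spki[1]:spki[3]]


def spki_pin(cert_der):
    """HPKP-style pin string: 'sha256/' + base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def check_pinned_host(host, cert_der, pin_list):
    """Return (accepted, pin, report). Hosts absent from pin_list fall back to
    ordinary chain validation; a pinned host with an unexpected key is rejected
    and a report record (hypothetical format) is produced for the site operator."""
    pin = spki_pin(cert_der)
    expected = pin_list.get(host)
    if expected is None or pin in expected:
        return True, pin, None
    report = {"hostname": host, "noted-pin": pin, "known-pins": sorted(expected)}
    return False, pin, report


# ---- constructed test data (not real certificates or keys) ------------------
def der(tag, body):
    """Minimal DER encoder used only to build the sample structures below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

RSA_OID = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption

def fake_spki(key_bytes):
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + key_bytes))   # BIT STRING, 0 unused bits

def fake_cert(spki, with_version=True):
    fields = [der(0xA0, der(0x02, b"\x02"))] if with_version else []
    fields += [der(0x02, b"\x01"), der(0x30, der(0x06, SHA256_RSA_OID)),
               der(0x30, b""), der(0x30, b""), der(0x30, b""), spki]
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + der(0x30, der(0x06, SHA256_RSA_OID)) + der(0x03, b"\x00"))

SITE_KEY = fake_spki(bytes(range(32)))            # the key the site really uses
IMPOSTOR_KEY = fake_spki(bytes(range(32, 64)))    # a different key in a substitute cert
GENUINE_CERT = fake_cert(SITE_KEY)
SUBSTITUTE_CERT = fake_cert(IMPOSTOR_KEY, with_version=False)
PINS = {"www.example.test": {spki_pin(GENUINE_CERT)}}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("substitute", SUBSTITUTE_CERT)):
        ok, pin, report = check_pinned_host("www.example.test", cert, PINS)
        print(label, "accepted" if ok else "REJECTED", pin, report or "")
```

The check deliberately hashes the whole SPKI rather than the certificate, so a site can renew its certificate under the same key without invalidating the pin; the pinned set should also include a backup key so that key rotation does not lock legitimate users out, which is the usual operational caveat with pinning.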
Google has been increasing its efforts to stop NSA's data gathering. In a statement, Google has said, "as for recent reports that the U.S. government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide our user data to governments only in accordance with the law."
The NSA declined to answer specific questions about this project. "As the President made clear on 17 January 2014," the agency said in a statement, "signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes."