Meta on Thursday revealed it removed a network of more than 40 accounts on Facebook and Instagram operated by an Indian firm called CyberRoot Risk Advisory Private.
In its report, Meta said that rather than distributing malware directly on its apps, CyberRoot’s activity consisted mainly of social engineering and phishing, often designed to trick targets into handing over the credentials for their online accounts elsewhere on the internet (e.g., email).
CyberRoot used fake accounts to create fictitious personas tailored to win the trust of the people it targeted around the world. To appear more credible, these personas impersonated journalists, business executives and media personalities.
The group apparently used a playbook similar to that of BellTroX, another surveillance-for-hire firm Meta removed in 2021, which appears to have since ceased operating on the company’s platforms. According to public reporting, CyberRoot previously supported and worked with BellTroX, including sharing web infrastructure and even employees.
“In some cases, CyberRoot also created accounts that were nearly identical to accounts connected to their targets like their friends and family members, with only slightly changed usernames, likely in an attempt to trick people into engaging,” Meta said in its report.
As part of its phishing campaigns, Meta says CyberRoot registered spoofed domains imitating major email providers, video conferencing and file sharing tools, including Gmail, Zoom, Facebook, Dropbox, Yahoo and OneDrive, as well as targets’ corporate email servers. The spoofed domains were used to harvest login credentials for the victims’ accounts on those services.
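The two impersonation patterns described above, slightly altered usernames and spoofed domains of well-known services, are what a lookalike check is built to catch. The block below is an added example written for this page, not code from Meta or from its report. Its confusable tables, protected-name lists and every sample candidate (including the handle `jane.doe`) are constructed for illustration and are not indicators from the investigation.

```python
"""Lookalike detection for domains and account handles.

Added example, not code from Meta or from the report. It flags
candidates that are near-copies of a protected name by way of
homoglyph swaps, single edits or transpositions, inserted
separators, or a brand name reused as a label on an unrelated
domain. All sample inputs below are constructed for illustration.
"""
from __future__ import annotations

import unicodedata
from typing import Callable

# Single-character confusables (assumed set; extend to taste). The
# Cyrillic entries cover mixed-script spoofs where a Latin letter is
# swapped for a visually identical Cyrillic one.
_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}
# Letter pairs that render like one letter in many fonts.
_DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}
# Characters attackers insert into a handle that a casual reader skips over.
_SEPARATORS = "._-"


def canonical(name: str) -> str:
    """Collapse a name to a skeleton so visual twins compare equal."""
    s = unicodedata.normalize("NFKC", name).lower()  # fullwidth etc. -> ASCII
    s = "".join(_CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in _DIGRAPHS.items():
        s = s.replace(seq, rep)
    return s


def skeleton(name: str) -> str:
    """canonical() with separators dropped, for account handles."""
    return "".join(ch for ch in canonical(name) if ch not in _SEPARATORS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "gmial" -> "gmail" costs 1
    return d[-1][-1]


def classify_domain(candidate: str, protected: str, max_edits: int = 1) -> str | None:
    """Reason why candidate impersonates protected, or None if it does not."""
    c, p = canonical(candidate.strip(".")), canonical(protected)
    if c == p:
        return None if candidate.lower() == protected.lower() else "homoglyph"
    if c.endswith("." + p):
        return None  # a genuine subdomain of the real domain
    if osa_distance(c, p) <= max_edits:
        return "edit-distance"
    brand = p.split(".")[0]  # short or generic brands need an allowlist here
    if any(brand in label.split("-") for label in c.split(".")):
        return "brand-in-label"  # e.g. dropbox.com.<attacker-domain>
    return None


def classify_handle(candidate: str, protected: str, max_edits: int = 1) -> str | None:
    """Same idea for Facebook/Instagram-style handles, ignoring separators."""
    if candidate.lower() == protected.lower():
        return None
    c, p = skeleton(candidate), skeleton(protected)
    if c == p:
        return "homoglyph-or-separator"
    if osa_distance(c, p) <= max_edits:
        return "edit-distance"
    return None


def find_lookalikes(candidates, protected, classify: Callable[..., str | None]):
    """Return (candidate, protected, reason) for every flagged pair."""
    return [(cand, prot, r) for cand in candidates for prot in protected
            if (r := classify(cand, prot)) is not None]


# Constructed sample data; none of these are real CyberRoot indicators.
PROTECTED_DOMAINS = ["gmail.com", "zoom.us", "facebook.com", "dropbox.com", "yahoo.com"]
SAMPLE_DOMAINS = ["gmai1.com", "mail.gmail.com", "gmial.com", "zoorn.us",
                  "dropbox.com.file-share.example", "faceb\u043e\u043ek.com",
                  "yahoo-mail.example", "example.com"]
PROTECTED_HANDLES = ["jane.doe"]
SAMPLE_HANDLES = ["jane_doe", "jane.d0e", "janedoe2", "john.doe", "jane.doe"]

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_DOMAINS, PROTECTED_DOMAINS, classify_domain):
        print("domain", *hit)
    for hit in find_lookalikes(SAMPLE_HANDLES, PROTECTED_HANDLES, classify_handle):
        print("handle", *hit)
```

Run against the constructed samples, the check flags six of the eight domains and three of the five handles, and passes the genuine subdomain `mail.gmail.com`. The `brand-in-label` rule is the noisiest one: a short or generic brand will match legitimate unrelated domains, so in production it needs an allowlist, and the hand-rolled confusable map should be replaced by the Unicode confusables data from UTS #39. Both classifiers deliberately return a reason string rather than a boolean so that a triage pipeline can weight homoglyph hits, which are almost never accidental, above single-edit hits, which often are.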
“Our investigation found CyberRoot targeted people around the world, working in a wide range of industries including cosmetic surgery and law firms in Australia, real-estate and investment companies in Russia, private equity firms and pharmaceutical companies in the US, environmental and anti-corruption activists in Angola, gambling entities in the UK, and mining companies in New Zealand,” the report said.
Meta says that CyberRoot focused on business executives, lawyers, doctors, activists, journalists and members of the clergy in countries including Kazakhstan, Djibouti, Saudi Arabia, South Africa and Iceland.
The Mark Zuckerberg-led company has blocked the group’s domain infrastructure, shared its findings with industry peers and security researchers, and is sharing threat indicators to help inform further research into and detection of this malicious activity across the internet.