03.12.14

NSA And British Intelligence Impersonating Facebook, Hijacking Adbots To Infect Millions Of Computers With Malware

New Edward Snowden revelations indicate the NSA is creating fake Facebook servers and piggybacking adbots to monitor millions of Internet users worldwide.

[Image: Flickr user pHotosHo0x]

Newly released documents indicate that the NSA is masquerading as Facebook to hijack millions of computers worldwide with spyware… and that the surveillance agency is also piggybacking on commonly used adbots to infect computers worldwide with programs that let spies activate webcams and microphones.
The papers and PowerPoints, obtained by Edward Snowden and reported by Ryan Gallagher and Glenn Greenwald in The Intercept, date from 2009; it’s a safe bet that NSA Internet surveillance capabilities have become even more advanced since then. For American readers who might not worry about the NSA listening in on their computers’ microphones, it’s also a safe bet that rival states have similar capabilities.

According to the Intercept report, the NSA is using automated systems that drastically reduce the level of human oversight needed to spy on a target’s computer. Rather than hunting for specific people to conduct surveillance on, the teams behind the intelligence agency’s TURBINE system conduct dragnets that compromise millions of computers simultaneously. NSA agents then parse that group of millions of computers to find the information they are looking for.

A second document posted to the Intercept today indicates that the NSA partially decides which people to target abroad based on keywords in their webmail; excerpts from the document, much of which is redacted, say that a project called DRAGGABLEKITTEN (yes, draggablekitten) conducts analytics on keywords obtained through interceptions of bulk Hotmail and Yahoo emails. Shockingly, the NSA paper says 50% of Hotmail and 90% of Yahoo sessions carry the necessary keywords within a single packet, enough to fall within the NSA dragnet.

One system used by the NSA, called QUANTUMHAND, consists of a fake Facebook server set up by the NSA. Greenwald and Gallagher write that “when a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive.” The Intercept posted a top secret animation to Vimeo illustrating the process:

The report also indicates that the NSA is piggybacking on two types of common browser adware, Simbar and ShopperReports, to conduct surveillance of individuals both inside and outside of the U.S. Both Simbar and ShopperReports are commonly used to infect Internet-attached computers with spam advertising; the NSA’s engineers and systems experts, it seems, are savvy enough to subvert that same adware for mass surveillance of the world’s Internet users.

Nicholas Weaver, an expert on network security at the International Computer Science Institute, told Fast Company via email that “The ad networks have built a global network of user monitoring; it’s natural that the NSA not only piggybacks off this monitoring but uses it to guide attacks. Especially since behind the scenes the NSA also does user-linking, which allows them to fully deanonymize supposedly ‘anonymous’ advertisement cookies.” Weaver wrote about the technical aspects of how this is done months ago for Wired.

Weaver also added that “Many of (the NSA and British intelligence’s) wiretaps are not passive monitors but active tools for exploitation: If one of these wiretaps sees a request from an identified target that they wish to exploit, the NSA can ‘shoot’ an attack at their target. They have been using this widely, to exploit ally as well as enemy. Now that this is known, it is de facto permission for everyone else to do the same thing. The limits for other countries are simply the vantage points where they can install their own weaponized wiretaps.”

In short: If the Americans and the British can do it, so can China, Russia, Israel, India, Pakistan, Venezuela, Brazil, or any other country one can imagine. While that may not have been the result the NSA foresaw when it began vacuuming up the web for mass surveillance, it is what the world is likely to end up with.

Correction: An earlier version of this article misidentified the International Computer Science Institute as a UC Berkeley-affiliated institution. Although the ICSI shares close ties with Berkeley (and uses a UC Berkeley domain), it is not formally affiliated with the school.