Mexico's Sloppy Hacking Attempts Expose Customers of a $1 Billion Spyware Company

There was a time when very few people had heard of NSO Group, an Israeli spyware maker that sells its wares to government agencies around the world. The company was shrouded in mystery and rumors, such as the fact that it constantly changed names to avoid attracting too much attention.

But in the last nine months, NSO has been in the news a lot. First, because one of its customers in the Middle East targeted a well-known human rights activists with a sophisticated iPhone hacking tool. And now, because its customers in Mexico have been caught trying to hack around 15 journalists, human rights activists, and even public health scientists.

Read more: The 'Million Dollar Dissident' Is a Magnet for Government Spyware

According to a new report, the phishing attempts by NSO's Mexican customers are reckless and at times even sloppy, and they're putting the company that provides the technology behind them under the spotlight.

"It's very reckless, it's very noisy. The targeting was done in a way that it would've been picked up by the targets," said John Scott-Railton, a senior researcher at Citizen Lab, a digital rights research group at the at the University of Toronto's Munk School of Global Affairs.

"It's hard to believe that the people who were doing it were trying to be secret, it's almost as if they were brandishing their access to this," he told Motherboard.

On Monday, Citizen Lab, along with a handful Mexican organizations, released a new report identifying 76 text messages designed to phish several targets and infect them with NSO's sophisticated spyware known as Pegasus. The report follows an investigation by The New York Times, also published on Monday.

"NSO's Pegasus solution is designed for surreptitious monitoring of phones. Getting a victim to click and then remain infected without raising suspicion is a delicate task," the report read. "Contrary to this imperative, the entities operating NSO products in this case were, at best, using the tool for something closer to a digital smash-and-grab operation: the messages were both brazen and extremely obvious."

In some cases, NSO's customer in Mexico, which isn't at this point known, sent more than 20 phishing text messages to the same target, the teenage son of famous Mexican journalist Carmen Aristegui.

Some of the phishing messages analyzed by Citizen Lab pretended to come from the US Embassy in Mexico City, alerting the recipient of urgent visa problems. Others were fake alerts warning of imminent threats, or included sexual taunts. Some were less shocking, such as news tips, or fake phone bills or credit card purchase notifications.

Reached via email, NSO's founder Omri Lavie told Motherboard that "we do not speak to reporters." Lavie deferred questions to the company's PR, which sent a boilerplate statement.

"NSO's mission is to make the world safer, by providing authorized governments with technology that helps them combat terrorism and crime," the emailed statement read. "The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations. Moreover, the company does not operate any of its systems; it is strictly a technology company."

In the last few years, security researchers have exposed several spyware makers that allegedly only sell their products to government agencies. Thanks to these investigations, we've known of cases where customers of the Italian Hacking Team, and the German-British FinFisher abused these technologies. Given the history of security firms like these, and the fact that they supposedly exclusively sell to government authorities, many experts believe NSO's Mexican customers are likely the Mexican government agencies. But we've never seen so many documented cases of abuses like in the case of Mexico and NSO.

We don't know yet whether the public attention will cause any trouble to NSO, which is reportedly for sale for $1 billion. In the meantime, the company has been going to industry events such as the infamous ISS World—also known as the wiretappers' ball—in Prague last week to show off its technology. But, according to a source who attended the event the company didn't go as NSO Group. Instead, it went under the guise of a company called 'Q,' as Reuters reported in 2015.

"One of their sales people jokingly said that they are called Q now so that no one can Google them," the source, who asked to remain anonymous, told Motherboard.

To attract less attention, the company should perhaps rein in its Mexican customers instead.

This story was updated to clarify that the technical reports came along a New York Times investigation.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.