Cybercriminals are capitalizing on the infamous reputation of the Pegasus spyware, duping unsuspecting victims on the dark web.
According to a recent investigation by the cybersecurity firm CloudSEK, threat actors are systematically leveraging the Pegasus name to perpetrate a widespread scam, offering randomly generated source codes falsely associated with the potent spyware for exorbitant prices, sometimes exceeding a million dollars.
Dissecting the Scam: Insights from Months of Research
CloudSEK’s report sheds light on the intricate workings of this scam, which emerged shortly after Apple warned about a “mercenary spyware” attack targeting users across 92 countries. The cybersecurity firm’s researchers delved deep into the dark web, analyzing approximately 25,000 posts on platforms like Telegram, many of which claimed to sell authentic Pegasus source code.
Anuj Sharma, the lead investigator and security researcher at CloudSEK, underscored the detrimental impact of this scam, stating:
The misuse of Pegasus’s name, logo, and identity by underground sources has led to significant misinformation about the tool, confusing both experts and the public about its true capabilities and origin. The deliberate misrepresentation complicates the attribution of cyberattacks, making it harder to determine the source and nature of the spyware being used.
Engaging with Potential Sellers: Uncovering Fake Samples and Inflated Prices
CloudSEK researchers went a step further, directly engaging with over 150 potential sellers claiming to offer Pegasus-related services. Through these interactions, they accessed purported Pegasus source code samples, live demonstrations, file structures, and snapshots. However, after analyzing 15 samples and over 30 indicators from various intelligence sources, the researchers concluded that nearly all samples were fraudulent and ineffective.
The report also identified six instances of fake Pegasus HVNC (Hidden Virtual Network Computing) samples distributed on the dark web between May 2022 and January 2024. Moreover, the scam extended to code-sharing platforms on the surface web, where scammers disseminated their own randomly generated source codes, falsely associating them with the Pegasus spyware.
In one particularly brazen case, a group named Deanon ClubV7 announced on April 5 that they had obtained legitimate access to Pegasus and were offering permanent access for a staggering fee of $1.5 million. The group claimed to be the first to secure access to Pegasus and boasted about selling four accesses within just two days, raking in a total of $6 million.
Combating the Scam: Employee Awareness and Strict Access Controls
To combat this widespread scam, CloudSEK emphasizes the importance of employee awareness and implementing strict access controls. Sharma recommends providing regular updates and alerts about the latest scam tactics involving Pegasus and similar high-profile names, as well as implementing network monitoring to identify unusual activity that might indicate employees accessing the dark web or IRC platforms.
Strict access controls should be implemented to limit and monitor employees’ ability to visit potentially dangerous sites or download unauthorized software, reducing the risk of falling victim to such scams.
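One way to implement the network-monitoring check the recommendation describes, as an added example that is not CloudSEK's or the article's own code: it scans constructed proxy-log lines (a hypothetical "timestamp user host:port action" format) for .onion destinations, well-known Tor-to-web gateway suffixes, and common IRC ports, and returns the records a SOC analyst would triage.

```python
import re

# Constructed sample proxy log lines in a hypothetical format:
# "<timestamp> <user> <dest_host>:<dest_port> <action>"
SAMPLE_LOG = """\
2024-05-02T09:14:03Z alice updates.example.com:443 ALLOW
2024-05-02T09:15:11Z bob exampleonionaddressplaceholder.onion:80 ALLOW
2024-05-02T09:16:40Z carol 203.0.113.7:6697 ALLOW
2024-05-02T09:17:02Z dave mail.example.com:993 ALLOW
2024-05-02T09:18:55Z erin forum.onion.ly:443 ALLOW
this line is malformed and must be skipped
"""

# Ports conventionally used by IRC (plaintext and TLS). Port-only matching is a
# weak signal on its own, so it is reported as a reason for triage, not a verdict.
IRC_PORTS = {6667, 6697, 7000}
# Suffixes used by public Tor-to-web gateways (illustrative list, not exhaustive).
TOR_GATEWAY_SUFFIXES = (".onion.ly", ".onion.to", ".onion.ws")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def classify(line):
    """Parse one log line and return a dict with the reasons it looks suspicious.

    Returns None for lines that do not match the expected format.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, host, port, action = m.groups()
    port = int(port)
    host = host.lower()
    reasons = []
    if host.endswith(".onion"):
        reasons.append("onion-address")       # direct Tor hidden-service name
    if host.endswith(TOR_GATEWAY_SUFFIXES):
        reasons.append("tor2web-gateway")     # clearnet proxy into Tor
    if port in IRC_PORTS:
        reasons.append("irc-port")            # IRC-style destination port
    return {"ts": ts, "user": user, "host": host, "port": port,
            "action": action, "reasons": reasons}


def find_suspicious(log_text):
    """Return only the parsed records that carry at least one reason."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits
```

Feeding a real proxy export requires only adjusting LINE_RE to that product's format; the reasons list is what an analyst would pivot on, since an IRC port alone is also used by legitimate services.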