An investigative journalist team found a fake Facebook login page used by the authors of the Pegasus mobile spyware, NSO Group, to lure victims in. Facebook is in the process of suing the group over its alleged use of a zero-day exploit for Facebook-owned WhatsApp. Facebook also claims to have evidence that the group launched some of its WhatsApp hacks last year from cloud infrastructure hosted in the U.S.: Court documents filed by Facebook in April detailing alleged specific IP addresses used by NSO. The IP address provided to Motherboard related to a one-click installation of Pegasus.
Source: https://threatpost.com/nso-group-impersonates-facebook-security/156021/