NSA posing as a popular site is probably common, say experts


The revelations that the U.S. National Security Agency impersonated Facebook in order to spread malware on suspect computers is probably not the only time the agency has masqueraded as a popular site to get data, security experts say.

"I'm sure it already has. This tactic is not only for intelligence use, cybercriminals use the same tactic," said Jeff Bardin, founder of Treadstone 71, a cyberintelligence firm.

(Read more: Edward Snowden speaks via Google at SXSW)

"This news is not surprising at all. You are going to use any tactic to collect information, this is not a new tactic, people may act surprised, but this is nothing new," he said.

According to data recently leaked by Edward Snowden, the NSA lured people into visiting what looked like a normal Facebook page, but was actually "using the social media site as a launching pad to infect a target's computer and exfiltrate files from a hard drive." The information was first reported in The Intercept by Ryan Gallagher and Glenn Greenwald.

Bardin, who is a former Air Force intelligence officer, said that it's also common for cybercriminals to build a website that looks exactly like the target website and make it so a visitor can enter their credentials and be then be transferred into the actual site.

(Read more: An NSA-Proof phone?)

Facebook did not respond to CNBC's request for comment, but company spokesperson Jay Nancarrow, who was cited in The Intercept report, said that "the company had no evidence of this activity." Nancarrow also noted that the NSA could have used this tactic on any website.

"If government agencies indeed have privileged access to network service providers," Nancarrow told The Intercept, "any site running only [unencrypted] HTTP could conceivably have its traffic misdirected."

Facebook CEO Mark Zuckerberg posted a response on, where else, Facebook.

"The US government should be the champion for the internet, not a threat" he wrote. "They need to be much more transparent about what they're doing, or otherwise people will believe the worst. I've called President Obama to express my frustration over the damage the government is creating for all of our future. Unfortunately, it seems like it will take a very long time for true full reform."

Facebook implemented HTTPS encryption for its users last year, making users' browsing sessions safer. Many other tech companies, including Google and Yahoo, also use this type of encryption to protect all communication over their servers. But even HTTPS, which greatly improves secure browsing, isn't foolproof, security experts said.

The NSA code named its technique of posing as Facebook "QUANTUMHAND" and began using the method in 2010, according to the report.

"Any website could conceivably face this problem," Bardin said. "There's no end to this."

Mass hacking

Edward Snowden greeted warmly at SXSW

While QUANTUMHAND was meant to target specific people, the report points out that the technique is also integrated into the NSA's automated "TURBINE" system, which is aimed at targeting many systems.

TURBINE is a system that enables the NSA to hack and infect people's computer on a much larger scale because it automates implanting malware by groups, rather than individually. The NSA has already used this system to infiltrate 85,000 to 100,000 computers globally, according to documents cited in the report.

However, there is still no clear answer if the NSA is actually using its TURBINE system to ramp up mass surveillance, said Harley Geiger, senior counsel at the Center for Democracy and Technology.

"The NSA has clearly built this machine, but it's not clear how the NSA is using it," Geiger said.

"If TURBINE can be used for mass hacking then the fact that they have that machine at the ready is a bit troubling," Geiger said.

(

Not only does TURBINE raise serious issues regarding mass surveillance, but if it is actually being used to spread malware on a broad basis, then it could leave infected systems open to attacks by cybercriminals and other third parties, Geiger said.

"We have a situation where we have an agency that knows these security flaws exist and other governments are also using them and it's the Internet users who suffer without knowing about it," he said."

UPDATE: A spokesperson from the NSA responded in an email to shortly after publication.

"Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawfuland appropriate foreign intelligence operations, all of which must be carried outin strict accordance with its authorities," the email said.

"Reports of indiscriminate computer exploitation operations are simply false."

By CNBC's Cadie Thompson. Follow her on Twitter @CadieThompson.