{"id":13261,"date":"2018-09-04T10:17:03","date_gmt":"2018-09-04T18:17:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/09\/04\/news-7028\/"},"modified":"2018-09-04T10:17:03","modified_gmt":"2018-09-04T18:17:03","slug":"news-7028","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/09\/04\/news-7028\/","title":{"rendered":"For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records"},"content":{"rendered":"<p><strong>Credit to Author: BrianKrebs| Date: Tue, 04 Sep 2018 17:22:41 +0000<\/strong><\/p>\n<p><strong>mSpy<\/strong>, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.<\/p>\n<p>Less than a week ago, security researcher <a href=\"https:\/\/twitter.com\/IamNitishShah\" target=\"_blank\" rel=\"noopener\"><strong>Nitish Shah<\/strong><\/a> directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy&#8217;s site and for mobile phone data collected by mSpy&#8217;s software. 
The database required no authentication.<\/p>\n<div id=\"attachment_44971\" style=\"width: 595px\" class=\"wp-caption aligncenter\"><a class=\"lightbox\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/09\/mspy-nojb.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-44971\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/09\/mspy-nojb.png\" alt=\"\" width=\"585\" height=\"352\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">A list of data points that can be slurped from a mobile device that is secretly running mSpy&#8217;s software.<\/p>\n<\/div>\n<p>Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said.<\/p>\n<p>In addition, the database included the <strong>Apple iCloud<\/strong> username and authentication token of mobile devices running mSpy, and what appear to be references to iCloud backup files. 
Anyone who stumbled upon this database also would have been able to browse the <strong>WhatsApp<\/strong> and <strong>Facebook<\/strong> messages uploaded from mobile devices equipped with mSpy.<\/p>\n<div id=\"attachment_44979\" style=\"width: 597px\" class=\"wp-caption aligncenter\"><a class=\"lightbox\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/09\/mspypass.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-44979\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/09\/mspypass.png\" alt=\"\" width=\"587\" height=\"278\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Usernames, passwords, text messages and loads of other more personal details were leaked from mobile devices running mSpy.<\/p>\n<\/div>\n<p>Other records exposed included the transaction details of all mSpy licenses purchased over the last six months, including customer name, email address, mailing address and amount paid. Also in the data set were mSpy user logs &#8212; including the browser and Internet address information of people visiting the mSpy Web site.<\/p>\n<p>Shah said when he tried to alert mSpy to his findings, the company&#8217;s support personnel ignored him.<\/p>\n<p>&#8220;I was chatting with their live support, until they blocked me when I asked them to get me in contact with their CTO or head of security,&#8221; Shah said.<\/p>\n<p>KrebsOnSecurity alerted mSpy about the exposed database on Aug. 30. This morning I received an email from mSpy&#8217;s chief security officer, who gave only his first name, &#8220;Andrew.&#8221;<\/p>\n<p>&#8220;We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure,&#8221; Andrew wrote. &#8220;All our customers\u2019 accounts are securely encrypted and the data is being wiped out once in a short period of time. 
Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers\u2019 emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.&#8221;<\/p>\n<p>Some of those &#8220;points of access&#8221; were mine. In fact, because mSpy&#8217;s Web site access logs were leaked I could view evidence of my own activity on their site in real-time via the exposed database, as could Shah of his own poking around.<\/p>\n<div id=\"attachment_44978\" style=\"width: 597px\" class=\"wp-caption aligncenter\"><a class=\"lightbox\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/09\/mspy-kibana.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-44978\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/09\/mspy-kibana.png\" alt=\"\" width=\"587\" height=\"275\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">A screen shot of the exposed database. The records shown here are non-sensitive &#8220;debug&#8221; logs.<\/p>\n<\/div>\n<p><span id=\"more-44932\"><\/span><\/p>\n<h4>WHO IS MSPY?<\/h4>\n<p>mSpy has a history of failing to protect data about its customers and &#8212; just as critically &#8212; data secretly collected from mobile devices being spied upon by its software. In May 2015, KrebsOnSecurity broke the news that <a href=\"https:\/\/krebsonsecurity.com\/2015\/05\/mobile-spy-software-maker-mspy-hacked-customer-data-leaked\/\" target=\"_blank\" rel=\"noopener\">mSpy had been hacked and its customer data posted to the Dark Web<\/a>.<\/p>\n<p>At the time, mSpy initially <a href=\"https:\/\/krebsonsecurity.com\/2015\/05\/mspy-denies-breach-even-as-customers-confirm-it\/\" target=\"_blank\" rel=\"noopener\">denied suffering a breach for more than a week<\/a>, even as many of its paying customers confirmed that their information was included in the mSpy database uploaded to the Dark Web. 
mSpy later acknowledged a breach to the <strong>BBC<\/strong>, saying it had been the victim of a &#8220;predatory attack&#8221; by blackmailers, and that the company had not given in to demands for money.<\/p>\n<p>mSpy pledged to redouble its security efforts in the wake of the 2015 breach. But more than two weeks after news of the 2015 mSpy breach broke, the company <a href=\"https:\/\/krebsonsecurity.com\/2015\/05\/more-evidence-of-mspy-apathy-over-breach\/\" target=\"_blank\" rel=\"noopener\">still had not disabled links to countless screenshots on its servers<\/a> that were taken from mobile devices running mSpy.<\/p>\n<div id=\"attachment_30952\" style=\"width: 595px\" class=\"wp-caption aligncenter\"><a class=\"lightbox\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2015\/05\/mspydemo.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30952\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2015\/05\/mspydemo.png\" alt=\"\" width=\"585\" height=\"454\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2015\/05\/mspydemo.png 974w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2015\/05\/mspydemo-580x450.png 580w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2015\/05\/mspydemo-940x730.png 940w\" sizes=\"auto, (max-width: 585px) 100vw, 585px\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Mspy users can track Android and iPhone users, snoop on apps like Snapchat and Skype, and keep a record of everything the target does with his or her phone.<\/p>\n<\/div>\n<p>It\u2019s unclear exactly where mSpy is based; the company\u2019s Web site suggests it has offices in the United States, Germany and the United Kingdom, although the firm does not appear to list an official physical address. 
However, according to historic Web site registration records, the company is tied to a now-defunct firm called\u00a0<strong>MTechnology LTD<\/strong>\u00a0out of the United Kingdom.<span id=\"more-30913\"><\/span><\/p>\n<p>Documents obtained from\u00a0<strong>Companies House<\/strong>, an official register of corporations in the U.K., indicate that the two founding members of the company are self-described programmers\u00a0<strong>Aleksey Fedorchuk<\/strong>\u00a0and\u00a0<strong>Pavel Daletski<\/strong>. Those\u00a0<a href=\"http:\/\/krebsonsecurity.com\/wp-content\/uploads\/2015\/05\/OfficersMspy.pdf\" target=\"_blank\" rel=\"noopener\">records<\/a>\u00a0(PDF) indicate that Daletski is a British citizen, and that Mr. Fedorchuk is from Russia. Neither man could be reached for comment.<\/p>\n<p><a href=\"http:\/\/krebsonsecurity.com\/wp-content\/uploads\/2015\/05\/DaletskiTrademarkcase.pdf\" target=\"_blank\" rel=\"noopener\">Court documents<\/a>\u00a0(PDF) obtained from the U.S. District Court in Jacksonville, Fla. regarding a trademark dispute involving mSpy and Daletski state that mSpy has a U.S.-based address of 800 West El Camino Real, in Mountain View, Calif. Those same court documents indicate that Daletski is a director at a firm based in the Seychelles called\u00a0<strong>Bitex Group LTD.\u00a0<\/strong>Interestingly, that lawsuit was brought by\u00a0<strong>Retina-X Studios<\/strong>, an mSpy competitor based in Jacksonville, Fla. 
that makes a product called\u00a0<strong>MobileSpy<\/strong>.<\/p>\n<p>The latest mSpy security lapse comes days after <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/mb4y5x\/thetruthspy-spyware-domestic-abusers-hacked-data-breach\" target=\"_blank\" rel=\"noopener\">a hacker reportedly broke into the servers of <strong>TheTruthSpy<\/strong><\/a> &#8212; another mobile spyware-as-a-service company &#8212; and stole logins, audio recordings, pictures and text messages from mobile devices running the software.<\/p>\n<p>U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities\u00a0<a href=\"http:\/\/www.forbes.com\/sites\/kashmirhill\/2014\/09\/30\/stealthgenie-ugly-marketing-of-spyware\/\" target=\"_blank\" rel=\"noopener\">arrested<\/a>\u00a0a 31-year-old\u00a0<strong>Hammad Akbar<\/strong>, the CEO of a Lahore-based company that makes a spyware app called <strong>StealthGenie<\/strong>.\u00a0The FBI noted\u00a0that while the company advertised StealthGenie\u2019s use for \u201cmonitoring employees and loved ones such as children,\u201d the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.<\/p>\n<p>\u201cAdvertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,\u201d\u00a0<strong>U.S. 
Attorney Dana Boente<\/strong>\u00a0said in a press release tied to Akbar\u2019s indictment.<\/p>\n<p>Akbar\u00a0<a href=\"http:\/\/www.justice.gov\/opa\/pr\/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine\" target=\"_blank\" rel=\"noopener\">pleaded guilty<\/a>\u00a0to the charges in November 2014, and according to the Justice Department he is \u201cthe first-ever person to admit criminal activity in advertising and selling spyware that invades an unwitting victim\u2019s confidential communications.\u201d<\/p>\n<p>A public relations pitch from mSpy\u00a0to KrebsOnSecurity in March 2015 stated that approximately 40 percent of the company\u2019s users are parents interested in keeping tabs on their kids. Assuming that is a true statement, it\u2019s ironic that so many parents may now have unwittingly\u00a0exposed their kids to predators, bullies and other ne\u2019er-do-wells thanks to this latest security debacle at mSpy.<\/p>\n<p>As I wrote in a previous story about mSpy, I hope it\u2019s clear that it is foolhardy to place any trust or confidence in a company whose reason for existence is secretly spying on people. 
Alas, the only customers who can truly \u201ctrust\u201d a company like this are those who don&#8217;t care about the privacy and security of the device owner being spied upon.<\/p>\n<p><a href=\"https:\/\/krebsonsecurity.com\/2018\/09\/for-2nd-time-in-3-years-mobile-spyware-maker-mspy-leaks-millions-of-sensitive-records\/\" target=\"bwo\" >https:\/\/krebsonsecurity.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/09\/mspy-nojb.png\"\/><\/p>\n<p><strong>Credit to Author: BrianKrebs| Date: Tue, 04 Sep 2018 17:22:41 +0000<\/strong><\/p>\n<p>mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.    Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy&#8217;s site and for mobile phone data collected by mSpy&#8217;s software. 
The database required no authentication.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10642],"tags":[19392,14414,11740,3589,8826,19393,19394,10440],"class_list":["post-13261","post","type-post","status-publish","format-standard","hentry","category-independent","category-krebs","tag-apple-icloud","tag-bbc","tag-data-breaches","tag-facebook","tag-iphone","tag-mspy-breach","tag-nitish-shah","tag-whatsapp"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13261"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13261\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13261"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}