
How we uncovered the identity of popular spyware makers - pnevmatico
https://medium.com/@pnevmatico/who-are-the-hacked-spyware-peddlers-68c114c3c285
======
buro9
> The UK address. 145-157 St John Street, London, EC1V 4PY. According to a BBC
> report, this is the address used by a company which sells its use as a
> registered office address. Because there does not seem to be an obligation
> to check that users of the service are legitimate companies, criminals are
> attracted to it. According to the BBC, the address is in common use among
> fake companies operating "boiler room" fake share scams.

That is the old address for Companies Made Simple:
[http://www.companiesmadesimple.com/](http://www.companiesmadesimple.com/)

They handle all kinds of services for tens of thousands of companies in the
UK, from registration, to registered address and mail forwarding.

I know this, because I used them for my startup to handle the registered
address. This is because official mail has to go somewhere and the address is
a matter of public record. We were in a co-working space at the time and knew
that we would move on when the time came, it's an annoyance to go around
updating the registered address and unprofessional to have a co-working space
as one.

That Companies Made Simple is used by bad actors isn't going to be a surprise;
bad actors use nearly all service providers.

They are the largest provider of registered address services in the UK; it's
not a surprise that the address is in "common use". That ignores the fact that
the number of legitimate businesses that use the address vastly outnumbers the
illegitimate.

I dislike Companies Made Simple having used them (they nearly shredded our
investors' SEIS certs because they didn't regard them as "official government
communication"), but it's probably defamation to imply that companies using
the address are not legitimate just because some small sample of them are not.

~~~
jsingleton
Would you recommend another formation agent instead?

~~~
buro9
For company formation, do it yourself.

It's a trivially small fee and can be done online with Companies House in a
very short amount of time and they will auto-notify HMRC in the same go.

For mail forwarding and registered office address... I honestly now think you
should only consider one of three options:

1) Your work address if it is a sole-use mailbox and you know you will be
there for more than a year.

2) Your accountants address (with their consent).

3) Your home address.

I would not now use a third party for the registered address; the risks are
too high. There is no junk or spam mail sent to this address, it really is
just actionable and important government communication from Companies House,
HMRC, etc.

~~~
jsingleton
I'd be hesitant to use a home address as it goes on public record. If you rent
then it can be against the terms of the tenancy contract to register a
business at the address. Also you might move and someone else could get your
post and potentially do bad things. Are these reasonable concerns?

~~~
buro9
If you're in short-term rental accommodation (1 year or less) or if you share
a mailbox... then yes, these are concerns.

If you fail to respond to HMRC mail, you can be fined. i.e. missing reminders
about a tax return, or PAYE info.

Both Companies House and HMRC will send authorisation codes to the registered
address, and you can use these to change shareholdings, dissolve a company,
make declarations that are untrue, etc.

You definitely need to trust the registered address a lot, and that trust
needs to be stable.

------
kpcyrd
> After the first shock of seeing iCloud passwords stored in clear text (how
> hard would it be to encrypt them?)

Not going to defend shady businesses, but I dislike this knee-jerk reaction
without understanding the actual issue. I've seen software that encrypts
(encrypts, not hashes) passwords for security™, but stores the secret in the
database, too. Sure, technically they didn't store plaintext passwords, but
practically they did.

What you could do to defend the passwords:

* hash them - doesn't work in this case, because it's not an authentication system

* symmetrically encrypt them - useless, the secret would be stored on the compromised server

* asymmetrically encrypt them - works, assuming the private key isn't stored on the server. Therefore, it's not possible to decrypt the passwords from within the application again

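The third option above, as an added example that is not from the commenter or from the article: the application side holds only an escrow public key and can seal credentials with RSA-OAEP, while the private key (and so the only decryption path) lives off the server. The store type, the `Seal`/`Open` names and the sample credential are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Record is all the application server persists: the sealed credential and
// the account it belongs to. Nothing in it can reverse the encryption.
type Record struct {
	Account    string
	Ciphertext []byte
}

// PublicOnlyStore models the server side. It holds only the escrow public
// key, so dumping its memory and database yields ciphertexts, not passwords.
type PublicOnlyStore struct {
	Pub     *rsa.PublicKey
	Records []Record
}

// Seal encrypts with RSA-OAEP, using the account name as the OAEP label so a
// ciphertext copied into another account's row refuses to decrypt.
func (s *PublicOnlyStore) Seal(account, password string) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, s.Pub, []byte(password), []byte(account))
	if err != nil {
		return err
	}
	s.Records = append(s.Records, Record{Account: account, Ciphertext: ct})
	return nil
}

// Open is the only way back to the plaintext and needs the private key, so it
// runs on the offline side (a separate host or HSM), never inside the app.
func Open(priv *rsa.PrivateKey, r Record) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, r.Ciphertext, []byte(r.Account))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // generated off the server
	store := &PublicOnlyStore{Pub: &priv.PublicKey} // server gets the public half only
	_ = store.Seal("qa@example.invalid", "hunter2") // constructed sample credential
	fmt.Println(Open(priv, store.Records[0]))       // only works where priv lives
}
```

Note that a compromise of the server still exposes any credential while it is in memory before sealing; the scheme protects what is at rest, which is exactly the 13GB file case discussed here.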
~~~
Lancey
Even if you store the secret on the same server it shows some effort went into
the protection of user credentials.

~~~
kpcyrd
You aren't protecting anything, you're playing hide and seek. This isn't how
security works.

------
baffledshrimp
> We decided to sneak a peek. Logging in with the "mobiteam@icloud.com" Apple
> ID and the password graciously provided in clear text, we have identified a
> typical QA team account...

This provides the 'break in the case' but it's based on illegal activity. Just
because a company is acting unethically doesn't give researchers a legal
shield. (Especially considering a quick search led me to the probable identity
of the author.)

~~~
joshstrange
I came here to say the same thing. IANAL, but it looks like if Apple wanted
(which they probably don't) they could have them charged under the computer
abuse and fraud acts, and even if Apple doesn't act, the DoJ still can. I can
understand the researcher's desire to follow the trail, but in attempting to
unmask the criminal, did they themselves not become one in the process? This is
"ends justify the means" type thinking, which is really dangerous (Patriot Act,
anyone?).

------
fasteo
Great write-up, even though some enthusiastic conclusions are far from solid.

> the logo similarity convinced us beyond the shadow of a doubt that
> Mobisoft LTD is the development company behind mSpy

> Why would mSpy move their data from Amazon ... Incidentally, in September
> 2014, the FBI has arrested a CEO of another spyware company called Stealth
> Genie ... Could the ease with which the US authorities were able to take down
> Stealth Genie has caused the Ukrainian company to move to an alternative
> infrastructure? We believe that the compelling answer to this question is
> obvious. Yes.

~~~
deckar01
Even their graphic designer was in on it ;)

------
chris_wot
I think what would be interesting is to ask Lenovo why they commissioned
Lenovo Browser Guard from a known spyware distributor, Conduit (one of the
biggest and for a time nastiest Malware programs was Search Protect, which
they make).

Proof: here’s a press release from Perion from June 2014 which announced that
they partnered with Lenovo to create Browser Guard:

[http://www.businesswire.com/news/home/20140618005930/en/Peri...](http://www.businesswire.com/news/home/20140618005930/en/Perion-Partners-Lenovo-Create-Lenovo-Browser-Guard)

And here is a January 2014 press release that shows that Perion acquired
Conduit's ClientConnect Services in 2014:

[http://www.businesswire.com/news/home/20140102005313/en/Peri...](http://www.businesswire.com/news/home/20140102005313/en/Perion-Completes-Acquisition-Conduit%E2%80%99s-ClientConnect-Creating-Leading#.VWnShlyqpBd)

------
DanielBMarkham
I liked the style and flow of this piece a lot. I sort of felt like I was left
hanging at the end, though. There was no huge reveal or dramatic conclusion,
just a bunch of arm waving and strong language.

I wonder if rewriting this so that the ending leaves more of a mystery might
help the piece. As it is, I got the feeling the author was trying to tell a
story that just wasn't there. Great tone and style, though, and worth the
read. This new brand of "Nerd Detective Novel" is really cool. Would love to
see more of it.

~~~
josephb
Agreed! Nice piece of well written suspense and intrigue in the tech world. If
it's also factual, that's a bonus :-)

------
dkyc
Thanks for the story, it was a nice read. However, the answer is at the
beginning: The author of the software is exactly the guy he claims to be.
Along with photo and an interview in the _Forbes Magazine_.

Yes, they use all kinds of fake companies for whatever purposes, but there's
really no need to entangle it all.

------
chii
It's great that at least some shady businesses are being exposed. However, the
problem is that it's hard to get any public attention on it - they are
relatively small, and it's hard to link any actual damage to these shady
businesses, and even then, the victims are "spread out", and will find it
difficult to litigate.

There's no pressure to stop such businesses, unless law enforcement do their
thing properly. FBI and other gov't agencies have massive resources, why isn't
more put on this sort of thing, instead of spying on the citizens illegally?

------
ipsin
Doesn't logging into an email account with stolen credentials, even a "QA team
account" cross a line?

I understand that spyware makers are not good people, but that doesn't obviate
the laws against this sort of thing.

------
hywel
My money's on SourceForge.

------
jds375
I think the name Pat Baitman is a reference to Patrick Bateman
[http://en.m.wikipedia.org/wiki/Patrick_Bateman](http://en.m.wikipedia.org/wiki/Patrick_Bateman)

------
OrangeTux
> After the first shock of seeing iCloud passwords stored in clear text (how
> hard would it be to encrypt them?), we have seen something very interesting
> in the file:

I don't understand why that particular developer account caught their eye
while browsing through a 13GB data set.

~~~
nostrebored
"This seemed like an obvious developers’ account, especially with this
information being right at the beginning of the file."

------
travelhead
Instead of 20 pages of investigation, he admits he could have simply gone on
LinkedIn and searched for 'mspy' - LOL!

------
newuser88273
So this outfit, mSpy, sold to people the capability to track activities on one
(1) other person's smartphone: Less than a nanogoogle! Why the outrage?

