May 27, 2015

Mobile spyware maker mSpy has expended a great deal of energy denying and then later downplaying a breach involving data stolen from tens of thousands of mobile devices running its software. Unfortunately for victims of this breach, mSpy’s lackadaisical response has left millions of screenshots taken from those devices wide open and exposed to the Internet via its own Web site.

mspylogoThe mSpy data was leaked to the Deep Web, where hundreds of gigabytes of files, chat logs, location records and other data was dumped after the company reportedly declined to comply with extortion demands made by hackers who’d broken into mSpy’s servers. Included in that huge archive is a 13 gigabyte (compressed) directory referencing countless screen shots taken from devices running mSpy’s software — including screen shots taken secretly by users who installed the software on a friend or partner’s device.

The log file of the screen shots taken from mSpy-infested devices doesn’t store the actual screenshot, but instead includes incomplete links to the images. Incredibly, nearly two weeks after this breach became public, all of the leaked screen shots remain viewable over the Internet with nothing more than a Web browser if one knows the base URL that precedes the file name. And that base URL is trivial to work out if you have an active mSpy account.

For example, here’s a fairly benign screen shot reference that was included in the leaked files:

“ref”: “dav/a00/003/628/359/2015/02/24/cGWmz4OjqoyImZQh-25493887.jpg.open

Adding the base URL to that URL stem produces a screen shot showing an mSpy-enabled device browsing seberizeni.cz, a Czech news site. Disturbingly, it is trivial to identify the owners of many mSpy-enabled devices merely based on the information available in the bookmarks bar or Web browser windows shown in many of these screen shots.

According to mSpy, however, this is not a big deal. Almost a week after I requested comment from mSpy, a person named Amelie Ross responded with a somewhat nonsensical statement that essentially said the whole incident was dramatically exaggerated and aggravated by the media.

“Data logs do not include the information of the account user, therefore cannot be tracked back to data owner,” Ross said, ignoring the fact that I was able to identify and contact many of the company’s customers. “This case been a hard lesson and will only serve as an incentive for perfecting our service further. We have communicated with our customers whose data could have been stolen, described them a situation and they perceived it with a total understanding.”

Reached today about the exposed screenshots, mSpy reiterated its claim the data cannot be traced back to the data owner, and then acknowledged that it was reworking its system to render the exposed screenshot links unusable.

“Currently we’re working on re-hashing of the exposed data, which will result in the leaked links becoming inoperable,” Ross wrote. “We expect it to be completed within 24 hours.”

A number of journalists following the mSpy breach story have asked if I knew where the company was based, noting that authorities from several countries are now investigating the breach. As I mentioned in my original story on the break-in, the founders of the company variously claimed UK and Russian nationality, but it remains unclear where the company is physically located. However, I’m leaning toward Russia or another Eastern European country. Ross’s response to my initial email includes a forwarded copy of my May 9 message to the main media@mspy.com mailbox, which was prefaced by the the timestamp: “09.05.2015 17:55, brian krebs пишет:” That last word, пишет, is Russian for “wrote”. According to a review of the email headers, the response was sent from a laptop in Ukraine on the Eastern European summer time zone.

I hope it’s clear that it’s foolhardy to place any trust or confidence in a company whose reason for existence is secretly spying on people. Alas, the only customers who can truly “trust” a company like this are those who are indifferent to the privacy and security of the device owner being spied upon.


20 thoughts on “More Evidence of mSpy Apathy Over Breach

    1. Ivana Trump

      You can’t even spell “yacht”, and I took it in the divorce.

      1. Donald Trump's Hair

        Its my fault, my bad. (Donald Trump’s bad spelling not the mSpy stuff)

        1. Tori Spelling

          Spelling is mine, and ew! that hair!

        2. Tori Spelling

          Does my Spelling trump his hair?
          Or is it the other way round?

  1. Lindy

    It’s pretty clear Amlie Ross, if that is her real name, is not a native English speaker judging from her sentence structure and vocabulary.
    And it appears that Donald J Trump, millionaire or not, needs a spell checker.
    **Thanks Brian, for all you do to keep us informed.**

  2. NotMe

    Nice follow up !
    Can’t wait to see where this goes.

  3. samak

    “Amelie Ross” speaks English very similarly to a Russian or Ukrainian. The lack of a definite or indefinite article in “…cannot be tracked back to data owner…” is very typical since “a” and “the” don’t exist in Russian.

    1. m

      And those articles sometimes get stuck in funny places:
      “they perceived it with a total understanding.”

      Thanks, Brian.

  4. Hayton

    Interesting. As I’m in the UK “mspy[dot]com” redirects to “mspy[dot]co[dot]uk”.

    The domain name “mspy[dot]co[dot]uk” is up for sale and expires at the end of July this year.

    The UK website has a phone number with a code (+44 203, or 0203) which is not a UK code but redirects elsewhere, usually outside the UK.

    Crunchbase shows a London address for mspy at 145-157 St. John Street, London EC1. This address is used to provide a virtual office for many companies involved in shady business activities, and has acquired such a bad reputation that legitimate companies using this address find that their credit ratings are likely to suffer as a result. Just Google the address + “fraud” or “scam”.

    mspy’s whois information shows the registrant was Bitex Group Ltd, with an address in the Seychelles. Bitex and mspy appear to be one and the same, or at least to be closely associated. I asked the question in a chat session, and whoever was on the other end confirmed the relationship (“mSpy is our program that we develop” and “BItex is a registered company that develop and sell mSpy”).

    There are websites (presumably affiliates) with some astonishing spam about Bitex and a link which goes straight to a download of mspy, but this page (http://software.exodia.eu/company/bitex-group-ltd/) is all about Bitex and its popular mspy products, with a link to the Bitex website which goes instead to “mspy[dot]co[dot]uk”.

    Bitex Group has a template page on Facebook with no information except, intriguingly, a location listing pointing to Inta – a town in the middle of the Komi republic (look in the north end of the Urals), a place which is 85% forest and swamp. I think this may perhaps be a red herring ..

    Crunchbase names a previous employee of mspy who is now CEO of a company in Oxford : Spyphone Software Solutions. The web address it gives (www[dot]spyphonecalls[dot]com) now redirects to www[dot]thespyphone[dot]com. The company sells mSpy and All-In-One spyware for mobiles. Registration details for the website are Private, through a company in Nassau (Bahamas). The company website shows this company is part of TSH Software Group, with addresses at 616 Corporate Way, New York and 800 Bellevue Way, Bellvue, Washington. There is a link in Cyrillic on their contact page to a Russian-language version of the site and links there which go back to … mspy[dot]co[dot]uk. So all these companies are linked.

  5. ricky

    Very good article – keep up the great work

  6. Robert Gabriel

    Donald J Trump? Who is this idiot?

    1. A Lawyer

      A millionaire who used to own a yac(h)t

  7. GVS

    whois results look like a Russian offshore

    “Registry Tech ID:
    Tech Name: Pavel Daletski
    Tech Organization: mspy.com
    Tech Street: 306 Victoria House
    Tech City: Victoria
    Tech State/Province: Mahe
    Tech Postal Code: 0000
    Tech Country: SC
    Tech Phone: +248.2081338717”

  8. Kyle

    mSpy’s “purpose” was to spy on kids. Funny because I’m pretty sure that grayhatting “pretext” was used by Blackshades as well.

    1. Kyle

      I find it …amusing, since Blackshades got busted, while mSpy is considered a “legal entity.”

      1. Indeed

        Black shades was far more open about its illegal use and was on HackForums. They were extremely sloppy legally and seemed rather suicidal or at least as if they felt untouchable. mSpy seems just to not give a crap what you do with it or what happens to your data as long as they make money, but they market to clueless people who see it as legit. Black shades was marketed in a different manner, that’s all.

  9. Anonymous

    It’s almost like these people who sell spyware, don’t care about their customers privacy…

  10. Ian McKenzie

    I think it’s always a good reminder when we see services like these being brought up in the media by journalists such as BK, that there is never any shortage of people willing to violate one of the most fundamental human rights of the 21st century: privacy.

    That we live and share copious intimate details of our private lives on or through our mobile devices should cause anyone to cringe knowing that services like these are legal and available for use by and against anyone in the entire world. There is no shortage of people willing to pay good money for the ability to violate someone in such a serious manner.

    Consider for a moment the amount of detailed, chronological information that many of us share about ourselves online via social media already. Now consider the verbal conversations and private message based communications that also take place on that same device. There are many more things that the average person, let alone someone of any positive net worth either financially, or politically, would never dream of sharing.

    In other words, why is mSpy allowed to exist in the first place? Unless it’s open source and not being sold in private or public, there’s good potential here for a lot of legal issues in multiple jurisdictions around the world.

Comments are closed.