[BreachExchange] A Hacker Has Wiped a Spyware Company’s Servers—Again

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 20 09:52:22 EST 2018


Last year, a vigilante hacker broke into the servers of a company that
sells spyware to everyday consumers and wiped them, deleting photos
captured from monitored devices. A year later, the hacker has done it
again.

Thursday, the hacker said he started wiping some cloud servers that belong
to Retina-X Studios, a Florida-based company that sells spyware products
targeted at parents and employers, but that are also used by people to spy
on their partners without their consent.

Retina-X was one of two companies that were breached last year in a series
of hacks that exposed the fact that many otherwise ordinary people
surreptitiously install spyware on their partners’ and children’s phones in
order to spy on them. This software has been called “stalkerware” by some.
This spyware allows people to have practically full access to the
smartphone or computer of their targets. Whoever controls the software can
see the photos the target snaps with their phone, read their text messages,
or see what websites they go to, and track their location.

A Retina-X spokesperson said in an email Thursday that the company hasn’t
detected a new data breach since last year. Friday morning, after the
hacker told us he had deleted much of Retina-X’s data, the company again
said it had not been hacked. But Motherboard confirmed that the hacker does
indeed have access to its servers.

Friday, Motherboard created a test account using Retina-X’s PhoneSheriff
spyware in order to verify the hacker’s claims. We downloaded and installed
PhoneSheriff onto an Android phone and used the phone’s camera to take a
photo of our shoes.

“I have 2 photos of shoes,” the hacker told us moments later.

The hacker also described other photos we had on the device, told us the
email account we used to register the account, and then deleted the data
from our PhoneSheriff account.

“None of this should be online at all,” the hacker told Motherboard,
claiming that he had deleted a total of 1 terabyte of data.

“Aside from the technical flaws, I really find this category of software
disturbing. In the US, it's mainly targeted to parents,” the hacker said,
explaining his motivations for going after Retina-X. “Edward Snowden has
said that privacy is what gives you the ability to share with the world who
you are on your own terms, and to protect for yourself the parts of you
that you're still experimenting with. I don't want to live in a world where
younger generations grow up without that right.”

In the first Retina-X data breach last year, the hacker was able to access
private photos, messages, and other sensitive data from people who were
monitored using one of Retina-X’s products. The private data was stored in
containers provided by cloud provider Rackspace. The hacker found the key
and credentials to those containers inside the Android app of PhoneSheriff,
one of Retina-X’s spyware products. The API key and the credentials were
stored in plaintext, meaning anyone who unpacked the app could extract them
and use them to reach the storage containers directly.

This time, the hacker said the API key was obfuscated, but it was still
relatively easy for him to obtain it and break in again. Because he feared
another hacker getting in and then posting the private photos online, the
hacker decided to wipe the containers again.
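The two paragraphs above describe the same weakness twice: a storage API key and credentials shipped inside the Android app, first in plaintext and then lightly obfuscated. The script below is an added example, not code from Motherboard, Retina-X or the hacker, of the check a reviewer would run over string constants dumped from a decompiled app before release. Every input string is constructed for the example (the key names and values are invented; only the product and cloud-provider names come from the article), and base64 wrapping is used as a stand-in for the unspecified obfuscation, since the article does not say how the key was obfuscated.

```python
"""Scan string constants from a decompiled Android app for embedded cloud
credentials, covering both the plaintext case and trivially obfuscated
(base64-wrapped) values.  Added example: all sample strings below are
constructed; nothing here is taken from the real PhoneSheriff app."""
import base64
import binascii
import math
import re
from typing import Dict, List, Optional

# Key names that usually carry storage/API credentials.  Assumption: a
# decompiler such as apktool or jadx has already dumped one constant per line.
CRED_KEYS = re.compile(
    r"(api[_-]?key|secret|password|passwd|username|user|token|auth[_-]?token)",
    re.IGNORECASE,
)
KV_RE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*[=:]\s*["\']?([^"\'\s]+)["\']?\s*$')
# Token-shaped values only (URLs and prose contain ':' '.' etc. and are skipped).
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits per character.  Random API keys sit at or above 4.0 for hex and
    base64 alphabets; words and paths sit well below."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64(s: str) -> Optional[str]:
    """Return the decoded text if s is base64 of printable ASCII, else None."""
    if not B64_RE.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_line(line: str, depth: int = 0) -> List[dict]:
    """Classify one string constant; unwrap one layer of base64 and rescan."""
    line = line.strip()
    findings: List[dict] = []
    decoded = try_base64(line) if depth == 0 else None
    if decoded is not None:  # whole constant is base64 of something readable
        for f in scan_line(decoded, depth + 1):
            f["wrapped_in"] = "base64"
            findings.append(f)
        return findings
    m = KV_RE.match(line)
    if not m:
        return findings
    key, value = m.groups()
    if CRED_KEYS.search(key):
        findings.append({"type": "keyed_credential", "key": key, "value": value, "depth": depth})
    elif TOKEN_RE.match(value) and shannon_entropy(value) > 4.0:
        findings.append({"type": "high_entropy_value", "key": key, "value": value, "depth": depth})
    if depth == 0:  # value itself may be a base64-wrapped credential
        inner = try_base64(value)
        if inner is not None:
            for f in scan_line(f"{key}={inner}", depth + 1):
                f["wrapped_in"] = "base64"
                findings.append(f)
    return findings


def scan_strings(lines: List[str]) -> List[dict]:
    return [f for line in lines for f in scan_line(line)]


# Constructed sample dump.  Lines 3-4 model the 2016 plaintext case, line 5 a
# key whose name gives nothing away, line 6 the 2018 "obfuscated" case.
SAMPLE_STRINGS = [
    "app_name=PhoneSheriff",
    "upload_url=https://storage101.example.invalid/v1/",
    "rackspace_username=rsuser-constructed",
    "rackspace_api_key=0123456789abcdef0123456789abcdef",
    "x_rs_cfg=Qm7tZ3vL9pXwK2nRa8sYcE4bJdH6uF1g",
    base64.b64encode(b"cloud_api_key=fedcba9876543210fedcba9876543210").decode(),
]

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        wrap = f" (wrapped in {f['wrapped_in']})" if "wrapped_in" in f else ""
        print(f"{f['type']:20} {f['key']}={f['value']}{wrap}")
```

Run it over the output of `apktool d app.apk` (the `res/values/strings.xml` values and the string constants in the smali files) or the string table of a jadx export. The keyword check catches the plaintext case from the first breach; the entropy and base64 checks catch a key whose name was changed or whose value was wrapped, which is the only thing the reported "obfuscation" achieved. A finding in any of the three categories means the secret has to move off the device entirely, for example behind a server-issued, short-lived, per-user token, because an attacker can run exactly this scan.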

Shortly after Motherboard first reported the Retina-X breach in February of
last year, a second hacker independently approached us, and said they
already had been inside the company’s systems for some time. The hacker
provided other internal files from Retina-X, some of which Motherboard
verified at the time.

Answering a series of questions about what Retina-X changed after last
year’s hack, a spokesperson wrote in an email that “we have been taking
steps to enhance our data security measures. Sharing details of security
measures could only serve to potentially compromise those efforts.”

“Retina-X Studios is committed to protecting the privacy of its users and
we have cooperated with investigating authorities,” the spokesperson wrote.
“Unfortunately, as we are well aware, the perpetrators of these egregious
actions against consumers and private companies are often never identified
and brought to justice.”

At the end of 2016, the hacker gained access to the servers of Retina-X,
which makes several spyware products, and started collecting data and
moving inside the company’s networks. Weeks later, the hacker shared
samples of some of the data he accessed and stole with Motherboard. But he
didn’t post any of it online. Instead, he wiped some of the servers he got
into, as the company later admitted in February of 2017.

The new alleged hack comes just a few days after the hacker resurfaced
online. At the beginning of February, the hacker started to dump online
some of the old data he stole from Retina-X in late 2016. The hacker is now
using a Mastodon account called “Precise Buffalo” to share screenshots
recounting how he broke in, as well as raw data from the breach, though no
private data from victims and targets.

In February of 2017, a Motherboard investigation based on data provided by
hackers showed that tens of thousands of people—teachers, construction
workers, lawyers, parents, jealous lovers—use stalkerware apps. Some of
those people use the stalkerware apps to spy on their own partners without
their consent, something that is illegal in the United States and is often
associated with domestic abuse and violence.

Retina-X was not the only spyware company hacked last year. Other hackers
also breached FlexiSpy, an infamous provider of spyware that has actively
marketed its apps to jealous lovers. At the time, the hackers promised that
their two victims—FlexiSpy and Retina-X—were only the first in line, and
that they would target more companies that sell similar products.