Last week, hackers identifying themselves as “The Decepticons” hacked into “stalkerware” providers FlexiSPY and Retina-X. FlexiSPY and Retina-X market their Spyware-as-a-Service (SaaS) to the consumer market for the purposes of spying on a family member’s phone. These consumer-grade spyware products are just as capable as their government and law-enforcement editions, allowing a user to eavesdrop on a call, capture photos, read messages, view browser history, and even track movement via GPS.
Taking a step back, it’s quite frightening to evaluate how central smartphones are in our day-to-day activities: we use them for everything from sending and receiving e-mails and messages, recording audio and video, tracking our own movements via apps like Fitbit and Google Maps, conducting financial transactions, and even authenticating our logins via a soft-token or text message (SMS). In short, our smartphones are pocket-sized surveillance devices we all willingly carry with us everywhere we go, in exchange for the daily conveniences such devices offer us.
However, a compromised smartphone provides a verifiable treasure trove of information for an attacker. Victims of domestic abuse routinely discover stalkerware and spyware surreptitiously installed on their smartphones by their abuser.
The “Decepticons” continued throughout the weekend to release a stream of internal documents, source code, and binaries, capping it off with a ‘how-to guide’ of how they infiltrated FlexiSpy’s internal network.
The primary vulnerability in FlexiSPY’s network? A default password (test:test) and password reuse across the network (root:tcpip123). I guess they didn’t take our advice week after week about using a password manager, not re-using passwords, changing default passwords, and generating strong unique passwords.
In response to the attacks, FlexiSPY has launched a bug bounty for security professionals to help secure their network.
To save yourself from becoming a victim of stalkerware or spyware:
Hollywood loves to glamorize hacking, with shots of someone frantically typing away at a keyboard as lines of text scroll by, but the reality is that hacking is a lot easier than you would expect. For a more realistic depiction of hacking, check out the TV show “Mr. Robot.”
To find out how easy it is, GQ Magazine contributor Sarah Jeong invited a friend to hack her. Within several hours, the simulated spearphishing attack had stolen her Google account credentials. From there, a malicious attacker could have used her email access to gain additional access into other online accounts by initiating password resets.
Sarah and Quintin provide a fantastic overview of the process: gathering open source intelligence (e.g. via social networks), social engineering, registering a phishing domain, crafting a document, and delivering a payload.
Spearphishing isn’t just used to steal your credentials so hackers can empty your bank accounts. It’s a common technique used by nation states to gain initial access into a network. In fact, security researchers discovered APT28 (Fancy Bear) targeting the campaign of Emmanuel Macron, France’s presidential frontrunner.
On that note, it’s great to see reporters lifting the veil of hacking and educating their readers in a major lifestyle publication. In fact, earlier this year, Teen Vogue published an excellent article on How to Keep Messages Secure and Why Two Factor Authentication Is So Important. If we can get security into the mindset of the younger generation, maybe we’ll start reducing the effectiveness of spearphishing in the future.
We are big fans of responsible disclosure. However, companies and vendors must also respond appropriately, instead of filing lawsuits against vulnerability researchers. Yet, time and again, we see this sort of aggressive reaction and/or misunderstanding about why researchers are reporting bugs in their product.
Mats Järlström discovered the real world analogy of what it’s like to be persecuted for vulnerability disclosure when he pointed out that the timing of stoplights wasn’t correct, based on his calculations. Rather than address his concerns, the Oregon State Board of Examiners for Engineering and Land Surveying responded by slapping him with a $500 fine for his statement of, “I’m an engineer.”
Do social engineers have to register in the state of Oregon?