letmespy blog post

pull/1/head
maia arson crimew 2023-06-27 00:30:13 +02:00
parent 1dab8c8d0b
commit 1e2b2648c9
3 changed files with 679 additions and 0 deletions

View File

@ -0,0 +1,107 @@
---
title: "#FuckStalkerware pt. 1 - the LetMeSpy hack"
date: 2023-06-26
description: "let the games begin"
feature_image: /img/posts/fuckstalkerware-1/cover.jpg
feature_alt: "a glitchy edited screenshot of the landing page for LetMeSpy"
tags:
- "#FuckStalkerware"
- stalkerware
- analysis
- leak
content_warnings:
- mentions of abuse/controlling behaviour
---
> the intro to this series can be found [here](/fuckstalkerware-0/)
a few days ago, while i was starting work on this very series, polish stalkerware company LetMeSpy (LMS) got completely pwned and had their databases dumped. the link to the file (`jaki_kraj_taki_finfisher.tar`) was sent my way, and i decided that this would be a fun thing to start this series off with, especially since so far this breach has been barely, if at all, reported on outside polish media.
## so what's in the dump?
the dump contains the following folder structure:
```bash
drwxr-xr-x 0 root root 0 Jun 21 01:10 letmespy/
-rw-r--r-- 0 root root 66347465 Jun 21 00:08 letmespy/lidwin_lms.sql.zst
-rw-r--r-- 0 root root 191375 Jun 21 00:57 letmespy/decrypted_calls.csv.zst
-rw-r--r-- 0 root root 648027 Jun 21 01:00 letmespy/decrypted_msg.csv.zst
-rw-r--r-- 0 user users 772213 Jun 21 01:10 letmespy/users.csv.zst
```
all the files are compressed using [zstandard](http://facebook.github.io/zstd/), and there is a full phpMyAdmin db dump (`lidwin_lms.sql.zst`), and csv files of decrypted call (`decrypted_calls.csv.zst`) and message (`decrypted_msg.csv.zst`) logs, as well as a convenient csv of user (operator) ids, emails and password hashes (`users.csv.zst`).
## oh, a users table 👀, who used this shit?
after a cursory glance over [all the domains used for user email addresses](/files/posts/fuckstalkerware-1/email-domains.txt), i've come to the following main conclusions:
- 3 government workers have signed up (two from malaysia, one from jordan)
- D. Morrison from [broussard police](https://broussardpolice.com) has signed up
- at least one person from a competing stalkerware product (which we will get to in due time in this series), has signed up, definitely no "advanced inspiration" happening here
after a cursory glance at the dumped database and call/message logs it however doesn't appear like any of the above users have actually really used the product in any capacity. another concering thing i noticed however in the list of email addresses/domains is just how many US college students appear to be using stalkerware such as this, though i guess it does fit the US college culture to be spying on partners in such a manner.
## what other stuff is there
alright, so obviously there is the message and call logs, revealing with whom and what all the spied on people have communicated, which so far i have not yet had the time to do a deep dive into, though i might wait with that in general until i have more datasets from various of these apps, but some interesting stuff in there:
- there is obviously logs of various drug trades happening
- god so many people get trump campaign text messages
- there is at least two instances (i only searched in english) of the stalkers admitting to their tracking and calling the person they're spying on out since they think they've just caught them cheating, eg:
```csv
id_msg,id_user,id_phone,type,ip_add,message,number,time_add,timestamp,doublecheck
63644797,xxxxxx,xxxxxx,0,72.x.x.x,"You cheat,  ",+1xxxxxxxxxx,2023-03-20 19:39:00,1679335679,xxxxxxxx
63644798,xxxxxx,xxxxxx,0,72.x.x.x,"Your being Tracked I was told your you went to eat, and you r by sams  ",+1xxxxxxxxxx,2023-03-20 19:39:00,1679335858,xxxxx
```
<small>*(redacted by me)*</small>
- i never even really thought about how easy account takeover is with stalkerware installed on your victims phone, you can just request 2fa codes and use them, huh (this seems obvious now)
additionally available in the database are: geolocation logs, ip addresses for each log entry, ip addresses for the operators, phone model, android version, operator payment logs. this data also shows us that there is around 10000 phones registered to be surveilled via this software, though a large part of them seem to have never sent any activity updates.
what i also found in the database is global configuration for the site, which reveals that letmespy is run by [Rafał Lidwin](https://pl.linkedin.com/in/lidwin) ([lidwin@lidwin.pl](mailto:lidwin@lidwin.pl)), which tracks since (according to his linkedin) he's the CTO of [RADEAL](https://www.radeal.pl/), the company that according to the footer runs LMS, he's the first user to have signed up and lidwin appears all over the place.
```sql
--
-- Dumping data for table `glob__settings`
--
INSERT INTO `glob__settings` (`id_setting`, `name`, `value`, `description`, `code`, `time_updated`, `time_add`) VALUES
(1, 'default_name', 'Let Me Spy', NULL, 1, '2013-02-06 17:28:00', '0000-00-00 00:00:00'),
(2, 'default_www', 'letmespy.com', NULL, 1, '2013-02-06 17:28:00', '0000-00-00 00:00:00'),
(3, 'default_mail', 'support@letmespy.com', NULL, 1, '2013-02-06 17:28:00', '0000-00-00 00:00:00'),
(9, 'mail_title', 'Let Me Spy', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(10, 'mail_default', 'support@letmespy.com', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(11, 'mail_reply', 'support@letmespy.com', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(12, 'mail_mailer', 'smtp', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(13, 'mail_host', 'lidwin.pl', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(14, 'mail_port', '25', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(15, 'mail_helo', 'lidwin.pl', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(16, 'mail_smtpauth', 'true', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(17, 'mail_username', 'support@letmespy.com', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(18, 'mail_password', 'xxxxxxxxxx', NULL, 2, '2013-01-11 13:52:00', '0000-00-00 00:00:00'),
(53, 'company_name', 'Rafał Lidwin LIDWIN.PL', NULL, 3, '2013-08-29 09:36:00', '2013-05-24 14:17:00'),
(54, 'company_nip', '675-117-35-37', NULL, 3, '2013-08-29 09:36:00', '2013-05-24 14:17:00'),
(55, 'company_adress', 'ul. Reduta 11A/55', NULL, 3, '2013-08-29 09:36:00', '2013-05-24 14:17:00'),
(56, 'company_zip', '31-421', NULL, 3, '2013-08-29 09:36:00', '2013-05-24 14:17:00'),
(57, 'company_city', 'Kraków', NULL, 3, '2013-08-29 09:36:00', '2013-05-24 14:17:00'),
(58, 'company_bank_name', 'BreBank mBank', NULL, 3, '2013-08-29 09:36:00', '2013-05-24 14:17:00'),
(59, 'company_bank_account', '52 1140 2004 0000 3102 3016 6119', NULL, 3, '2013-08-29 09:36:00', '2013-05-24 14:17:00'),
(60, 'KURS_DATA', '2023-06-19', NULL, 4, '2023-06-20 10:20:00', '2015-01-14 23:29:00'),
(61, 'KURS_USD', '4,0680', NULL, 4, '2023-06-20 10:20:00', '2015-01-14 23:50:00'),
(62, 'KURS_EUR', '4,4457', NULL, 4, '2023-06-20 10:20:00', '2015-01-14 23:50:00');
-- --------------------------------------------------------
```
<small>*(email password redacted by me)*</small>
## what are the ethics of stalkerware leaks like this
it is of course not nice that data collected by spyware without the victims consent is just publicized like this, there is still some nuance to this. there is barely any chance targets of stalkerware will ever be informed of breaches unless data about them leaks and third parties are able to do so. in this specific case it's not even *possible* for LMS to inform targets, since the app has no functionality to talk to targets/notify them as well as no self update mechanism. at best the company can inform operators of this breach and even that is doubtful. what's going to be interesting in this specific case is where the gdpr liability lies, is it on LMS or on the operators to inform victims, if we're lucky this could already be enough to bring them down.
furthermore as with any datasets of highly personal data, they're highly valuable to various investigative journalism. yes, this is data that ideally would not exist, but it existing means it can be analyzed in interesting ways. datasets of lots of received text messages and calls could reveal political influence campaigns and politicians attempts of buying votes, if high level persons have been spied on it could even reveal corruption, etc. i am of the opinion that most datasets can be used for good in the right hands even if they shouldn't exist at all. also the main thing these datasets will always also contain is information on the operators, on the people who use software such as this for spying on their partners, kids, employees, etc.
this obviously does not mean that there isn't also a massive potential for abuse of data such as this, which is why i will not be linking to any source of it. it's a hard topic to cover and i hope i can do it justice enough in this series, and hopefully dive more in depth on how these companies operate and not just in the data they collect, or this is gonna end up being very monotone.
## final notes
i have reached out to letmespy and rafał lidwin for comment for this post, but have not heard back so far, this story will be updated if i get a statement. furthermore i am still open for tips and leads regarding other stalkerware/watchware software vulnerabilities and leaks or insider infos, as well as requests for comments from journalists, [feel free to contact me](/contact/).
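Review bot: the `glob__settings` dump redacts `mail_password` but leaves the `company_adress` / `company_zip` / `company_city` rows and the full `company_bank_account` number in the clear; redact the account number and the flat number at least, to match the treatment of the password, since the NIP is a public-register identifier anyway while an account number adds nothing to the analysis. Two markdown problems in the same hunk: the `> the intro to this series can be found [here](/fuckstalkerware-0/)` line is directly followed by the `a few days ago, ...` paragraph with no blank line, so CommonMark lazy continuation folds the entire opening paragraph into the blockquote; and the ```csv fence after the `- there is at least two instances ...` bullet sits at column 0, which terminates the list before the `- i never even really thought ...` item. Add a blank line after the quote and indent the fence (or move the sample out of the list). Minor wording while you are there: `concering` -> `concerning`, `there is obviously logs` -> `there are obviously logs`, `there is at least two instances` -> `there are at least two instances`, `victims phone` -> `victim's phone`, `politicians attempts` -> `politicians' attempts`, and the first sentence of the ethics section needs its leading `while` (`while it is of course not nice that ..., there is still some nuance to this`).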

View File

@ -0,0 +1,572 @@
1234gmail.com
123material.com
126.com
163.com
24rumen.com
824gmail.com
abtec-egypt.com
abv.bg
actrix.co.nz
adres.pl
agrolivana.com
aim.com
airsoftcqb.com
aisure.co.za
akoption.com
aksitservices.co.in
alcorn.edu
alice.de
aljene.dk
allbladez.com
allhoursplumbingslc.com
alsystem.pl
amorki.pl
anlubi.com
aol.cim
aol.com
aosod.com
apps.homewood.k12.al.us
apps.Lcdoe.org
appxapi.com
aramex.com
architectdeboeck.be
aregods.com
armstrong-tech.com
armyspy.com
arxxwalls.com
asdooeemail.com
asmgroup.pl
asoflex.com
atlas.sk
att.net
autograf.pl
avc.edu
azet.sk
azrailangel.com
barid.com
bbox.fr
bigpond.com
bisongl.com
bk.ru
bogracz.pl
bol.com.br
botsoko.com
bresnan.net
brooklynprephs.org
broussardpolice.com
btinternet.com
buziaczek.pl
byom.de
camvers.pl
capitalcow.in
carezam.org
cdnqa.com
cebaike.com
cellc.blackberry.com
centrum.cz
centrum.sk
centurylink.net
centurytel.net
ceoshub.com
chotunai.com
christopherdock.org
chsvb.org
cincinnatips.org
citromail.hu
clarke.k12.va.us
cloud-mail.top
cmail.com
cmeinbox.com
cnxcoin.com
collinsongroup.com
comcast.net
consultant.com
cosaxu.com
cougarmail.collin.edu
cox.net
cream.pink
crtsec.com
cs.com
CURRITUCK.K12.NC.US
cytryna.pl
dada.org
deloitte.com
dewareff.com
digdig.org
diratu.com
dishcatfish.com
divismail.ru
dr.com
dropjar.com
duck.com
dyzmond.com.pl
E-mail.com
earthlink.net
ebs-paris.com
ecu.edu
ed.amdsb.ca
edinel.com
edlundco.com
eheec.ac.ma
Email.com
email.cpcc.edu
email.cz
email.davenport.edu
email.phoenix.edu
emailkom.live
embarqmail.com
emiovdp.be
emlhub.com
entheos15.33mail.com
episcopalacademy.org
erc.gov.jo
esprit.tn
euro-print.hr
eurokool.com
excite.com
facebook.com
fandua.com
free.fr
frre.com
fsouda.com
fuwa.li
fuwari.be
g.horrycountyschools.net
g.pl
gail.co.in
gaim.com
gamail.com
gamil.com
gapps.sanford.org
gazeta.pl
gemail.com
getnada.com
gettempmail.com
gimal.com
gitmail.ovh
gmai.com
gmail.cm
gmail.com
gmail.com.com
gmail.comdma
gmail.con
gmail.fr
gmail.om
gmailgmail.com
gmaill.com
gmal.com
GMAOL.COM
gmeil.com
gmial.com
gmil.com
gmqil.com
gmwil.com
gmx.at
gmx.com
gmx.de
gmx.fr
gmx.us
gnail.com
go2.pl
godmail.dk
googlemail.com
gou99.modernsailorclothes.com
greenvilleschools.us
grenvik.com
grr.la
gufum.com
haizail.com
hamline.edu
haqed.com
harbtrading.ro
hawaii.edu
hct.ac.ae
hct.ae.ac
hellospy.com
hhcpa.com
hi2.in
hiwpt.edu.sa
hot.pl
hotma.com
hotmai.fr
hotmail.be
hotmail.ca
hotmail.ch
hotmail.cim
hotmail.co.il
hotmail.co.nz
hotmail.co.uk
hotmail.co.za
hotmail.com
hotmail.de
hotmail.es
hotmail.fr
hotmail.it
hotmail.nl
hotmil.com
hpc.co.za
hss.edu
http200.net
humboldtunified.com
hutchdocs.com
huvacliq.com
icloud.com
iclud.com
icoud.com
idea.adityabirla.com
ig.com.br
igmail.com
iiserb.ac.in
immi-visa.com
inbox.lv
inbox.ru
indoxex.com
inoksan.com.tr
integratedliving.org.au
interia.eu
interia.pl
interstone.pl
ippals.com
isd482.org
isiam.ma
isu.edu
itsaustintaylor.com
iucake.com
iunicus.com
jacobscalling.com
jmail.com
jmcz.net
job-giant.com
jobsfeel.com
johor.gov.my
joyandsanenterprises.co.ke
jpms.pl
juno.com
kaimdr.com
kent.edu
keravision.co.za
keyido.com
kimo.com
kittymail.com
kkmail.be
laestrella.cc
laluxy.com
lance7.com
landworks.com
lankew.com
laposte.net
laste.ml
lausd.net
learn.cssd.ab.ca
leeching.net
letmespy.com
libero.it
libertyhotelslara.com
lidely.com
lidwin.pl
lilium-ds.com
list.ru
live.ca
live.co.uk
live.com
live.com.au
live.de
live.dk
live.fr
live.in
live.it
live.nl
live.no
livingoal.net
livjenkins.co.uk
localmatterz.com
logo-studio.pl
logodez.com
ltm.ma
lubawa.com
luxeic.com
lyft.live
maazios.com
macr2.com
mail.bg
mail.com
mail.ru
mail.usf.edu
mailinator.com
mailna.biz
mailnesia.com
maricopa.edu
mc-students.org
me.com
mein.gmx
mel-min.k12.wi.us
midlothianhealthcare.com
migonom.com
mirai.re
moakt.com
mobileemail.vodafonesa.co.za
moemer.com
mohmal.com
mohmal.in
mohmal.tech
moimoi.re
mot.gov.my
mozmail.com
msd1.org
msn.com
mtec.ac.in
mtn.blackberry.com
my.com
my.lowercolumbia.edu
my.stlcc.edu
my.tccd.edu
my10minutemail.com
mydit.ie
mylife.unisa.ac.za
myself.com
myway.com
myyahoo.com
naver.com
netmadeira.com
netronic.co.uk
netscape.net
netzero.com
netzero.net
nibbanksc.com
nightorb.com
nlcg.com
nokiamail.com
nomadaquatic.com
ntlworld.com
null.net
o2.pl
oddluzamy.nieruchomosci.pl
ohdmenh.com
ok.de
onet.eu
onet.pl
op.pl
opoczta.pl
optonline.net
orange.fr
orange.pl
orgria.com
otodir.com
outlock.com
outlook.be
outlook.co.nz
outlook.com
outlook.com.au
outlook.de
outlook.es
outlook.fr
outlook.it
outlook.sa
outlookl.com
outlouk.com
partyka.nazwa.pl
passwordsmeasurement3.com
pavilionx2.com
peoplepc.com
petalmail.com
pimmel.top
pitt.edu
pm.me
pma.ph
poczta.fm
poczta.onet.pl
poczta.pl
post.cz
probdd.com
proexbol.com
programmer.net
proton.me
protonmail.ch
protonmail.com
psdr3.k12.co.us
psu.edu
pubpng.com
q.com
qip.ru
qmail.com
qq.com
qqhow.com
quickdealherbal.com
qwert.com
radeal.pl
rambler.ru
randrai.com
ratedane.com
rdcrs.ca
reborn.com
rediffmail.com
redingtongulf.com
rentokil-initial.com
restoration1.com
richland2.org
riseup.net
rocketmail.com
rocketship.com
rogucki.pl
roweandclark.org
RTN.ORG
rtotlmail.com
rtotlmail.net
rury.katowice.pl
rzbmroz.pl
s2services.com
safe-mail.net
sapo.pt
sappbros.net
sayson.us
sbcglobal.net
scdsb.on.ca
sd1525.org
sendnow.win
service-it.dz
seznam.cz
sfr.fr
sgischool.in
shardamotor.com
sharklasers.com
sina.com
singledigit.net
sky.com
smartpoland.pl
snhu.edu
sofiafontaine.com
somana.ma
sop2.com
sopulit.com
spam4.me
spoko.pl
spy.com
starmelb.catholic.edu.au
stewartlawfirm.com
stlpcs.org
stu.boone.kyschools.us
student.ccs.k12.nc.us
student.escc.edu
student.kws.nsw.edu.au
student.oregoncs.org
student.purdueglobal.edu
student.skiatookschools.org
students.alvinisd.net
students.clark.edu
students.dacc.edu
students.ecps.us
students.ecsu.edu
students.ku.ac.ke
suffolk.edu
sunpass.fr
superblohey.com
svce.edu.in
swissmail.com
t-online.de
t-online.hu
t.pl
tadipexs.com
tajwork.com
talktalk.net
tanieocac.pl
tanmeyah.com
taylormidwest.com
teamworktr.com
tedace.com
teknowa.com
tele2.nl
telegmail.com
teleworm.us
thrma.com
tiffin.edu
tiscali.it
tlen.pl
tmmbt.net
tmomail.com
toerkmail.com
tqosi.com
trbvm.com
trbvn.com
tuks.co.za
turuma.com
tuta.io
tutanota.com
twain239.org
ualr.edu
uascs.org
uk.pl
unicsite.com
unitechta.edu
upng.ac.pg
usa.com
usharer.com
usmba.ac.ma
utectulancingo.edu.mx
vaband.com
villaexperience.com
vip.onet.pl
vip.qq.com
virginmedia.com
vivaldi.net
voila.fr
volny.cz
vp.pl
vu.edu.pk
vusra.com
vzwpix.com
w.cn
walla.co.il
walla.com
wayne.edu
Wcontractors.com
web.de
wentstravel.com
wigstonstudents.org
willwesleynfl.com
windermere.com
windowslive.com
wir.pl
wiroute.com
wp.eu
wp.pl
wp.pl-locked
wwgoc.com
xcoxc.com
xegge.com
xs4all.nl
yahoo.ca
yahoo.cm
yahoo.co.id
yahoo.co.in
yahoo.co.nz
yahoo.co.uk
yahoo.com
yahoo.com.ar
yahoo.com.au
yahoo.com.br
yahoo.com.my
yahoo.com.ph
yahoo.com.uk
yahoo.con
yahoo.coom
yahoo.de
yahoo.es
yahoo.fr
yahoo.ie
yahoo.in
yahoo.it
yahoo.pl
yahoo.se
yandex.com
yandex.ru
yastle.com
yen.com.gh
ymail.com
yopmail.com
yopmail.org
zm.jsi.com
znajomi.pl
zoho.com
zohomail.com
zoznam.sk
zsp2zyrardow.pl
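Review bot: the domain list is not case-normalized (`apps.Lcdoe.org`, `CURRITUCK.K12.NC.US`, `GMAOL.COM`, `RTN.ORG`, `Wcontractors.com`, `E-mail.com` next to `Email.com`) even though DNS names are case-insensitive; lowercase every entry before sorting and deduplicating, otherwise one domain can appear twice and any "number of distinct domains" figure derived from this file is off. `wp.pl-locked` is not a valid hostname and reads like a marker the application appended to a locked account rather than a real domain, so drop it or annotate it. One observation worth a sentence in the post: the many misspelled providers (`gmai.com`, `gmail.con`, `gmail.om`, `hotmil.com`, `yahoo.coom`) can only sit in the users table if sign-up never verified the address, which is itself a data point about how the service was run.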

Binary file not shown (image, 286 KiB).