gps track deez nuts
|
@ -0,0 +1,179 @@
|
|||
---
|
||||
title: stardom dreams, stalking devices and the secret conglomerate selling both
|
||||
date: 2024-08-15
|
||||
description: '"this is all so stupid," maia keeps repeating'
|
||||
feature_image: /img/posts/gps-track-deez-nuts/cover.jpg
|
||||
feature_caption: feature art by [fourleafisland](https://fourleafisland.carrd.co/)
|
||||
feature_alt: an illustrated scene in space that parodies the "always has been" meme format. on the left is an earth-like planet listing companies mentioned in this article. maia in an astronaut suit says "wait, it's all ami shafrir?" an older man with puppy features, also in an astronaut suit, points a gun at it and says "always has been." the gun has a "click" sound above it.
|
||||
coauthor:
|
||||
name: ryan fae
|
||||
link: https://twitter.com/RhinozzCode
|
||||
tags:
|
||||
- shady
|
||||
- business
|
||||
- investigation
|
||||
- stalkerware
|
||||
- security
|
||||
- analysis
|
||||
- sqli
|
||||
- leak
|
||||
- exploit
|
||||
content_warnings:
|
||||
- abuse/controlling behavior
|
||||
- murder/homicide
|
||||
- stalking
|
||||
---
|
||||
|
||||
people frequently [reach out to me](/contact) with companies to look into. usually it takes me about 10 minutes before {% footnoteref "prounounce", "use of the pronoun \"i\" throughout this article exclusively refers to maia, while \"we\" refers to both ryan and maia" %}i{% endfootnoteref %} move on for one reason or another—it's not interesting for a story or has good security, for example. i didnt expect anything different when {% footnoteref "ty-ashton", "thanks a lot to <a href=\"https://aiston.scungled.gay/\">ashton</a> for kickstarting this whole incredible journey" %}an acquaintance{% endfootnoteref %} told me about Tracki, a self-proclaimed "world leader in GPS tracking" that they suspected could be used nefariously.
|
||||
|
||||
at first glance, Tracki appeared to be a serious company, maybe even one that cared about security. we could never have guessed what was about to unfold before us.
|
||||
|
||||
half a year into our investigation, we'd found it all: a hidden conglomerate posing as five independent companies, masked from governments and customers alike through the use of dozens of false identities, US letterbox companies, and an undeclared owner. a 90s phone sex scheme that, through targeting by one of hollywood's most notorious [fixers](https://en.wikipedia.org/wiki/Fixer_(person)), spiraled into a collection of almost a hundred domains advertising everything from online dating to sore throat remedies. a slew of device-assisted murder cases, on top of potential data breaches affecting almost 12 million users, ranging from federal government officials to literal infants. and most importantly, a little-known Snoop Dogg song. how in the *world* did we get here?
|
||||
|
||||
## starting our descent
|
||||
|
||||
Tracki's website is littered with stock illustrations of gps pins and reviews praising it for its reliability and customer service. they tout their popularity on sites like amazon, comparing their seemingly superior specs and prices to those of similar gps trackers. but a bit of googling will have you run into blog posts on their site discussing [stalkerware](/tagged/fuckstalkerware) (as well as [how to get rid of it](https://archive.is/BjpMx)) and explicitly marketing Tracki as a device for [spying on a spouse or other family member](https://archive.is/1ZpcA), even providing [detailed instructions for attaching it to their car](https://archive.is/47oeF). and with further prodding, it's also quite easy to [make the connection](https://archive.is/8IdyM) from Tracki to its parent company, Trackimo (registered in israel as [`VESTIGO TECHNOLOGIES LTD`](https://opencorporates.com/companies/il/514985985)), with Tracki being their more consumer-focused brand and Trackimo, who does the actual product development, focusing on business applications. having sent a local contact to check, we are able to confirm that Vestigo has an office space located in central tel aviv, housing most of their in-house R&D, management and software development employees.
|
||||
|
||||
{% figure { src: '/img/posts/gps-track-deez-nuts/vestigo-parking.jpg', alt: 'a photo from inside a parking space facing out toward a street. the parking spot is labelled with a messily hung piece of paper with "Vestigo" printed on it in calibri font. in the background there is a cat sitting under a car', caption: 'Vestigo\'s luxurious parking lot at their tel aviv office. the cat pictured may not be our local contact but is definitely running some important anarchist operations' } %}
|
||||
|
||||
Trackimo also has some pretty big business partners, with [Vodafone Business](https://en.wikipedia.org/wiki/Vodafone) selling a whitelabelled version of Trackimo's devices and app, [Leica Geosystems](https://en.wikipedia.org/wiki/Leica_Geosystems) providing a gps tracking and remote control technology co-developed by Trackimo, and many other big telecommunications companies officially reselling their devices. additionally, in collaboration with [Beta](https://archive.is/x1btJ) (an israeli VC incubator formed by [Paramount](https://en.wikipedia.org/wiki/Paramount_Global)), they co-own a subsidiary called *watchinU* that offers a Nickelodeon-branded smart watch for kids, the "NickWatch". while currently only available in the UK and israel, it features gps tracking for parental monitoring, two-way chats and calls with parents or other contacts, a photo-taking and editing app, preloaded music, various games, a step counter, and some other applications encouraging physical activity. given the steep cost of the device at almost $180 USD, not including the monthly data plan required to use it, we decided against getting one for testing (even though i really want to play around with it).
|
||||
|
||||
Tracki devices, however, are relatively cheap, usually costing {% footnoteref "money-swag-gaming", "all expenses for this article (totalling about $200 USD) were paid out of pocket, <a href=\"https://ko-fi.com/nyancrimew\">donations</a> to cover them and allow for future reporting like this are greatly appreciated" %}around $60 USD{% endfootnoteref %} but sometimes dropping down to as low as around $10 USD, which i was far more willing to spend. the package was dispatched from a warehousing company in [new jersey](https://en.wikipedia.org/wiki/Hell) and UPS (surprisingly enough) delivered it within a week.
|
||||
|
||||
{% figure { src: '/img/posts/gps-track-deez-nuts/box-contents.png', alt: 'a photo of the tracki device on a table with all other shipment contents spread out around it. those include the black and green box itself, a charging cable, a tiny screwdriver and some screws, setup instructions, two small cards with additional instructions, support phone numbers, and multiple attachments and covers for the device.', caption: 'the device, which is rather small, comes with back cover attachments for use with various objects: a magnet for vehicles, crates, etc., a clip for attachment to a belt or clothing, a silicone cover for fall and splash protection, and a basic lanyard.' } %}
|
||||
|
||||
setting the device up was fairly easy. the mobile app lets you scan a QR code inside the battery compartment to pair the device with your account. upon connecting the device, the app prompts you to subscribe, with the cheapest option costing $20 USD per month. besides their mobile app, Tracki also provides a web interface with all the same features. both interfaces prominently feature a map showing where all your trackers are located, differentiating between the more accurate gps location and less accurate approximate location based on cellular tower and wifi information. they also provide access to the more advanced features of the trackers, such as [geofencing](https://en.wikipedia.org/wiki/Geo-fence) alerts, setting up the SOS button, movement alerts, and a crucial feature for stalking use: disabling all noises the device makes, like low-battery beeps, with a single settings toggle.
|
||||
|
||||
## information security is, as always, lacking
|
||||
|
||||
while i was playing around with the web interface, the [.git exposure-checking browser extension](https://github.com/davtur19/DotGit) i use alerted me that, as is cliché in these articles, Tracki was leaking the git repository for their interface. a cursory look through didn't reveal anything particularly interesting, but it gave me confidence that there were probably similarly egregious security holes elsewhere, so to get a basic idea of the attack surface i [grabbed a list of subdomains](https://subdomainfinder.c99.nl) and started going through them.
|
||||
|
||||
most of the subdomains were customer-facing sites or simply returned error messages, with the occasional internal tools in between. one of those tools particularly caught my attention: on the surface, the completely blue login page simply entitled "TRM" may seem boring, but a look at it using dev tools reveals a complex client-side rendered [react](https://en.wikipedia.org/wiki/React_(JavaScript_library)) frontend. and after a second or so of load time, the debugger tab in dev tools showed me the full original source code and directory structure. and... oh my god, they're shipping with [source maps](https://web.dev/articles/source-maps)! using [sourcemapper](https://github.com/denandz/sourcemapper) i downloaded a local copy as well, to make working with it a lot easier.
|
||||
|
||||
after some quick searches, i identified various hardcoded usernames and passwords used to load data from a number of administration and support tools, including their inventory management software, support chat tool, [zammad](https://zammad.com) helpdesk, and console for their sim card and mobile network provider. yet another set of admin credentials for that helpdesk were also found hardcoded in their mobile app (inside the built in bug report/support request feature), an issue which—alongside others—had already been [reported to Tracki all the way back in 2021](https://archive.is/Q5OKz) but was never completely fixed.
|
||||
|
||||
from the list of subdomains i also found another interesting support tool, the "Trackimo Troubleshooter". based on the frontend source code and some educated guesses, i assumed that this tool would be used for remote debugging of all Tracki and Trackimo devices, showing technical support agents practically all the data from any given device by just entering a device id.
|
||||
|
||||
the tool itself seemed fairly solid, with no blatant vulnerabilities, but since it's a simple internal support tool, it doesn't have a user account system. instead, authentication works by logging in with a single shared password, and all it took for me to find said password was digging up an email in the helpdesk introducing the tool's features to various Tracki and Trackimo employees and informing them of the password. given that the tool requires no input besides a device id (which all follow a standardized format), it would most likely be possible for someone to grab all sensitive device and subscriber information for most (or all) devices. lmao
|
||||
|
||||
{% figure { src: "/img/posts/gps-track-deez-nuts/troubleshooter.jpg", alt: "a screenshot of Trackimo Troubleshooter showing various info about our test device and its subscription", caption: "Trackimo Troubleshooter showing information about our test device (note: screenshot has been edited to remove sections that were empty for our device)" } %}
|
||||
|
||||
## a city in the philippines
|
||||
|
||||
the helpdesk is also interesting for the amount of company information it reveals. most employee names seem american, and Tracki *is* [legally registered in delaware](https://opencorporates.com/companies/us_de/7273307), but internal email addresses instead {% footnoteref "call-back-question-mark", "emails are registered via microsoft, who leaks country data (selected when emails are created) via their api" %}call back to the philippines.{% endfootnoteref %} connected linkedin profiles show the company is indeed based in the central filipino city of cebu.
|
||||
|
||||
described in a bloomberg column as "[the most typical place in the world](https://archive.is/uARh4)", cebu has the quintessential characteristics of any city the US would build [a military base](https://en.wikipedia.org/wiki/Mactan%E2%80%93Benito_Ebuen_Air_Base) next to: a bustling tech sector, rich suburban and urban regions, and a high density of low-cost labor. one of the most impressive subdivisions is cebu's IT park, a grid of palm tree-lined highways and roundabouts that connect an array of highrises and their surrounding buildings.
|
||||
|
||||
{% figure { src: '/img/posts/gps-track-deez-nuts/skyrise-4.jpg', alt: 'a photo from the tree-lined cebu IT park', caption: 'the central IT park is centered around intersections like this one, which faces skyrise 4 (source: [google street view](https://maps.app.goo.gl/kq5JGEzFjpAjtmri7))' } %}
|
||||
|
||||
on the 17th floor of skyrise 4, you can find the offices Tracki operates from. upon a local contact going there, however, we actually found a shared office space rented in part by UniversalTech (or 'UTech'), a filipino outsourcing company with no legal nor public affiliation with Tracki.
|
||||
|
||||
internally, however, Tracki acts purely as a dummy corporation, helping hide UTech and its employees from the public eye. Tracki CEO Mikhael Cook, along with other executives, holds the same role in UTech, and payrolls are disbursed through UTech instead of Tracki; in fact, Tracki legally has zero salaried employees. product owner Andrew McMennamy spearheads the front, with the support lead—{% footnoteref "pseudonym", "this name is a pseudonym, which helpdesk employees use in both public and internal communications; their real names, while known to the authors, are not published here for privacy" %}Tom Dillon,{% endfootnoteref %} at the time of our initial research, though he no longer works for the company—acting as a *de facto* legal department despite their lack of formal legal experience.
|
||||
|
||||
> We technically have an address [in New York] for legal and/or tax reasons, but as far as I know there's no Tracki personnel anywhere inside the USA. <span>Tom Dillon, responding to a police inquiry</span>
|
||||
|
||||
and the support lead's role is quite important: Tracki is provably very popular among stalkers. support receives multiple subpoenas per week from local and federal law enforcement worldwide, {% footnoteref "ongoing", "many of the cases are ongoing, and their specifics are not mentioned here to protect victims, both in current and past proceedings" %}frequently for stalking or harassment but also occasionally for other charges, including domestic violence, attempted murder, and murder,{% endfootnoteref %} all of which involve the {% footnoteref "familiar-victims", "as is common with these types of crimes, the victims tend to be an (ex) partner or family member of the perpetrator" %}victim{% endfootnoteref %} being tracked down using a Tracki device. the company is not only aware of these uses, but has even actively assisted customers in nonconsensual tracking of individuals via their helpdesk.
|
||||
|
||||
in one case (not involving assistance from Tracki personnel), a perpetrator attached a Tracki device to the car of an ex-partner in order to discover her new residence, where she lived with a new partner; the perpetrator then fatally stabbed the new partner more than 80 times. in another case, a Trackimo device was used for drug trafficking in the lead-up to a violent triple-murder, including the execution-style shooting of a 6-year-old. at least two other cases also carry a murder charge, but their investigations remain in progress.
|
||||
|
||||
of course, there are other uses. both [ICE](https://en.wikipedia.org/wiki/U.S._Immigration_and_Customs_Enforcement) and [CBP](https://en.wikipedia.org/wiki/U.S._Customs_and_Border_Protection) frequently find {% footnoteref "theft-prev", "trackers like this are commonly used for theft prevention, both by owners and rental services. PSA: don't put trackers on your cars (or yourself, for that matter)—police can track you if they want to!" %}gps trackers on vehicles{% endfootnoteref %} crossing the united states border, leading to the agencies subpoenaing Tracki, presumably to trace potentially illegal cross-border movements. on the other hand, adjacent agencies and military programs in the united states, on top of other governments around the world, also use Tracki devices, typically for asset, personnel, and vehicle tracking.
|
||||
|
||||
## at least they're making bank
|
||||
|
||||
elsewhere in the company, things operate with only the occasional hitch. Tracki makes most profits via ecommerce, including sales in regional marketplaces, sometimes managed via UTech accounts. their monthly gross revenue falls at around $1.5 million USD, according to an internal income statement obtained from their helpdesk.
|
||||
|
||||
other bank statements also obtained from their helpdesk show that a significant portion of this revenue is then wired to Trackimo, their aforementioned parent company, and Wintrack (registered in hong kong as [`WENXUN TECHNOLOGY CO, LTD`](https://opencorporates.com/companies/hk/2193837)), a shenzhen-based contractor they work with. the values of these deposits across three months are shown below:
|
||||
|
||||
| | november 2023 | december 2023 | january 2024 |
|
||||
| ----------------- | ------------- | ------------- | ------------ |
|
||||
| trackimo (israel) | $850,000 | $710,000 | $818,000 |
|
||||
| trackimo (US) | $550,000 | | |
|
||||
| wintrack | $250,000 | $495,000 | $430,000 |
|
||||
|
||||
an accountant knowledgeable in US finance tells us that these movements indicate that Tracki is simply a "mediary to move cash through", having no stock and poor financial health. the small profit it does make per year isn't enough to bring it out of the red, and not much cash is left in company-owned accounts, holding around $99 thousand USD by the end of the year despite their estimated $19 million USD in revenue.
|
||||
|
||||
a smaller portion of the overall funds is also wired to two individuals: the aforementioned Andrew McMennamy and israeli-american businessman Amiram "Ami" Shafrir. over three months, the accounts paid differ:
|
||||
|
||||
| | november 2023 | december 2023 | january 2024 |
|
||||
| --------- | ------------- | ------------- | ------------ |
|
||||
| mcmennamy | $5,000 | $5,000 | $15,000 |
|
||||
| shafrir | $50,000 | $75,000 | $62,500 |
|
||||
|
||||
these direct payments tend to be unusual for corporations, and not only because they are off payroll and seemingly not a result of contractor work, but also for the amount of money in each payment. other employees at UTech are paid an average of about ₱250,000 ($4,400 USD) per year, a mid-range salary for the filipino support industry. McMennamy, for one, tops that in a single month.
|
||||
|
||||
and Shafrir is even worse, sometimes being paid more in a month than even McMennamy seems to make in a year. but who is he? a keyword search for his name along with "tracki" on google provides no results, nor with "trackimo", nor with "universaltech" or "utech". but a second search on the helpdesk brings up old emails from him, signed:
|
||||
|
||||
![an email from Ami Shafrir. below his name in the signature is the title, "Founder Trackimo"](/img/posts/gps-track-deez-nuts/ami-founder.jpg)
|
||||
|
||||
founder? of *Trackimo*? the other three founders—Shai Bar-Lavi, Amit Shaked and Shlomo Shur—are [extremely public about their roles](https://archive.is/o4rft), and Shafrir's seemingly never been mentioned anywhere. and elsewhere on the internet, he seems like he's had many other large positions: [CTO of IBM](https://www.crunchbase.com/person/ami-shafrir-6a1e) ([archive](/files/posts/gps-track-deez-nuts/Crunchbase.html))? [marketing manager at zone & co](https://www.linkedin.com/in/ami-shafrir-81a566257/) ([archive](/files/posts/gps-track-deez-nuts/AmiShafrir.html))? really, who is this guy?
|
||||
|
||||
## the ami story
|
||||
|
||||
Ami Shafrir has had a, well, *complex* relationship with the business world. in 1992, he founded his first and most successful business, [amtec audiotext](https://opencorporates.com/companies/us_ca/1836869), which—in the words of [*haaretz* editors](https://archive.is/RcJlv)—is "a technical name for a sex-calls operation". in its best year, 1995, Shafrir [claims](https://archive.is/gLA6r) it generated $60 million USD, and it continued to be wildly profitable. his internet company, {% footnoteref "worldsite", "incorporated in 1994; in 1996, the company became <a href=\"https://opencorporates.com/companies/us_ca/1776604\">worldsite networks</a>; and in 1999 it became just <a href=\"https://opencorporates.com/companies/us_ca/1776604\">worldsite</a>" %}worldsite,{% endfootnoteref %} became the center of the rest of his business operations in the tech sphere.
|
||||
|
||||
that was until until 2000. two years prior, Shafrir's wife had filed for divorce and soon after befriended Daniel Nicherie, who claimed he was an investment consultant and lawyer. in reality, however, he was a career fraudster, and as the divorce got ugly in 1999, he used the trust he'd built to defraud the pair out of [at least $40 million USD](https://archive.is/IatoC). by the end of his scheme, Nicherie had taken ownership of Shafrir's companies, hit him with more than 100 lawsuits, hired a notorious private investigator to wiretap him and seized everything from his office to his home.
|
||||
|
||||
> i never went after innocent people. never. <span>{% footnoteref "pelican", "pellicano was one of the 2000s' <a href=\"https://en.wikipedia.org/wiki/Anthony_Pellicano\">most infamous PIs</a> and <i>the</i> hollywood \"fixer\" of the era, responsible for fraudulently digging up dirt on dozens of celebrities. he was sentenced to 15 years in federal prison in 2008" %}Anthony Pellicano,{% endfootnoteref %} the private investigator hired to wiretap Shafrir ([source](https://www.nytimes.com/2023/03/07/NYT-Presents/anthony-pellicano-fixer-hollywood.html))</span>
|
||||
|
||||
following Nicherie's eventual [2004 indictment](/files/posts/gps-track-deez-nuts/2004-04-01.pdf), Shafrir got back on his feet and started pursuing a new venture: online talent auditions. by 2006, he was affiliated with upwards of {% footnoteref "domains-lmao", "this ignores other random domains on some odd side-topics, especially porn, online dating, and, well, sore throat remedies especially odd 'throatsore.com' (<a href=\"https://archive.is/pPeYF\">archive</a>), which advertises a pseudoscientific cure (table salt) to sore throat. it includes some fantastic quotes, such as: \"A sore throat is also often the first stage of a common cold, also known as the Flu.\"" %}75 domains covering auditions for everything from film to modelling to theater.{% endfootnoteref %} the domain that prevailed and remains up today is ExploreTalent.com, with some other domains (like Auditions.com) persisting as sub-brands. Shafrir continues to be its co-owner.
|
||||
|
||||
{% figure { src: "/img/posts/gps-track-deez-nuts/ami-chilling-w-oomf.jpg", alt: "a photo of ami shafrir and jamie foxx standing in front of a grey curtain, they have a hand on each others shoulder", caption: "one of the benefits Shafrir got from running ExploreTalent was regularly getting to hang out with celebs such as Jamie Foxx (image source: Ami Shafrir)" } %}
|
||||
|
||||
so as the 2010s progressed, how did he find his way into the gps tracking business, an industry he'd never touched before? a search for ExploreTalent on the Tracki helpdesk shows that the connection between the two may be more tangible than is obvious: support periodically sent emails from an ExploreTalent domain, and internal management spreadsheets show that UTech support employees had their roles divvied up between the two companies.
|
||||
|
||||
a deeper search further brings up a [linkedin description](https://www.linkedin.com/in/rexmupas/) ([archive](/files/posts/gps-track-deez-nuts/CTO.html)) from ExploreTalent's former CTO, who describes UTech as "an exclusive [IT outsourcing] company to support www.ExploreTalent.com and its satellite online properties". and remember TRM, Tracki's custom-built support tool that contained hardcoded credentials? its source code, in fact, *also* contains numerous references to ExploreTalent's backend, presumably as a stopgap while ExploreTalent didn't have their own support tool.
|
||||
|
||||
this leaves the companies less separate than expected: if Tracki is essentially UTech, but UTech is actually meant to exclusively serve ExploreTalent, then the three must be at the very least *close*. and what's the connection between gps tracking and talent auditions, anyway? what's the big deal with ExploreTalent in the first place?
|
||||
|
||||
## hollywood hates this one simple scam and basically you're stupid
|
||||
|
||||
in their marketing, ExploreTalent promises stardom to aspiring actors, models, and musicians. representatives lure in these individuals with promises that attract both those experienced in the industry and those looking for a start, including landing roles at disney or in other films with well-known stars. the only thing representatives say you have to do is subscribe to their "PRO" membership, costing $290 USD per year. and with all that big talk it makes sense that many think that ExploreTalent is a [talent agency](https://en.wikipedia.org/wiki/Talent_agent) who's about to help them make their big break in hollywood.
|
||||
|
||||
{% figure { src: "/img/posts/gps-track-deez-nuts/snoop-dogg-rap.mp4", type: "video", caption: "this promise is given further credibility by a number of celebrity collaborations they did a decade ago, including this one by probably the most sober snoop dogg that's ever been recorded (video source: [youtube, ExploreTalent](https://www.youtube.com/watch?v=7fzX8X4n99E))" } %}
|
||||
|
||||
in reality, however, ExploreTalent is [nothing more than a talent listing service](https://www.latimes.com/business/la-et-selling-stardom-one-source-talent-explore-talent-firms-20151210-story.html)—instead of having a dedicated agent vying to get you roles in the entertainment industry, it makes people create profiles so casting directors can mass-review users on the site for their unfilled roles, or let the talents audition to posted casting calls. the caveat is that barely any of the "big guys" in hollywood actually use these services, so at best some ExploreTalent users get cast for a number of small independent films while paying obscene amounts of money, hoping for that big break.
|
||||
|
||||
this is no small distinction—the claim has seriously tricked a great number of people. on the united states' better business bureau, ExploreTalent is given the [lowest possible rating by user reviews](https://www.bbb.org/us/nv/las-vegas/profile/talent-listing/explore-talent-1086-75944/complaints). one rather succinct comment reads, "Fake job leads 0% job leads Fake profiles posing as legit people", followed by a censored 12-letter expletive. others report being tricked by campaigns intended to get people to buy their nearly-$300 USD "PRO" membership, which has [elsewhere](https://www.sitejabber.com/reviews/exploretalent.com) been described as a "scam" and "misleading".
|
||||
|
||||
> ExploreTalent.com and your boy Bigg Snoop Dogg! we been hooked up mane, so log on right now {% footnoteref "what-time", "we have no idea what he means by this either, but it definitely is what he says in the video" %}if you wanna see what time it is,{% endfootnoteref %} if you wanna get in contact with somebody \[*jumpcut*\] like myself, Bigg Snoop Dogg <span>Snoop Dogg, on [whether ExploreTalent is a scam](https://www.youtube.com/watch?v=ZYCvbChdbPE) ([archive](/img/posts/gps-track-deez-nuts/SnoopDogg.mp4))</span>
|
||||
|
||||
it is of note, however, that some of those user reviews may also be based on misinformation relating to ExploreTalent. some theories focus on the fact that Ami Shafrir is israel-born and jewish as well as his former role as founder of amtec audiotext, the aforementioned phone sex company. posts promoting the theories make ExploreTalent out to be some sort of large-scale sex trafficking operation, with all the expected anti-jewish vitriol sewn in to boot. others instead focus on the fact that the site used to host talent profiles for significant republican figures like Candace Owens and Lauren Boebert, alleging that the site was somehow directly involved in their rise to the jobs they hold today. but that's doubtful, especially because of the site's clear difficulty with getting its users their wanted roles; the much more reasonable explanation is that the to-be pundits and politicians were, like many others in their field, simply failing actors or models before their move into politics.
|
||||
|
||||
## we have [graphql](https://en.wikipedia.org/wiki/GraphQL) at home
|
||||
|
||||
having already found various smaller vulnerabilities in the ExploreTalent website, i didn't expect much in terms of security from them. i'd already seen the basic format of their backend requests from Tracki's TRM, so simple guessing of common endpoints almost immediately resulted in me finding their complete api documentation :3
|
||||
|
||||
most of the documented endpoints returned very little or no useful info without authentication, but as soon as i signed up for a basic talent account and grabbed my authentication header, a lot of them started working, spewing out the personal information of all 11.4 million registered users on the site. and it appears i wasn't the first one to discover this either: names, emails, passwords, phone numbers and home addresses of around 5.8 million ExploreTalent users were leaked onto a hacking forum all the way back in february 2022, though the breach was not reported on by any news outlets. thanks to the OSINT data platform [intelx](https://intelx.io/) having archived a copy of the data leak, though, we were able to confirm the authenticity of the 2022 data.
|
||||
|
||||
but ExploreTalent's backend is even more vulnerable and ignores even more best practices than the 2022 hacker realized. the api, for example, has [sql injection](https://en.wikipedia.org/wiki/SQL_injection) built in as an internally used feature, allowing a client to add to any database query made by the backend and extract even more data or arbitrarily filter its result. the interface documentation also implies that one of the endpoints i had access to used to return user passwords in plain text, which explains how the hacker was able to obtain this data in 2022. this assumption is further corroborated by an internal ExploreTalent sales training video displaying a support tool, which shows that user passwords weren't just *stored* in plain text—already atrocious security practice—but also actively displayed to ExploreTalent employees.
|
||||
|
||||
{% figure { src: "/img/posts/gps-track-deez-nuts/et-internal-screenshot.jpg", alt: "a screenshot of an internal ExploreTalent backend management tool, showing the subscriber info of a test user and very prominently displaying the users password", caption: "an old screenshot of the internal ExploreTalent support tool, which already openly displays user passwords (image source: ExploreTalent)" } %}
|
||||
|
||||
i used the newfound ability to run arbitrary database queries to search for my test user profile based on my password, which promptly succeeded. so even though the api won't just spit out passwords anymore (no matter how hard i tried to convince it using custom queries), it would still allow a malicious actor to match usernames, emails and all other user data to collections of [popular or dictionary-generated passwords](https://en.wikipedia.org/wiki/Dictionary_attack), resulting in password lists that can be used for [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) on other services.
|
||||
|
||||
the fact that they fixed the plaintext password exposure post-breach (albeit without improving how they were stored internally) indicates that ExploreTalent most likely noticed when they got hacked back in 2022. but even as its existence became known to some users via breach notification services, ExploreTalent still failed to inform their users of the incident, going out of their way to lie about its existence in assuring customers that ["there is no truth to the claim that Explore Talent has exposed your personal information to hackers"](https://www.bbb.org/us/nv/las-vegas/profile/talent-listing/explore-talent-1086-75944/complaints#1086_75944_19904770). they also allege that dark-web breach monitoring services—including the US government-affiliated [MyIDCare](https://archive.is/dqUQ7)—rely on "bait tactics" to sell paid subscriptions, adding that ExploreTalent "take[s] pride in maintaining the utmost security and safeguarding our users' data" by "adher[ing] to stringent security measures and industry best practices to ensure the protection of user information".
|
||||
## and finally, *crypto tiktok*
|
||||
|
||||
pretty early on into the research of this article, we found ourselves looking at other companies connected to higher-ups at the mini-conglomerate we'd found thus far. Mikhael Cook and Andrew McMennamy, two of the most authoritative figures at Tracki, had an odd connection: they were CEO and CMO of another company, *lit.it*, which offers a {% footnoteref "cryyyypto-tiktok", "which is to say that it's a fairly bad clone of tiktok that has been mostly abandoned since 2021 despite promising cryptocurrency payouts for simply using the app" %}cryptocurrency shortform video app.{% endfootnoteref %}
|
||||
|
||||
for some reason, we initially discarded it as another vaguely connected but unimportant venture. even though we found emails in the Tracki helpdesk clearly meant for Ami Shafrir but instead sent to an "Ami" working at lit.it, we assumed they were completely different individuals because the surnames didn't match—this lit.it CEO had the name Ami *Berg* instead of Shafrir. it was only when we decided to revisit this lead way later (primarily because at this point maia had been making constant jokes about "crypto tiktok" on our work calls) that [Berg's linkedin profile](https://www.linkedin.com/in/ami-berg-lit/) ([archive](/files/posts/gps-track-deez-nuts/AmiBerg.html)) started seeming more and more suspect. the bio and past positions seemed oddly similar to Shafrir's, with small details differing between the two; the oddly arrogant and braggy tone in the bio felt eerily familiar, and even the profile picture just... kinda *looks* like Shafrir back in the 90s or early 2000s.
|
||||
|
||||
![a screenshot of Ami Berg's linkedin profile](/img/posts/gps-track-deez-nuts/ami-berg-linkedin.jpg)
|
||||
|
||||
while neither Premier Talent Network nor IOT Solutions exist under those names, those descriptions sure do match ExploreTalent and Trackimo! and things just didn't seem to line up—Berg could be found nowhere on the internet outside of this linkedin page, and his account (the username of which ends in "-lit") was created around the launch of the app. furthermore, upon contacting the UCLA registrar's office, officials confirmed that no student named "Ami(ram) Berg" (nor "Ami(ram) Shafrir", for that matter) ever graduated from the university. the page appeared entirely falsified.
|
||||
|
||||
this all seems like an attempt by Shafrir to {% footnoteref "legal-name-change", "it is unclear whether or not he also legally changed his name to Berg" %}assume an alias{% endfootnoteref %} in order to redeem his public image, a practice he [previously called out](https://web.archive.org/web/20240508213428/http://bigcrime.com/index.html) when his archnemesis Daniel Nicherie did the same. and this isn't even the first time Shafrir has attempted to make it harder to find out about his past: sometime in late 2021 (about a year before the Ami Berg linkedin profile was created), he commissioned someone to spam the internet with as much positive information about him as possible. this campaign included the creation of spammy profiles on every public social media-adjacent website imaginable, paid articles on [spam blogs](https://en.wikipedia.org/wiki/Spamdexing#Spam_blogs), badly put-together slide decks on powerpoint sharing websites, medium blog posts, and youtube videos. the content published includes complete lies about Shafrir's past, partially caused by the spammer mixing him up with [Amit Shafrir](https://www.amitshafrir.com/), a completely unrelated israeli-american tech businessman. a lot of the spam also includes various photos of ami hanging out with celebrities (mostly as a part of his work at ExploreTalent), where we once again see the spammer getting a little bit confused.
|
||||
|
||||
{% figure { src: "/img/posts/gps-track-deez-nuts/ami-shafrir-with-another-man.jpg", alt: "a screenshot of a PowerPoint slide. it features a photo of ami shafrir together with bill clinton but is captioned with the text: ami shafrir with another man / ami shafrir taking picture with a man in suit", caption: "i mean i guess Bill Clinton *is* another man in suit (image source: ['Ami Shafrir Unseen Pictures' by amishafrir22 on anyflip.com](https://anyflip.com/pyhvu/dbsm/basic/))" } %}
|
||||
|
||||
## shafrir's lemonade stand
|
||||
|
||||
"I would not trust Ami Shafrir to run a lemonade stand, let alone a company handling millions of people's sensitive data", [Cooper Quintin](https://www.eff.org/about/staff/cooper-quintin), senior staff technologist at the Electronic Frontier Foundation, told us. the security flaws in both Tracki and ExploreTalent indicate to him that the companies put a "[priority on making as much money as fast as possible](https://en.wikipedia.org/wiki/Capitalism) and do not give one moment of thought to anything that stands in the way of this goal, such as basic security measures."
|
||||
|
||||
all security vulnerabilities mentioned in this article were reported to Tracki and ExploreTalent prior to publishing. Tracki patched most vulnerabilities nearly immediately, and a significant amount of ExploreTalent's infrastructure changed shortly before publishing (thereby patching some others mentioned in this piece before we were able to even report them).
|
||||
|
||||
"We are committed to addressing any of the issues you brought", an email from the Tracki support team wrote. they expressed appreciation for the report, though they discarded implied connections to ExploreTalent as "old code sitting there" from an "old developer" who "kept it there from his prior project."
|
||||
|
||||
we further reached out to dozens of both current and former {% footnoteref "mentioned-in-piece", "all of those mentioned in this piece were contacted" %}employees and executives within the companies for direct comment, but received no response from any.{% endfootnoteref %}
|
||||
|
||||
Quintin made the danger of these security lapses in Tracki and Trackimo's services clear. "This is one of the most horrifying examples of stalking technology I have ever seen", he wrote. "Trackimo should be investigated by the FTC and shut down immediately for their complicity in so many horrendous crimes."
|
After Width: | Height: | Size: 150 KiB |
After Width: | Height: | Size: 76 KiB |
After Width: | Height: | Size: 27 KiB |
After Width: | Height: | Size: 75 KiB |
After Width: | Height: | Size: 44 KiB |
After Width: | Height: | Size: 1.4 MiB |
After Width: | Height: | Size: 320 KiB |
After Width: | Height: | Size: 137 KiB |
After Width: | Height: | Size: 189 KiB |
After Width: | Height: | Size: 149 KiB |
After Width: | Height: | Size: 176 KiB |