> The UK address. 145-157 St John Street, London, EC1V 4PY. According to a BBC report, this is the address used by a company which sells its use as a registered office address. Because there does not seem to be an obligation to check that users of the service are legitimate companies, criminals are attracted to it. According to the BBC, the address is in common use among fake companies operating "boiler room" fake share scams.
They handle all kinds of services for tens of thousands of companies in the UK, from registration, to registered address and mail forwarding.
I know this because I used them for my startup to handle the registered address. This is because official mail has to go somewhere and the address is a matter of public record. We were in a co-working space at the time and knew that we would move on when the time came; it's an annoyance to go around updating the registered address, and unprofessional to have a co-working space as one.
That Companies Made Simple is used by bad actors isn't going to be a surprise; bad actors use nearly all service providers.
They are the largest provider of registered address services in the UK; it's not a surprise that the address is in "common use". That ignores the fact that the number of legitimate businesses that use the address vastly outnumbers the illegitimate.
I dislike Companies Made Simple, having used them (they nearly shredded our investors' SEIS certs because they didn't regard them as "official government communication"), but it's probably defamation to imply that companies using the address are not legitimate just because some small sample of them are not.
To be fair, they never implied that a sizable portion of businesses using that address are illegitimate (though some people will read it that way). If I say "Twitter is in common use among ISIS members" that doesn't mean that most Twitter users are ISIS members.
But even the source is incorrect. For registered address services you do have to verify company details.
It is only for generic mail forwarding services that you do not have to verify company details.
The difference being that the former is required to help disambiguate mail address to company officials from official government offices, and to ensure successful routing of mail to the correct person (failure to deliver mail from HMRC can result in substantial fines which would be a liability for Companies Made Simple).
The latter is no different from any mail box or mail forwarding service.
It seems that the anti-fraud organisation cited hasn't actually used the service and is unaware of the difference in proof required by them.
It's a trivially small fee and can be done online with Companies House in a very short amount of time and they will auto-notify HMRC in the same go.
For mail forwarding and registered office address... I honestly now think you should only consider one of three options:
1) Your work address if it is a sole-use mailbox and you know you will be there for more than a year.
2) Your accountant's address (with their consent).
3) Your home address.
I would not now use a third party for the registered address, the risks are too high. There is no junk or spam mail sent to this address, it really is just actionable and important government communication from Companies House, HMRC, etc.
I'd be hesitant to use a home address as it goes on public record. If you rent then it can be against the terms of the tenancy contract to register a business at the address. Also you might move and someone else could get your post and potentially do bad things. Are these reasonable concerns?
If you're in short-term rental accommodation (1 year or less) or if you share a mailbox... then yes, these are concerns.
If you fail to respond to HMRC mail, you can be fined. i.e. missing reminders about a tax return, or PAYE info.
Both Companies House and HMRC will send authorisation codes to the registered address, and you can use these to change shareholdings, dissolve a company, make declarations that are untrue, etc.
You definitely need to trust the registered address a lot, and that trust needs to be stable.
I was planning to open a Barclays bank account anyway, so the minimal processing fee (£30) was basically null when Barclays gave me £40 to open their account. I was referred to them by a well-known city-based accounting firm.
> After the first shock of seeing iCloud passwords stored in clear text (how hard would it be to encrypt them?)
Not going to defend shady businesses, but I dislike this knee-jerk reaction without understanding the actual issue. I've seen software that encrypts (encrypts, not hashes) passwords for security™, but stores the secret in the database, too. Sure, technically they didn't store plaintext passwords, but practically they did.
What you could do to defend the passwords:
* hash them - doesn't work in this case, because it's not an authentication system
* symmetrically encrypt them - useless, the secret would be stored on the compromised server
* asymmetrically encrypt them - works, assuming the private key isn't stored on the server. Therefore, it's not possible to decrypt the passwords from within the application again
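The symmetric and asymmetric options in the comment above, side by side, as an added example that is not part of the original comment. The function names, the choice of AES-256-GCM and RSA-OAEP, and the sample credential are assumptions made for this illustration (Node.js, built-in `crypto` only).

```javascript
const crypto = require('crypto');

const SAMPLE_SECRET = 'constructed-sample-password'; // constructed test value
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Symmetric option: the server needs the key to encrypt, so a copy of its
// state contains the key next to every ciphertext.
function symmetricServer() {
  const state = { key: crypto.randomBytes(32), rows: [] };
  const store = (secret) => {
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-256-gcm', state.key, iv);
    const ct = Buffer.concat([c.update(secret, 'utf8'), c.final()]);
    state.rows.push({ iv, ct, tag: c.getAuthTag() });
  };
  return { state, store };
}

// Asymmetric option: the server holds only the public key (write-only store).
function asymmetricServer(publicKeyPem) {
  const state = { publicKeyPem, rows: [] };
  const store = (secret) => {
    const ct = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(secret, 'utf8'));
    state.rows.push({ ct });
  };
  return { state, store };
}

// What a party holding a full copy of the server state can read back.
function readFromDump(state) {
  return state.rows.map((row) => {
    if (!state.key) return null; // no decryption key anywhere in the dump
    const d = crypto.createDecipheriv('aes-256-gcm', state.key, row.iv);
    d.setAuthTag(row.tag);
    return Buffer.concat([d.update(row.ct), d.final()]).toString('utf8');
  });
}

function runDemo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const sym = symmetricServer(); sym.store(SAMPLE_SECRET);
  const asym = asymmetricServer(publicKey); asym.store(SAMPLE_SECRET);
  // privateKey stands in for a key kept on a separate, offline machine.
  const offline = crypto.privateDecrypt({ key: privateKey, ...OAEP }, asym.state.rows[0].ct).toString('utf8');
  return { symmetricDump: readFromDump(sym.state), asymmetricDump: readFromDump(asym.state), offline };
}
```

RSA-OAEP with a 2048-bit key only fits short values directly (about 190 bytes with SHA-256), which is enough for a password; longer records would need a hybrid scheme.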
> We decided to sneak a peek. Logging in with the “mobiteam@icloud.com” apple ID and the password graciously provided in clear text, we have identified a typical QA team account...
This provides the 'break in the case' but it's based on illegal activity. Just because a company is acting unethically doesn't give researchers a legal shield. (Especially considering a quick search led me to the probable identity of the author.)
I came here to say the same thing. IANAL, but it looks like if Apple wanted (which they probably don't) they could have them charged under the computer abuse and fraud acts; even if Apple doesn't act, the DoJ still can. I can understand the researcher's desire to follow the trail, but in attempting to unmask the criminal did they themselves not become one in the process? This is "Ends justify the means" type thinking, which is really dangerous (Patriot Act anyone?).
Great write-up, even though some enthusiastic conclusions are far from solid.
>>>> the logo similarity convinced us beyond the shadow of a doubt that Mobisoft LTD is the development company behind mSpy
>>>> Why would mSpy move their data from Amazon ... Incidentally, in September 2014, the FBI has arrested a CEO of another spyware company called Stealth Genie ... Could the ease with which the US authorities were able to take down Stealth Genie have caused the Ukrainian company to move to an alternative infrastructure? We believe that the compelling answer to this question is obvious. Yes.
I think what would be interesting is to ask Lenovo why they commissioned Lenovo Browser Guard from a known spyware distributor, Conduit (one of the biggest and for a time nastiest Malware programs was Search Protect, which they make).
Proof: here’s a press release from Perion from June 2014 which announced that they partnered with Lenovo to create Browser Guard:
I liked the style and flow of this piece a lot. I sort of felt like I was left hanging at the end, though. There was no huge reveal or dramatic conclusion, just a bunch of arm waving and strong language.
I wonder if rewriting this so that the ending leaves more of a mystery might help the piece. As it is, I got the feeling the author was trying to tell a story that just wasn't there. Great tone and style, though, and worth the read. This new brand of "Nerd Detective Novel" is really cool. Would love to see more of it.
Thanks for the story, it was a nice read. However, the answer is at the beginning: The author of the software is exactly the guy he claims to be. Along with photo and an interview in the Forbes Magazine.
Yes, they use all kinds of fake companies for whatever purposes, but there's really no need to entangle it all.
It's great that at least some shady businesses are being exposed. However, the problem is that it's hard to get any public attention on it - they are relatively small, and it's hard to link any actual damage to these shady businesses, and even then, the victims are "spread out", and will find it difficult to litigate.
There's no pressure to stop such businesses, unless law enforcement do their thing properly. FBI and other gov't agencies have massive resources, why isn't more put on this sort of thing, instead of spying on the citizens illegally?
> > After the first shock of seeing iCloud passwords stored in clear text (how hard would it be to encrypt them?), we have seen something very interesting in the file:
I don't understand why that particular developer account caught their eye while browsing through a 13GB data set.
That is the old address for Companies Made Simple: http://www.companiesmadesimple.com/