How to identify Spy Software Scams
Competitive intelligence (“CI”) is a vital business activity that every company should be engaged in, to some degree or another, in order to remain competitive. With CellSpy, the top-rated child and employee monitoring app, being our most popular product, the lion’s share of our CI budget is devoted to the detection of new spyware products and the monitoring of existing spyware vendors. An integral part of that CI effort is the purchasing of competing spyware products for examination and analysis. All but a handful of those purchases are made online, from websites accessible to the general public.
Despite the fact that there has been an exponential growth in the number of websites offering spyware products, most of those websites are operated by resellers (and affiliates) of a relatively small number of genuine spyware developers. One of the most time-consuming aspects of our CI effort is determining (with as little cost as possible) whether a newly detected website is offering a new product, whether it is a reseller of an existing product or whether it is a fraud advertising a non-existent product. Thankfully we’ve been able to avoid being taken for a complete ride, but we too have been deceived by a number of unscrupulous website operators who have failed to deliver on their promises. So how does one know if a spyware vendor is genuine or not?
Definite Indicators of Fraud
“No Access Required”
Stay clear of any website or advert claiming that one does not need physical access to the device one wishes to monitor. While it is definitely possible for certain spyware products (including CellSpy) to be installed and setup remotely, this does not mean that the customer will not need physical access to the target device. The remote installation process cannot be hidden and it requires the cooperation and consent of the remote user.
The two most common “no access required” frauds that we’ve encountered are those that claim you can install spyware on your own device and then either call or SMS the target phone to gain instant and complete access or that no software needs to be installed at all (or if any software needs to be installed, it must be installed on your computer) and that you are able to access the target device simply by inputting the target’s phone number into a webpage or application running on your computer. Amazing.
“Works on Any and All Devices”
Any person that develops software – particularly software for mobile phones – will tell you that there is no such thing as a one-size-fits-all application that will work on all devices. There are dozens of mobile phone operating systems and development platforms, and numerous iterations and distributions of each, and when it comes to developing mobile software, a developer needs to know exactly which devices he or she is developing an application for in order to select the correct development kit and use the appropriate API.
It isn’t even the case that all phones from one manufacturer are compatible – in fact, to use Nokia as an example, the Lumia models are more closely related to the latest Blackberry devices. They are completely incompatible with older or even current Nokia models like the Asha that uses a version of Nokia’s Symbian Series 40 operating system which dates back to the late 90’s. If a person wanted to develop software that would could work just on all Nokia devices, it would require at least a dozen versions of the same software developed independently for (or ported to) the following platforms:
Many phone models, though still in use, have been discontinued by their manufacturer along with the specific breed of operating system they were using. A great example is Blackberry, whose Bold and Curve ranges that used Blackberry OS4-7 are still available in stores, but are essentially no more. Although we still sell software for these devices, no further development or upgrades have been done for months since we would be unlikely to see any financial benefit. And there would be even less financial benefit in developing CellSpy for obscure brands and devices.
Some might argue that it is possible to create apps using platforms such as Java or browser-based technologies that are widely supported by most phone manufacturers, and they would be right in that Java midlets and web-based apps will run on most phones, but the fact is that these types of apps must run through emulators, virtual machines or upon other system layers and are therefore prevented from interacting directly with or controlling critical elements of the operating system and device hardware. This makes them simply incapable of performing some of the most basic functions required of stealthy spyware. Period.
If an advert or website claims that their product will work on all phone makes and models then beware – at best they’re idiots and at worst they’re frauds – either way, you’re unlikely to come out on top. Here’s a site I found a while back (riding on our brand name, CellSpy) whose product is not only compatible with all handsets in existence but will even work on Chuck Norris and a banana milkshake (www.cellspyarsenal.com):
Warning Signs and Red Flags
Being ripped off is an awful experience, but one doesn’t just need to be scammed by a fraudster to suffer a loss. Purchasing a product from a company that provides no support, inadequate or incorrect instructions, incompatible software or malware can be even worse than paying a crook for software and not receiving it. Apart from losing your money (as with a fraud) you’ll probably waste precious time trying to figure things out and problem-solve issues without any guidance, you would increase the risk that the target user might discover the spyware, you could potentially erase or corrupt the target user’s data, render the target device unstable or unusable, and you may also be exposing the target user and that person’s private information to threats, exploitation and compromise. Here are a few things you should definitely look out for when considering the trustworthiness and credibility of an online vendor…
Security and Trust Seals
Due to the prevalence of online scams, security companies and others offer validation and verification services to vet the website operator and assess their operation in terms of privacy, security, trust, reliability and reputation. Such services as TRUSTe, Norton, Verisign, BBB and others will scrutinize the website owners, their credentials and bona fides and if successfully vetted, will allow the website operator to display a trust or security seal on their web pages. These seals and badges are intended to demonstrate to visitors that the website is operated by a genuine business with verifiable contact details and place of business.
I’m not trying to say that one should not trust a website that does not display these trust seals. Not at all. The fact is that these seals are relatively expensive to obtain and are generally only available to registered companies, so Joe the Plumber, working for himself may well be a stand-up guy but simply cannot afford a trust seal or does not qualify because he is a sole proprietor. What I’m warning against are those websites that display trust seals when in fact they have not been permitted to do so. So how can one tell?
Easy. Clicking the trust seal should take you to a web page that is operated by the trust service, and it must validate the website from which you came. For example, on the Intertel website, clicking the Norton Secured trust seal will open a window that has “https://trustsealinfo.websecurity.norton.com/…” in the address bar. Check that the connection is secured by SSL (you should either see a lock icon on the address bar or a green colored address bar to indicate the connection is secure). Similarly, our TRUSTe, GeoTrust, Webutation and WOT seals will open windows on those respective websites that confirm our bona fides.
If you click a trust seal and no window opens or a window on any site but that of the trust seal issuer then you can be fairly certain that the seal is bogus or that it has expired and the website is using the seal without permission.
A genuine website will want you to interact with them and website operators that want to provide great service would be grateful for feedback, suggestions and complaints. If its an online business, particularly a small to medium enterprise, then you’d expect this to be even more true. The web is a highly competitive marketplace and if customers are not able to contact a potential supplier with ease, they’re more likely to look elsewhere than to persist in making contact or wait days (or even hours) for a response.
Since many genuine and useful websites are owned by individuals working from home, or are virtual services that do not have a public office, brick-and-mortar store or showroom, it would be unfair to classify the quality of a website or its products based solely on whether they provides a physical address and landline telephone number. That said, there needs to be a measure of disclosure that enables a visitor to understand what type of an operation he or she is dealing with and to be able to trust the operator of that website with personal information and more.
Providing little or no contact information apart from an online form or an email address is an immediate warning sign for me, and even though that, in and of itself, is not necessarily an indicator of deception or malice, I’d personally rather not do business with someone if they’re not immediately contactable. What if I need urgent assistance? What if there’s a problem with my transaction?
Things are seldom either black or white so rushing to judgement and dismissing a website based on a lack of contact information alone may not always be in one’s best interests. By the same token, assuming a website is legit simply because they display what appears to be comprehensive contact information may also not be to one’s benefit. I’m an investigator by vocation so its almost second nature for me to check information and I do this every time I intend to transact with a new entity. We’ve identified countless websites that provide telephone numbers, physical office addresses, manned live chat services and the works, but when one examines the contact details more closely, it becomes apparent that things are not as they seem. Granted, Joe Public probably doesn’t have access to the types of information sources that investigators and others in our industry do, but using Google and a few free online tools one should be able to gather enough information to either support or caution against continued interest in the site (we’ll cover some of these tools in a follow-up post in the near future, so stay tuned).