Background:
During the recent development of an MQTT related security analysis tool, I came across an MQTT server run by "A stealth mode AI startup disrupting the on-demand economy" Jobox.ai which was exposing the messages between two national services dispatch companies, and the individual locksmiths.
Inspecting the MQTT server directly (dns, port scan, whois, etc) did not lead to any significant clues on the "owner", so I attempted to identify the party by looking at the content of the messages being passed.
After several minutes of review it because clear that there were two very distinct and concerning types of messages being passed. Both contained a URL in the message that gave me clues on who the parties involved might be.
{
"type": "APPLOZIC_02",
"message": {
"fromUserName": "Yossi [(469) 929-5770]",
"message": "Company: American Services
Job: 5WQ9S
Name: Amanubel
Phone1: 775-990-3367
Job Type: Car Lock-out
2002 TOYOTA Corolla Silver
Price: Service Fee 29.00 Price From: 19.00 - 200.00
Address: 1442 South Parker Road
Denver, CO 80231
Job
Notes: verify address @ Walmart Neighborhood Market
customer answered and said, HAVE TECH CALL ASAP PLEASE SEND K
Accept Click Below
http://dispatchlogin.net/link/j/1O6WY8QJ1Z/accept/1/1
Thank you
I offer hem 75 he’s saying company told hem 30$",
"createdAt": "Nov 10, 2018 11:57:39 PM",
},
}, {
"type": "APPLOZIC_02",
"message": {
"fromUserName": "Aaron [(619) 966-8194]",
"message": "JOB #JF7-4FP9 ACCEPTED \u0026 IN PROCESS
--------------------------------------
Job Details:
24/7 locksmith misha office Deloris (14702033616 #601)
2701 Peach Orchard Road, Augusta, Georgia 30906 Car Lock Out
Confirm: s1j.co/j/BT5CXY Notes:",
"metadata": {
"summary": "[{\"jobId\":206973,\"createdAt\":1541865334352,\"senderId\":1585,\"receiverId\":3717,\"notes\":\"\",\"fee\":0,\"tax\":6,\"id\":757218,\"fraction\":35,\"status\":\"ACCEPT\"}]",
"jobox_type": "JOB_STATUS",
"description": "24/7 locksmith misha office Deloris (14702033616 #601) 2701 Peach Orchard Road, Augusta, Georgia 30906 Car Lock Out Confirm: s1j.co/j/BT5CXY Notes:",
"receiver_name": "Aaron Hayman",
"job_reference_id": "JF74FP9",
"status": "ACCEPT"
},
}
Observations from the messages:
There are 3 items of interest in the messages above
APPLOZIC_02
Applozic is a Chat SDKs and Messaging APIs used to build Realtime Messaging that uses MQTT. I have found several Applozic servers during my research which are misconfigured to allow anyone to subscribe to the "#" topic and receive all messages.
s1j.co/j/BT5CXY
There where several messages which contained short URLs which redirected to the WorkIZ Field Service Scheduling Software site My initial reach out about the misconfiguration of the MQTT server were directed at WorkIz. After hearing back from them, it was identified that there is actually a 3rd party (jobox.ai) who is acting as a "broker" to the messages.
http://dispatchlogin.net/link/j/1O6WY8QJ1Z/accept/1/1
While I was waiting for a response back from WorkIZ, I decided to check out the dispatchlogin.net site (This investigation eventually led to the Data Breach discovery )
The DispatchLogin Mystery
While attempting to identify the corporate entity who owns the dispatchlogin.net site, it became clear that there was an obvious attempt to hide who owns and runs the site. (Whois privacy, DNS, HTML source of the login page. 1-800 reverse lookups, Backlink checking, Google Search etc).
Using one of my regular techniques, I attempted to look at the HTML source, and any images which were on the page. The end goal to check if directory listings where enabled.
<img src="http://dispatchlogin.net/assets/admin/img/logo_test.png/>
BINGO.
Directory Listings were enabled in the /assets/admin/img directory and several hundred images where present. In order to speed up the viewing of the images, used to determine who the company actually was, I set up my usual site downloader.
Unintented Discovery
After letting the downloader run, I had forgotten about it, and it ended up (surprisingly) running for several hours and downloading a few gigabytes of data.
After a few mins of reviewing the data it became clear that something was seriously wrong with the configuration of the server as well as the companies business practices of confidential data use. (Eg. PCI compliance)
The follow items were observed based on the data exposed:
- The company operated under several industry standard terms like: "Locksmith services" "American Services" "24 hour locksmith service"
- The company operated under several emails, several of which were generic gmail accounts
- There were images and PDFs of:
- Both sides of credit cards including CVV #'s
- Drivers Licenses, Passports, Military ID's
- Recording of calls between the dispatch and customers
- Emails between the Dispatch, Locksmiths, and customers
- Customer invoices
Note: **There was only a single reference in a set of files to a corporate entity which could be responsible for running the service. ** this eventually led me to the owner American IP Marketing
Researchers Dilemma
After an initial reach out to an email listed on the on some of the invoices, and letting them know of the misconfiguration, I became concerned about some of the wording used in the responses, the continued avoidance of identifying themselves, and the commitment to notifying their customers of the breach.
At that time I decided to notify the credit card companies directly, and inquire about how to get them the card numbers to notify their members.
It's now been over two weeks since the initial discovery, and both Visa, and MC have yet to take any action on the information of the breach that has been provided to them.
Makes you wonder why the merchant fees keep going up due to fraud but MC/Visa don't take timely action to prevent it when it's wrapped up in a bow and hand delivered to them.