SINGAPORE: A man who wanted to see HBO shows for completely decided to steal into meconnect transactions to get those with membership to the TV channel.
Using email addresses and passwords leaked in data vulnerabilities on various platforms, he improperly accessed more than 14,000 meconnect records before being nabbed.
Sufian Iskandar, 24, was sentenced to 15 months of probation on Monday ( Jan 20 ), which includes 60 hours of community service and a curfew.
He previously pleaded guilty to two claims under the Computer Misuse Act, with two more costs considered in punishment.
Mediacorp, which owns CNA, operates meconnect as the second registration system for the various digital platforms on which it delivers information to people.
On Jan 22 and 23, 2023, more than 10 million password calls to meconnect were made from an Internet address. Mediacorp observed this rise on Jan 25, 2023.
More than 14,000 special names were used to register into meconnect in these problems. All the transactions were found in the data from the information violation of the RedMart food delivery services.
Another wave of attacks between Feb 27 and Feb 28, 2023 involved more than 520,000 registration efforts, of which four succeeded.
Studies showed that Sufian had installed and configured an open-source program to split accounts using users ‘ credentials in a very quick manner.
He searched online and downloaded a list of leaked contact names and passwords apparently from victims of data breaches in Singapore.
He then used the open-source program to create a script to automate the process of logging into meconnect, and deployed it with the leaked qualifications.
Between Jan 17 and Feb 28, 2023, Sufian compromised a total of 14,105 meconnect records in this way.
According to Mediacorp, signup qualifications were never leaked from the program and no transaction data was compromised.
No wary credit cards activity was detected, and there was no evidence that information was exfiltrated, the jury heard on Monday.
Sufian was nabbed through his MyRepublic Internet address, from which the registration attempts were observed to have been made.
The Internet handle was a common one shared by many personal people at a time.
MyRepublic gave the police a list of 70 users who could have accessed meconnect at the time of the crimes. The policeman narrowed this down to six homes and visited each one.
On Mar 9, 2023, they visited Sufian’s house and found spying tools and codes related to the problems on meconnect on his system.
He admitted to the attacks and was arrested that morning.
Sufian even admitted to posting the leaked person certificates he had downloaded on a black online community favoured by thieves.
This was to receive” credits” so he could get another dataset presumably from ShopBack’s data violation.
A “KEEN INTEREST IN HACKING”
Sufian’s parole officer informed the court that his parole strategy involved control by his mother and older sibling, and regular checks on his website actions.
The parole officer said she would even work closely with Sufian’s school to become updated on what he was learning, and ensure he was using his hacking skills in a pro-social manner.
Defence attorney James Ow Yong said his customer had proposed using a professional staff monitoring technology to track his pc use during probation.
This software included 24/7 screen recording and keystroke logging, with alerts to flag suspicious activity in real time.
However, Deputy Public Prosecutor Emily Koh objected to probation and sought a short detention order.
She argued that Sufian was an adult offender who had not demonstrated an extremely strong propensity for reform.
She also said the offences were not out of character but a manifestation of his “keen interest in hacking”.
She questioned the feasibility of monitoring Sufian’s online activity through monthly family checks and the proposed software, given his proficiency at hacking.
Mr Ow Yong countered that Sufian had shown a desire to change and was learning about the ethics behind computer security and information technology at school.
The lawyer disagreed that the offences were not out of character. He said that Sufian’s interest was in cybersecurity, and not the illegal elements of his offences.
He also said that Sufian’s older brother, who held a degree in computer science and majored in cybersecurity, was qualified to monitor him, and that the frequency of checks could be increased.
District Judge Lee Lit Cheng said that a period of supervision where Sufian was accountable to his family and the probation officer would “hopefully lead to a better outcome” than a short detention order.
She also noted the probation officer’s findings that Sufian had expressed deep regret for his actions, had dissociated from negative cyber actors, and was willing to engage in ethical hacking.
Addressing Sufian directly, Judge Lee told him he had “more knowledge” of cybersecurity than those who would be supervising him, and that it was ultimately up to him resist the temptation to offend again.