Web Stories Tuesday, January 21

SINGAPORE: A man who wanted to watch HBO shows for free decided to hack into meconnect accounts to find those with subscriptions to the TV network.

Using email addresses and passwords leaked in data breaches on other platforms, he illegally accessed more than 14,000 meconnect accounts before being nabbed.

Sufian Iskandar, 24, was sentenced to 15 months of probation on Monday (Jan 20), which includes 60 hours of community service and a curfew.

He earlier pleaded guilty to two charges under the Computer Misuse Act, with two more charges considered in sentencing.

Mediacorp, which owns CNA, operates meconnect as the single login system for the various digital platforms on which it delivers content to audiences.

On Jan 22 and 23, 2023, more than 10 million login requests to meconnect were made from an IP address. Mediacorp observed this spike on Jan 25, 2023.

More than 14,000 unique usernames were used to log into meconnect in these attacks. All the accounts were found in the dataset from the data breach of the RedMart grocery delivery service.

Another wave of attacks between Feb 27 and Feb 28, 2023 involved more than 520,000 login attempts, of which four succeeded.
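A defender's view of the pattern described above, as an added example that is not part of the original report and not Mediacorp's tooling: a per-IP, per-hour check for many distinct usernames combined with a low login success rate. The thresholds, the log tuple format and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

MIN_DISTINCT_USERS = 20    # assumed threshold: usernames tried per IP per hour
MAX_SUCCESS_RATIO = 0.05   # assumed threshold: stuffing succeeds rarely

def flag_stuffing_sources(events):
    """events: (iso_timestamp, source_ip, username, succeeded) tuples.
    Returns {ip: sorted usernames that logged in successfully} for flagged IPs."""
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ts, ip, user, ok in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        b = buckets[(ip, hour)]
        b["users"].add(user.lower())
        b["attempts"] += 1
        if ok:
            b["hits"].add(user.lower())
    flagged = defaultdict(set)
    for (ip, _hour), b in buckets.items():
        success_ratio = len(b["hits"]) / b["attempts"]
        if len(b["users"]) >= MIN_DISTINCT_USERS and success_ratio <= MAX_SUCCESS_RATIO:
            flagged[ip] |= b["hits"]  # accounts to review and force-reset
    return {ip: sorted(users) for ip, users in flagged.items()}

def sample_events():
    """Constructed log lines; IPs are from documentation ranges."""
    events = []
    # One source trying 200 different usernames in an hour, 2 succeed.
    for i in range(200):
        events.append((f"2023-01-22T10:{i % 60:02d}:00", "203.0.113.7",
                       f"user{i}@example.com", i in (17, 142)))
    # Shared NAT address: many users, but almost all logins succeed.
    for i in range(30):
        events.append((f"2023-01-22T10:{i:02d}:30", "192.0.2.50",
                       f"staff{i}@example.org", i != 4))
    # Ordinary household: one username, one mistyped password.
    events += [("2023-01-22T10:05:00", "198.51.100.9", "amy@example.net", False),
               ("2023-01-22T10:05:20", "198.51.100.9", "amy@example.net", True)]
    return events

if __name__ == "__main__":
    for ip, accounts in flag_stuffing_sources(sample_events()).items():
        print(ip, "flagged; review successful logins:", accounts)
```

Because a public IP can be shared by several users, successful logins from a flagged address are candidates for review and password reset, not proof of compromise.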

Investigations showed that Sufian had downloaded and configured an open-source programme to crack accounts very quickly using users’ credentials.

He searched online and downloaded a list of leaked email addresses and passwords purportedly from victims of data breaches in Singapore.

He then used the open-source programme to create a script to automate the process of logging into meconnect, and deployed it with the leaked credentials.

Between Jan 17 and Feb 28, 2023, Sufian compromised a total of 14,105 meconnect accounts in this way.

According to Mediacorp, login credentials were not leaked from the system and no payment information was compromised.

No suspicious credit card activity was detected, and there was no indication that data was exfiltrated, the court heard on Monday.

Sufian was nabbed through his MyRepublic IP address, from which the login attempts were observed to have been made.

The IP address was a public one shared by several residential users at a time.

MyRepublic gave the police a list of 70 subscribers who could have accessed meconnect at the time of the offences. The police narrowed this down to six households and visited each one.

On Mar 9, 2023, they visited Sufian’s house and found hacking tools and scripts related to the attacks on meconnect on his computer.

He admitted to the attacks and was arrested that day.

Sufian also admitted to posting the leaked user credentials he had downloaded on a dark web forum favoured by hackers.

This was to obtain “credits” so he could download another dataset purportedly from ShopBack’s data breach.

A “KEEN INTEREST IN HACKING”

Sufian’s probation officer informed the court that his probation plan involved supervision by his mother and older brother, and monthly checks on his online activities.

The probation officer said she would also work closely with Sufian’s school to be updated on what he was learning, and ensure he was using his hacking skills in a pro-social way.

Defence lawyer James Ow Yong said his client had proposed using a commercial employee tracking software to monitor his computer use during probation.

This software included 24/7 screen recording and keystroke logging, with alerts to flag suspicious activity in real time.

However, Deputy Public Prosecutor Emily Koh objected to probation and sought a short detention order.

She argued that Sufian was an adult offender who had not demonstrated an extremely strong propensity for reform.

She also said the offences were not out of character but a manifestation of his “keen interest in hacking”.

She questioned the feasibility of monitoring Sufian’s online activity through monthly family checks and the proposed software, given his proficiency at hacking.

Mr Ow Yong countered that Sufian had shown a desire to change and was learning about the ethics behind computer security and information technology at school.

The lawyer disagreed that the offences were not out of character. He said that Sufian’s interest was in cybersecurity, and not the illegal elements of his offences.

He also said that Sufian’s older brother, who held a degree in computer science and majored in cybersecurity, was qualified to monitor him, and that the frequency of checks could be increased.

District Judge Lee Lit Cheng said that a period of supervision where Sufian was accountable to his family and the probation officer would “hopefully lead to a better outcome” than a short detention order.

She also noted the probation officer’s findings that Sufian had expressed deep regret for his actions, had dissociated from negative cyber actors, and was willing to engage in ethical hacking.

Addressing Sufian directly, Judge Lee told him he had “more knowledge” of cybersecurity than those who would be supervising him, and that it was ultimately up to him to resist the temptation to offend again.
