SINGAPORE: A 28-year-old man who phished for online users’ personal data became the first person to be prosecuted for violations of the Computer Misuse and Cybersecurity Act.
Yesterday, Muhammad Rostam Rahim pleaded guilty to 46 of more than 160 charges, including cheating by personation. Four counts were for collecting Facebook log-in credentials from unsuspecting users via phishing links that looked identical to the social media site.
The court heard that he logged in to his victims’ Facebook accounts and interacted with friends of the victims to ask for photographs of their breasts, pretending that he either represented a modelling agency or was running a breast cancer screening campaign.
At least eight victims aged between 18 and 28 responded to his requests, thinking that they were sending the pictures to someone they knew.
Between October 2015 and February 2018, he committed the offences against at least 18 victims.
Rostam, a bouncer at a nightclub, was able to do this partly because of a weakness in how Facebook log-ins were tied to Hotmail accounts that were no longer in use.
Court documents did not state when or how his crimes were discovered, but an Institute of Mental Health report on Dec 7, 2016 certified that he was diagnosed with fetishism.
In one particular case on April 17, 2016, Rostam gained access to the Facebook account of a 23-year-old female friend, and used it to reach out to a 20-year-old woman who was interested in becoming a bridal model.
Rostam asked for photos of her naked body so that he could “know her sizes” and determine which bridal gowns would fit her properly. The woman sent them believing that she was communicating with her female friend.
Rostam later took control of the woman’s aunt’s Facebook account, and told the same 20-year-old on that same day that he (pretending to be the aunt) was suffering from breast cancer and wanted to spend more time with her.
He then asked for photographs of her in her underwear and more pictures of her, explaining that these would be used to get her modelling contracts.
The victim was not suspicious because she had previously told her aunt that she was interested in modelling, and sent those photos along with a video.
Exploiting loophole in Hotmail, Facebook
The court heard that there were two ways Rostam managed to gain access to the social media accounts of his victims.
One was to exploit a weakness affecting Facebook accounts that used a Hotmail email address as a log-in credential.
If a Hotmail user does not use his email account for more than 270 days or does not log into the account within 10 days of signing up for the account, it is deactivated and terminated.
This means the Hotmail username becomes available again and can be registered as a new email account by anyone.
Rostam would search for Facebook accounts which use Hotmail sign-ins, check with Hotmail if the account still existed, then register for a Hotmail account using the user ID if it had been terminated.
Rostam would then use the “reset password” function on Facebook to send an email to the associated Hotmail account that he managed to register.
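The reset flow described above trusts the address string, not the person who currently holds the mailbox. As an added example (not code from the article or from either company's systems), the Python sketch below models the standardised mitigation for recycled addresses, the Require-Recipient-Valid-Since check of RFC 7293: the sending service states when the user linked the address, and the mail provider refuses delivery if the mailbox was re-registered after that date. The provider domain, addresses and timestamps are constructed for the example.

```python
from datetime import datetime, timezone
from typing import Dict, Tuple

# Constructed registry for a hypothetical mail provider: each address maps
# to the UTC time its *current* owner registered it. When a dormant mailbox
# is terminated and someone else claims the same name, that time moves forward.
MAILBOX_REGISTERED_AT: Dict[str, datetime] = {
    "alice@mail.example": datetime(2014, 3, 1, tzinfo=timezone.utc),
    # bob's original mailbox lapsed and the name was re-registered in 2016
    "bob@mail.example": datetime(2016, 1, 10, tzinfo=timezone.utc),
}

def rcpt_check(address: str, valid_since: datetime = None) -> Tuple[bool, str]:
    """Receiving side: the RCPT TO decision made by the mail provider.

    Without an RRVS parameter the provider only checks that the mailbox
    exists, so a reset email reaches whoever currently holds the name.
    With RRVS (RFC 7293) it also rejects when ownership changed after
    `valid_since`; 5.7.17 is the enhanced status code RFC 7293 registers."""
    registered = MAILBOX_REGISTERED_AT.get(address)
    if registered is None:
        return False, "550 5.1.1 mailbox does not exist"
    if valid_since is not None and registered > valid_since:
        return False, "550 5.7.17 mailbox owner has changed"
    return True, "250 OK"

def send_password_reset(address: str, linked_at: datetime, use_rrvs: bool) -> Tuple[str, bool, str]:
    """Sending side: a web service that stored when the user linked `address`
    to their account asserts that time on the RCPT command (RFC 3339 format).
    Returns the command sent, whether delivery was accepted, and the reply."""
    cmd = f"RCPT TO:<{address}>"
    if use_rrvs:
        cmd += " RRVS=" + linked_at.strftime("%Y-%m-%dT%H:%M:%SZ")
        ok, reply = rcpt_check(address, linked_at)
    else:
        ok, reply = rcpt_check(address)
    return cmd, ok, reply

def reset_outcomes(linked_at: datetime = datetime(2015, 6, 1, tzinfo=timezone.utc)) -> Dict[Tuple[str, bool], bool]:
    """Try every constructed address with and without RRVS; maps (address, rrvs) -> delivered."""
    return {(a, r): send_password_reset(a, linked_at, r)[1]
            for a in MAILBOX_REGISTERED_AT for r in (False, True)}

if __name__ == "__main__":
    linked = datetime(2015, 6, 1, tzinfo=timezone.utc)   # constructed link date
    for addr in MAILBOX_REGISTERED_AT:
        for rrvs in (False, True):
            cmd, ok, reply = send_password_reset(addr, linked, rrvs)
            print(f"{cmd:<60} -> {'delivered' if ok else 'refused'} ({reply})")
```

Only the re-registered mailbox is refused, and only when the sender asserts the link date; the legacy path delivers the reset mail to the new registrant in both cases.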
He picked up another method from watching a YouTube video: he learnt to set up phishing links, which he used to get unsuspecting Facebook users to reveal their usernames and passwords.
These links invited victims to view photographs or take part in personality quizzes on the condition that they must key in their Facebook log-in credentials.
These links were generated by a third-party website Rostam was using, which offered him a selection of websites to imitate, and Facebook was one of them.
After Rostam gained access to his victims’ accounts using this method, he went further by sending the phishing links to different individuals on their “friends” lists in attempts to obtain their log-in credentials as well.
Rostam, who was not represented by a lawyer, will return to court at a later date for sentencing.
For the charges of cheating by personation, he could be jailed up to five years and/or fined.
For obtaining the log-in credentials, he faces up to three years’ jail and/or a fine of up to S$10,000.
For each charge of accessing his victims’ Facebook accounts, he could be jailed for up to another two years or fined another S$5,000.
For each password he changed, he faces a jail term of up to three years or a fine of up to S$10,000.