Hacker used stolen names, passwords to buy things online

Lim Jun Quan, 23, was jailed for 28 months yesterday after pleading guilty to 20 charges, including computer misuse, conspiracy to dishonestly receive stolen property and cheating by personation.
Lim Jun Quan, 23, was jailed for 28 months yesterday after pleading guilty to 20 charges, including computer misuse, conspiracy to dishonestly receive stolen property and cheating by personation. PHOTO: ST FILE

A computer hacker who found out the user names and passwords of 30 website customers spent more than $70,000 of their money on assorted goods.

Lim Jun Quan, 23, was jailed for 28 months yesterday after pleading guilty to 20 charges, including computer misuse, conspiracy to dishonestly receive stolen property and cheating by personation. Another 154 charges were taken into consideration during sentencing.

A district court heard that Lim researched hacking tools online and used one particular program to attack four vulnerable Singapore- based websites, which cannot be named.

His complex modus operandi involved him using trial and error to painstakingly work out which of the websites' users had the same user name and password combinations for their e-mail accounts as they did for their accounts on online marketplace websites.

He would use the accounts to buy items like mobile phones, Samsung tablets, watches and wallets.

The items were delivered to the home of an accomplice, Gabriel Tan Li Qun, 20. They were then sold, and the proceeds split.

This was to avoid detection as Lim and another accomplice, Leong Jia Hao, 20, did not want to have items bought using compromised Groupon accounts delivered to their homes.

Deputy Public Prosecutor Suhas Malhotra said Lim was able to charge the payments for unauthorised transactions to the victims' credit cards.

"Jun Quan primarily exploited not human naivete, but a technical vulnerability in a computer system," he said.

"If left unchecked, offences like those committed by Jun Quan would immediately damage not only Singapore's burgeoning e-commerce industry, but also our reputation in the field of cybersecurity.

"He taught himself the skills and performed the function. This is not just an offender who is self-taught. This is an offender whose criminality is evolving over time... becoming more and more cunning."

Lim was placed on probation in January 2014 for computer misuse, but re-offended shortly after that.

He committed three separate tranches of offences while on probation, under police investigation and on court bail respectively.

District Judge Shawn Ho, who backdated Lim's sentence to his remand on March 31, said that the Internet is a new crime scene, and the case was a reminder for everyone to take cybersecurity seriously.

DPP Suhas, who had sought a sentence of 30 to 36 months in jail to be imposed, said that Lim's offences were unprecedented, highly aggravated and deliberate, with a high degree of pre-meditation and planning.

He said that Lim, an "intelligent and resourceful criminal'', had put thought into the offences.

Lim's lawyer Alice Tan said her client, who had been addicted to gambling since he was 14 years old, had cooperated with the police, even though he had taken steps to evade detection.

She asked the court to give him a chance to prove himself again, not in this realm, but using the intelligence that he has for a good cause.

"We are dealing with a high-intelligence person before us. He has realised since March 31 that if he had used his knowledge elsewhere, he would excel," she said.

Both Tan and Leong have been given probation of 27 months for their roles in the crime.

The maximum punishment for an offence under the Computer Misuse and Cybersecurity Act is a $10,000 fine and three years in jail.

A version of this article appeared in the print edition of The Straits Times on August 18, 2016, with the headline 'Hacker used stolen names, passwords to buy things online'. Print Edition | Subscribe