He hacked into Facebook accounts of mostly female victims for the purpose of asking for their friends’ nude photos, purportedly for breast cancer screening projects or modelling contracts.
Muhammad Rostam Rahim, a nightclub bouncer, pleaded guilty on Tuesday (22 May) to 37 charges of breaches under the Computer Misuse and Cybersecurity Act – including unauthorised access to and modification of computer material – and nine counts of cheating by personation.
Rostam is the first person ever to be convicted for phishing in Singapore.
Another 117 counts of a similar nature will be taken into consideration when the 28-year-old Singaporean is sentenced.
The court heard that Rostam hacked into the victims’ Facebook accounts between October 2015 and February 2018 after first browsing the accounts for their personal photos. Rostam also targeted those on the “friends list” of the accounts he hacked.
In all, 30 victims – mostly female and in their 20s – were either duped by Rostam or had their accounts hacked into by him, including his ex-girlfriend.
Rostam used two hacking methods to commit the offences. In the first, he would search for Facebook accounts that used Hotmail email addresses as their ID and check whether the Hotmail account still existed. As Hotmail users who don’t use their email account for 270 days have their account terminated, their user IDs would be available for use. Hence, Rostam could register a new Hotmail account with the same ID.
Once the account was registered, Rostam would use the reset password function on Facebook to send an email to the Hotmail account, which allowed him to change the password of the Facebook account. Rostam would then access the Facebook accounts without authorisation.
Rostam would also phish for login details by sending victims emails that appeared to be from legitimate institutions. He learned how to create phishing links from a YouTube video which he chanced upon.
As part of the phishing process, the victims would be sent emails or links inviting them to view photographs or participate in activities after keying in their login details on a page which mimicked an authentic Facebook page. After the victims entered the data, however, Rostam harvested it to access their accounts illegally.
He also sent phishing links to those on the “friends list” of the accounts he hacked into so as to get their login details as well.
After he gained control of the accounts, Rostam would impersonate the users and ask their female Facebook friends to help with a breast cancer screening project. In some cases, he asked if the women were willing to carry out a “virtual mammogram” by sending front and side views of their breasts. He promised to reimburse the women with cash and gifts for their participation, and promised that their photos would be deleted after use.
After the women sent photos of their breasts, they found out that the actual user had not asked for their photos. A police report was lodged afterwards.
Rostam also cheated a 20-year-old woman into handing over her nude photos for a supposed modelling contract. While impersonating the woman’s Facebook friend on 17 April 2016, Rostam asked the woman if she was interested in being a bridal model and requested her nude photos, ostensibly to get her sizing for bridal gowns. The woman agreed to do so.
Later that same day, posing as the woman’s aunt through a hacked Facebook account, Rostam told the woman that her aunt was suffering from breast cancer and wanted to spend more time with her. He asked the woman for partially nude and fully nude photos of herself, claiming that they were needed to get her modelling contracts. As the woman had previously told her aunt that she was interested in modelling, she sent the nude photos without question.
Still posing as her aunt, Rostam lied to the woman that she was going to die soon and wanted to see her niece touch her private parts. As a result, her niece took a video of herself touching her private parts over her underwear and sent it to Rostam. The woman made a police report after she discovered the lie.
Similarly, Rostam cheated a 31-year-old woman into sending two nude photos by impersonating someone from a modelling website. The website, suicidegirls.com, lets aspiring models showcase their images – both nude and not – online for public viewing. He obtained the woman’s numbers from a Facebook chat of an account he hacked into and messaged her through WhatsApp using a temporary overseas number.
In February 2018, Rostam came across a Tumblr account which sold nude photos and sexually explicit videos. The account belonged to a 19-year-old male user. As Rostam believed the user was a woman, he started chatting with the user and later sent a phishing link to him in an attempt to get his Facebook login details.
When Rostam successfully obtained the details, he found that the user was a man. He then decided to blackmail the man into paying him $900, threatening to reveal his identity if he did not pay up.
The man filed a police report without paying the money. The man is currently under investigation for the sale of sexually explicit videos online on the Tumblr account.
Rostam will next appear in court on 27 June.