Hacker spent $70k using victims' e-mails, PayPal and Groupon accounts
First person to be convicted for using hacking to commit financial crime in S'pore gets 28 months' jail
Self-taught in hacking techniques, this online criminal illegally gained access to websites, stole their customers' log-in credentials and logged into these people's e-mail, PayPal and Groupon accounts.
From there, he made over $70,000 worth of purchases without his victims knowing, taking extra care to avoid detection by connecting to the Internet through tethering on his mobile phone via prepaid SIM cards.
Lim Jun Quan had no regard for the law - he did all this while on probation, having been earlier convicted of similar offences under the Computer Misuse and Cybersecurity Act.
Even when he was arrested again for fresh offences and released on bail, he continued his criminal ways.
Yesterday, Lim, 22, was jailed 28 months for 20 offences such as modifying computer material without authorisation, cheating, illegally accessing people's accounts and conspiring to receive stolen property.
There were 154 other charges taken into consideration for sentencing.
He is the first person to be convicted for using hacking to commit financial crime here.
In January 2014, Lim, who was then serving his national service, was sentenced to 18 months' probation for illegally accessing people's PayPal accounts, the court heard.
Instead of learning his lesson, Lim broke the law again just a month later, after researching hacking tools online.
First, he downloaded one such program - which cannot be named due to a gag order to prevent copycats - and used it to extract information from a local website.
The stolen database of information contained the usernames and passwords of people who had accounts with the site.
Lim tried these username-password combinations on online transaction sites such as Groupon, PayPal or Qoo10 and gained access to 18 accounts.
Between February and June 2014, he used the 18 accounts to make purchases worth about $48,320.
After receiving reports from several users that their accounts had been hacked, police found that the items, such as Samsung mobile phones and Bottega Veneta wallets, had all been delivered to an address in Choa Chu Kang - the home of Lim's friend, Gabriel Tan Li Qun.
It turned out that Lim was in cahoots with Tan and another friend, Leong Jia Hao, who were helping him receive the stolen goods and selling them off.
Lim was arrested on June 21, 2014, but he continued re-offending until he was finally jailed yesterday. His accomplices, Tan and Leong, both now 20, were sentenced earlier to 27 months' probation each.
Experts: He used common hacking tool
He may have hacked into multiple websites, but what serial hacker Lim Jun Quan used was a common hacking tool, cybersecurity experts told The New Paper yesterday.
Structured Query Language (SQL) injections, used by Lim, are one of the most prevalent and dangerous forms of web attacks, said Associate Professor Hugh Anderson from the National University of Singapore (NUS) School of Computing.
Prof Anderson said that this method of gaining sensitive data is so easily accessible that any technologically-adept youngster at age 12 and above would be able to do it.
"It is not a highly technical thing that (Lim) has done and anyone could have done it," he said, before sharing information that we cannot publish as it might be used by copycats.
Improperly-coded web applications could also enable hackers, such as Lim, to steal people's private account information, said Mr Mohan Veloo, vice-president of F5 Networks' Asia Pacific technology division.
Mr David Freer, vice-president of Intel Security's Asia-Pacific consumer division, said: "It is an attack whereby an attacker can execute malicious SQL commands to take control of a web application's database server."
This is especially dangerous since web applications use a back-end database to store critical personal information like usernames, passwords and credit card numbers.
"As the digital revolution brings more devices online, the frequency of attacks will continue to increase and grow in sophistication," he said.
Mr David Maciejak, Fortinet's head of FortiGuard Lion Asia-Pacific research and development team, said that in such attacks, the onus is on businesses to keep their customers safe.
"The only way to have a proper level of security is for the website to deploy two-factor authentication (2FA).
"SMS-based 2FA is relatively easy to deploy, and is still safer than purely using a password for authentication," he said. - Annabelle Zhang
DPP: Serial hacker 'extremely dangerous'
Intelligent, resourceful and extremely dangerous.
That was how Deputy Public Prosecutor (DPP) Suhas Malhotra described serial hacker Lim Jun Quan in his submissions yesterday.
DPP Suhas also said that Lim showed a willingness to re-offend even when faced with repeated police investigation.
Not just that, his criminality evolved with time and he became more and more cunning over time, such as taking steps to evade detection, said DPP Suhas.
Defence lawyer Alice Tan said in mitigation that her client was forthcoming during investigations and was remorseful.
He spent $18k using victim's PayPal
While out on police bail, sometime after June 2014, serial hacker Lim Jun Quan found a list of vulnerable websites on a forum online.
He hacked into these websites and extracted a list of e-mail addresses and corresponding passwords.
Using one of these e-mail-password combinations, he accessed a woman's PayPal account and made 46 transactions worth $17,976, including buying online game credits to sell off.
He also accessed her e-mail account using the same password and set up a filter to divert away e-mails sent by PayPal so that she would not be notified that her account was being used.
Lim even accessed her Singtel account, got a copy of her phone bill and submitted it to PayPal as "validation", court papers said.
He also created a Carousell account - a marketplace app - in her name and bought three iPhone 6s Plus from a seller known as Shaman.
He transferred $3,783 to the seller in 13 payments via the woman's PayPal account.
Lim, posing as the woman's cousin, collected two of the phones from the seller and was supposed to collect the third one in September last year.
Meanwhile, the woman found out that her account was hacked and she made a police report. PayPal also contacted the seller and advised him to do the same.
Police instructed Shaman to keep his appointment with Lim, who was supposed to collect his third iPhone on Sept 3.
But Lim sent a friend instead - Mr Chua Yee Hern, 21, who was promised $100 to help pick up the phone.
Mr Chua was arrested when he went to the meeting place. He told officers what he knew.
Police went to Lim's home and nabbed him. But by then, Lim had thrown away the SIM card he had used to contact Mr Chua and reformatted his mobile phone and computer.
However, he was forthcoming about his crimes when the police questioned him.
Lim was charged in court in September last year, but he offended yet again in December, when he cheated a man of $730 in the guise of selling him online game credits.
He was finally put away yesterday.