A university student has been let off with a suspended prison sentence after being caught using a password-stealing tool to harvest user account logins for gaming websites.
Twenty-two-year-old Paul McLoughlin pleaded guilty to stealing passwords from at least 100 victims and 20 user accounts, including one at his own place of study, Salford University, the Metropolitan Police Central e-Crime Unit (PCeU) said.
McLoughlin tricked victims into downloading what was claimed to be a software key to bypass game licensing, which had hidden within it the easily available and effective Windows password-stealing utility, iStealer.
Once installed, this tool was able to search for a range of passwords on the PC, including those for email, browsers, instant messaging, social networking, operating system login and his intended target, online gaming services.
The sentence handed down at Southwark Crown Court was 8 months, suspended for a year, which might have been higher had McLoughlin been motivated by money – police believe his focus was entirely on how stealing logins could help in his gaming activities.
“A prosecution and conviction for this particular offence is rare,” said the PCeU’s Detective Inspector Colin Wetherill by way of warning ‘recreational’ hackers not to underestimate the consequences of such a crime in future.
“In our efforts to keep the internet a safe place we will actively investigate and seek to prosecute - in conjunction with the CPS - online criminals making use of these techniques,” he said.
McLoughlin's activity came to light after a US resident and iStealer victim contacted Salford University, which contacted the police.
Coming in the same week that two UK teens were given suspended sentences for far more serious crimes by the same court, the PCeU clearly wants to send a message that what might to some appear minor crimes will still be pursued.
The case also underlines the way that tools such as iStealer represent a new front in DIY hacking. This program is easily available, can be used by non-programmers, and there are even a number of tutorials offering advice on binding it to an online database in order to automate the collection of stolen credentials.