
Man admits phishing e-mail accounts to download films

A 25-year-old man was placed under probation for 18 months today after a court heard how he used to access people’s internet accounts to download films.

The court was told that Jonathan Cutajar would access a list of the users’ email accounts on his service provider’s website and then guess their password and username based on the fact that many e-mail accounts featured the owners’ names and surnames.

The police started to investigate after customers complained to the service provider.

The court placed the accused under probation after considering that he had admitted the crime and was a first-time offender.


Comments

Graham Crocker (on 12/7/09)
David Schiavone, theoretically sound, but practically impossible. Do you know how many times I've found passwords on sticky notes in work places?

What I did was simple; I got 2 of my favorite words, added numbers and capitals where appropriate, and I have an unbreakable 22 character password that I will always remember.
David Schiavone (on 13/5/09)
Guys.. Coming from a Security Awareness Environment, I urge all users to make use of an alphanumeric type of password such as - CaNUBr3akPa$$7899 -- A password like this would in turn help to have even better security controls. Guys, be aware, online services are available to everyone and up to a certain extent online user accounts are subject to anonymous hacking, so beware and ensure that you have proper strong usernames & passwords. Also ensure that you have an antivirus installed on your PC and a proper firewall. Wireless connections should also be properly secured and switched off when not in use.
Chris Cassar (on 13/5/09)
The crime has nothing to do with phishing, it was an email sent in the name of one of our local ISPs requesting the username and password of its clients or else their email account would close to save on server space. A lot of people fell for it, thinking it was real. They sent their email's username and password, which are the same as the ADSL's login accounts. He took all those accounts to get a lot of download space to start downloading a lot of films.
C.Galea (on 12/5/09)
@A.Tabone - would you insist so had one email account this guy guessed username and password, been yours? Had he so accessed all your online correspondence, possibly now knowing all your confidential banking information, private letters intended to remain private, attached business documents, attached photographs, emails sent to your lawyer or medical practitioner.... it's impossible listing every possible email subject - and the serious consequences one might have to face for them falling in the wrong hands!

@Joe Fenech - no ISP is at fault here. It's only "John Brown's" fault if he doesn't change his password from "johnbrown" to one less guessable!

@Edward Bartolo - he didn't break into any server. He might hack hotmail email accounts (which have no relation to local ISPs whatsoever) in the same way.

The lessons to learn here are:

1) Never try, not even intending it as a joke, to attempt guessing one's password - it's a crime if you succeed no matter the reason why you did it or how easy it had been to hack.

2) For heaven's sake, always use sensible and secure passwords - never family names, the name of your house etc...
A. Tabone (on 12/5/09)
In my opinion, a traffic offense such as excessive over speeding is a greater crime than this one, yet is treated with less harshness. What a waste of the valuable court's time and what an unbalanced justice system.
Julian Borg Barthet (on 12/5/09)
A certain ISP with a different means of transport than ADSL can have transferable accounts, due to them not being accessible from a telephone line. This is the same thing as hijacking an unsecured wifi signal from your neighbour. This shouldn't have ended up wasting the court's time, this is a combination of the ISP and Subscriber being at fault. 1. The ISP not utilising a random alpha-numeric password at source when the customer applies for the service 2. The Subscriber not changing their password. One of the largest ISPs had made up a password on the spot utilising a combination of initials and location information as my password, until I felt inclined to change it immediately when I hooked up my account.

Secondly to all the people commenting on this article (which is not a BLOG and I wish people would stop calling it one) this issue is not about PIRACY even though it should have been. Possibly another case and another charge.

As Mario Camilleri said, this is not PHISHING!
Joe Cordina (on 12/5/09)
Downloading per se is not a crime. It is the How and the Where that makes it a crime. However in this case the crime consisted of breaking into other people's accounts by guessing or finding passwords. In this sense it is similar to a burglar breaking into a house either by forcing open an aperture or by using a false key. Our criminal code had been recently amended in the sense that we have specific legislation in regards to computer misuse. One cannot access other persons' accounts without authorisation for whatever reason, even for mere browsing.
Graham Crocker (on 12/5/09)
A. Saliba,
Well, you're more likely to be monitored by the FBI than by the Maltese Police, they just don't have the resources to monitor everybody.
Anne Bon
That law wouldn't really make sense, downloading films is considered theft in many countries.
Selling illegal copies is breach of copyright.
edward bartolo (on 11/5/09)
The crime is that he broke into the service provider's server - that is simply illegal.

People should appreciate and learn that it is their responsibility to create a password that is difficult to guess. Using a child's name, a pet's name, a friend's name, a date of birth etc, is not a password at all. It is useless to have a secure connection if the chosen passwords are easy to crack.
Joe Fenech (on 11/5/09)
Why doesn't the police investigate the service providers for poor security?!
Piero Timpano (on 11/5/09)
@ A. Saliba: The download of material is not illegal, however.. The watching / using of said material IS: You can have as much material as you wish on a PC, as long as they have never been used! As soon as you watch / listen / use a file, you are breaking the law.

@the internet providers on this island... Isn't it about time you changed the password form away from telephone numbers / surnames to something SECURE! And how about TRAINING / Setting up people's wireless connections to secure connections?? especially when YOU provide the routers!
Jeremy Pullicino (on 11/5/09)
The title of this article is misleading.

"Phishing" is when someone sends an email falsely claiming to be someone else, usually an established company. What this man did is intelligently guess users' passwords; this is called a "brute force" attack.

Internet users should be aware of both risks. To protect against phishing it is advised to double check the source of emails by phoning the company claiming to be sending it. To protect against people guessing passwords, try to make passwords longer and less obvious.
Anne Bon (on 11/5/09)
As far as I know, if it's for personal use it's legal. It would be illegal if one made copies to sell etc...
A. Saliba (on 11/5/09)
Is downloading stuff legal in Malta? It seems like the man was only placed under probation for using other people's accounts and not for the downloading. Can anybody confirm this?
oliver Cini (on 11/5/09)
If this is true there is a huge problem with the ISPs, since net lines should be allocated to the line itself, not the account created. For example, I have ADSL, I can use it from work even if at work we have ADSL, cos the line is allocated to the line itself. And also other services, plus what kind of accounts did he break? Maybe via wireless from behind a door? That is not infringement since the owner of the account left it open, that is not hacking. That is free to air. There is something not clear here, maybe they were peer to peer accounts, which on the other hand are not located in Malta, therefore they are not breaking Maltese law. Plus how did he get into this? Were ISPs monitoring his IP and MAC address? If that is the case, part of the fault should be of the ISPs for a lack of security. And downloading film for own use is not illegal. What is illegal is selling or making profit out of them after the download.
David Meilak (on 11/5/09)
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT Administrators are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users,[2] and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. http://en.wikipedia.org/wiki/Phishing
Jay Cliff (on 11/5/09)
Hardly surprising - the password assigned to my email and "web-space" by my _major_ ISP was simply my initial and surname!
Mario Camilleri (on 11/5/09)
This is plain and simple password guessing - not phishing. I'm surprised he admitted to phishing given the circumstances described in this article.
