SINGAPORE, July 31 — A 28-year-old nightclub bouncer carried out an elaborate phishing plot to trick women into sending him their nude photographs by pretending to be their Facebook friends.

Muhammad Rostam Rahim committed the offences for over two years, from October 2015 to February this year.

Thirty-one people fell victim to his ruse – at least eight of whom sent pictures to him thinking it was to someone they knew.

Court documents did not state when or how his crimes were discovered.

Rostam was the first person to be prosecuted for violations under the Computer Misuse and Cybersecurity Act, and yesterday, he was sentenced to three years and five months’ jail. He was also fined S$5,000 (RM14,906.50), and will stay behind bars for two more weeks if he is unable to pay it.

Rostam had pleaded guilty in May to 46 out of 163 charges. The remaining charges were taken into consideration for sentencing.

He admitted to cheating by impersonation, including collecting Facebook log-in credentials from unsuspecting users via phishing links that look identical to the social media site.

Phishing is a method of collecting sensitive data, such as banking, credit card details and social media passwords, from victims by posing as a legitimate institution.

The court heard in May that Rostam logged in to his victims' Facebook accounts and interacted with friends of the victims to ask for photographs of their breasts. He pretended that he was representing a modelling agency, or was running a breast cancer screening campaign.

Rostam was able to do this partly due to a weak link between Facebook and Hotmail accounts that were not in use.

If a Hotmail user does not use his email account for more than 270 days or does not log into the account within 10 days of signing up for the account, it is deactivated and terminated. This means that the Hotmail username becomes available to be selected by another user, which can be registered as a new email account by that user.

Exploiting this, Rostam would search for Facebook accounts which use Hotmail sign-ins, check with Hotmail if the account still existed, then register for a Hotmail account using the user ID if it had been terminated.

He would then use the "reset password” function on Facebook to send an email to the associated Hotmail account that he managed to register.

He also picked up a phishing method from a YouTube video where he learned to set up phishing links, which he used to get unsuspecting Facebook users to reveal their usernames and passwords.

These links invited victims to view photographs or take part in personality quizzes, provided they key in their Facebook log-in credentials. He generated these links through a third-party website, which offered him a selection of websites — including Facebook — to imitate.

After he gained access to his victims' account using this method, he went further by sending the phishing links to different individuals on their "friends" list in attempt to obtain their log-in credentials as well.

In one particular case on April 17, 2016, Rostam gained access to the Facebook account of a 23-year-old female friend, using it to reach out to a 20-year-old woman on her friends list and who wanted to be a bridal model.

Rostam asked for photos of her naked so that he could "know her sizes” and determine which bridal gowns would fit her properly. The woman sent them to him, believing that she was communicating with her female friend.

He later managed to take control of the woman's aunt's Facebook account. Pretending to be her aunt, he told the same 20-year-old on that same day that "she” was suffering from breast cancer and wanted to spend more time with her.

He then asked for photographs of her in her underwear and more pictures of her, explaining that these would be used to get her modelling contracts.

The victim was not suspicious as she had previously told her aunt that she was interested in modelling, and sent those photos along with a video.

While still pretending to be her aunt, Rostam also told the victim that he was going to die soon and that he wanted to see her touch her private parts. Again, she took a video of herself and sent it.

In passing sentence, District Judge Jasvender Kaur noted the prevalence of phishing, the "serious invasion of privacy” and large number of victims. Rostam had also reoffended after initially being charged in December 2017.

While an Institute of Mental Health report on Dec 7, 2016 certified that Rostam was diagnosed with fetishism, the judge said that he had full control of himself, as evidenced by the "high degree of planning and premeditation”.

For cheating by personation, Rostam could have been jailed up to five years and/or fined for each charge. For obtaining the log-in credentials, he could have been jailed up to three years and/or fined up to S$10,000.

For each charge of accessing his victims' Facebook accounts, he could have been jailed for up to another two years or fined another S$5,000. For each password he changed, he could have faced a jail term of up to three years or a fine of up to S$10,000. — TODAY