Following a transnational law enforcement operation into spyware utilised by domestic violence perpetrators, a 24-year-old Australian man has been charged by police.
It is reported that the man created the software, a Remote Access Trojan (RAT) labelled 'Imminent Monitor', when he was only 15 years old.
The software, once installed on a victim's computer, would allow a user to control the targeted device and steal their personal information or spy on them by turning on the device's webcam and microphone. In other words, the software is a hacking program.
It could also log keystrokes, which would enable users to detect what their victim was typing in emails and other documents.
The spyware could be installed in numerous ways, with the most prominent way being 'phishing'.
This involves duping a victim into opening an email or text message, which leads to the RAT being installed.
During their investigation, the Australian Federal Police identified victims who were targeted by the software, as well as offenders who bought it.
The man sold the spyware to 14,500 individuals across 128 countries, with the AFP identifying 201 Australians.
The software could be used for financial gain, as well as "very intrusive and despicable crimes" as explained by AFP Commander Cybercrime Operations, Chris Goldsmid.
14.2% of Australia-based PayPal purchasers of the RAT were named as respondents on domestic violence orders.
The software cost roughly $35 (AUD) and was advertised on forums dedicated to hacking.
The man made between $300,000 – $400,000 from selling the spyware.
A team of cybercrime investigators worked on gathering intelligence regarding the spyware in order to shut it down – which the AFP successfully completed in 2019.
Once the AFP shut down the RAT in 2019, it stopped operating on all devices across the globe.
In 2019, the AFP received intelligence, which would lead to the Australian man's arrest.
Seach warrants were executed at the man's home, with investigators seizing a number of devices including a custom-built computer which contained code consistent with the development and use of the RAT.
The man was charged with numerous counts of producing and supplying data with intent to commit a computer offence.
He was also charged with aiding, abetting, counselling, or procuring the commission of an offence, (namely the unauthorised modification of data to cause impairment) and dealing with proceeds of crime.
Notably, whilst it was not a crime for persons to purchase the product, it is a crime to install the spyware on a victim's computer without their consent.
HOW TO PREVENT YOURSELF FROM CYBER CRIME AND HACKING?
To protect yourself from spyware, it is important to ensure that your devices' software and operating system are up to date, and that you only download apps and software from sources you can trust.
It is also important to avoid clicking on suspicious links or emails, and to keep your webcam covered when not in use.
If a device is infected, you may be able to tell where the internet is unusually slow, unknown processes are running or unknown programs are installed, and files have been modified or deleted.
The use of spyware, without the consent of a user, is considered 'cybercrime'.
CYBER CRIME AND HACKING STATISTICS IN AUSTRALIA
The Australian Cyber Security Centre received over 67,500 cybercrime reports, in the 2020 – 2021 financial year, which presents a 13% increase from the year prior.
These figures indicate that there is roughly one report of a cyber-attack every 8 minutes.
IS HACKING ILLEGAL?
The Commonwealth Criminal Code Act 1995 (Criminal Code) prescribes multiple computer crime hacking offences warranting imprisonment, fine and convictions. This includes hacking without consent. Below we outlined the types of cyber crimes and their penalties in Australia.
WHAT IS CYBER CRIME?
Cyber crime is the unauthorised access, use or modification of data, including the destruction of data or impairment of electronic communication. These cyber crimes or computer crimes have been criminalised thanks to the Criminal Code.
AUSTRALIA CYBER CRIME TYPES AND LAWS | COMPUTER CRIME
Below is an outline of some of the various types of cyber crimes in NSW and equally applicable across States and Territories of Australia. The penalties range from 3 to 10 years imprisonment.
Producing, Supplying or Obtaining Data with Intent for Data to be Used to Commit a Serious Computer Offence
It is an offence to produce, supply or obtain data with intent for that data to be used to commit a serious computer offence, or facilitate one, as per section 478.4 of the Criminal Code Act 1995 (Cth) (Criminal Code).
A maximum penalty of 3 years imprisonment is applicable.
It is immaterial whether the serious computer offence was possible to commit or not.
Producing, supplying, or obtaining data includes reference to data contained in a computer, data storage device or document.
Serious computer offences are outlined in Division 477 of the Criminal Code. Some of these are outlined below.
Unauthorised Access, Modification or Impairment with Intent to Commit a Serious Offence
As outlined in section 477.1, it is an offence to cause any unauthorised access, modification or impairment of data held in a computer or electronic communication to or from a computer.
The prosecution must prove that the accused knew the access, modification or impairment was unauthorised and that the person intended to commit, or facilitate the commission of, a serious offence by the access, modification, or impairment.
However, it is not necessary for the prosecution to prove that the accused knew the offence was an offence against a law of the Commonwealth, a State, or a Territory, or a serious offence.
A serious offence is an offence punishable by a period of up to 5 or more years of imprisonment.
The maximum penalty applicable, will be that which corresponds to the relevant serious offence outlined below.
Unauthorised Modification of Data to Cause Impairment
Section 477.2 specifically criminalises the unauthorised modification of data held in a computer.
Modification entails the alteration, removal, or addition of data.
The prosecution will need to prove that the accused knew the modification was unauthorised and that they were reckless as to whether the modification would impair access to data held in any computer or the reliability, security, or operation, of any such data. This carries a maximum penalty of up to 10 years of imprisonment.
However, a person may be guilty even if there was no actual impairment to the data.
Unauthorised Impairment of Electronic Communication
Section 477.3 specifically criminalises the authorised impairment of electronic communication to or from a computer, with the prosecution required to prove that the accused knew that the impairment was unauthorised. This carries a maximum penalty of up to 10 years of imprisonment.