Gamer sentenced for stealing Steam passwords

A former University of Salford student has received an eight-month suspended sentence for harvesting details to play on the Steam platform, in a rare conviction under the Computer Misuse Act

A former University of Salford student has been given a suspended sentence for stealing online gaming credentials, in a rare conviction under anti-hacking laws.

Paul McLoughlin, 22, was given a sentence of eight months — suspended for 12 months — at Southwark Crown Court on Monday. The Liverpool man pleaded guilty in April to harvesting usernames and passwords from at least 100 people, according to the Metropolitan Police.

"A prosecution and conviction for this particular offence is rare," detective inspector Colin Wetherill of the Police Central eCrime Unit (PCeU) said in a statement on Tuesday.

McLoughlin was charged under section 3A of the Computer Misuse Act 1990, which forbids the adaptation of a program to gain unauthorised access to computers.

The University of Salford contacted the police after it received a complaint from a US resident regarding the theft of personal details. The police worked with the academic institution and with security company McAfee to gather evidence.

"The PCeU worked very closely with McAfee and acknowledge their contribution in gathering evidence that enabled an early arrest to be made and a successful conviction," said Wetherill.

The police asked McAfee to perform analysis on the malware, Alex Hinchliffe, a malware research manager in the security company's European division, told ZDNet UK.

Istealer software

McLoughlin wrapped password-stealing software called Istealer in various progams, including a game called Prototype, according to Hinchliffe. He also piggybacked the malware on programs promising to crack copyright protection on some gaming platforms.

The Istealer tool is a Trojan-creation kit with a wizard that let users select the particular types of password they want to steal. McLoughlin specified the details he wanted to grab, including passwords for the Steam online gaming platform, so he could play games logged in as another user and avoid payment.

McLoughlin also kept some of the default settings. These aimed to steal passwords for Google Talk, MSN IM and AIM. They also logged Firefox profiles and Internet Explorer intelliforms, which store personal details to allow the autofilling of web forms.

McLoughlin seeded the poisoned programs on different websites, including the RapidShare file-hosting site, Hinchliffe added.

Once people downloaded the programs, the Istealer program harvested usernames and passwords. The data was sent to an FTP server set up by McLoughlin to receive and manage the passwords, which he used to access 20 accounts.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
Show Comments