Aussie InfoSec Researcher to Be Sentenced

Police Charged Researcher With Network Intrusion

An Australian computer security researcher will be sentenced May 1 after pleading guilty to several charges related to unauthorized intrusions into the network of GoGet, a vehicle sharing service.

Nikola Cubrilovic of Penrose was charged in January 2018 with gaining unauthorized access to GoGet's network and parlaying the access to use GoGet vehicles without consent more than 30 times between May and July 2017.

GoGet runs a fleet of 3,000 vehicles across five Australian cities that customers can rent by the hour or day.

Computerworld reports Cubrilovic faced 39 charges, but the majority of the charges have been dismissed. Cubrilovic, who is free on bail, pleaded guilty earlier this month to four charges of taking a vehicle without consent, one charge of dealing with identity information and one charge of obtaining a financial advantage. He was originally due to face trial this week.

Efforts to reach Cubrilovic via Twitter and LinkedIn were unsuccessful. A GoGet spokesman says the company has no comment.

Known Bug Hunter

Cubrilovic was known within the Australian computer security community and had received media attention for his research.

In 2015, he discovered cross-site scripting vulnerabilities within the government's myGov site, which lets people file their taxes and access a variety of other support services and benefits. According to The Age, Cubrilovic found he could use the flaws to hijack anyone's myGov account.

He was fairly prolific on Twitter until about a year before his arrest at his home in Penrose in January 2018. Police seized computers, laptops and storage devices.

Detectives with the New South Wales State Crime Command's Cybercrime Squad began investigating the GoGet situation around July 2017. The squad formed a task force, called Strike Force Artsy, to investigate unauthorized access into the administrative sections of GoGet's website.

Police said at the time that GoGet quickly approached police when it noticed irregularities, which aided in the investigation.

"With the assistance of company staff, investigators identified that unauthorized access was gained into the company's fleet booking system and customer identification information from the database was downloaded," according to a police news release on Jan. 31, 2018.

Police: Payment Cards Accessed

Security research can be a legally dicey area, and it's not unheard of for researchers to get into tangles. Companies have occasionally accused researchers of hacking and contacted law enforcement, but the situations are usually resolved without charges once the air clears.

But Cubrilovic's case did not appear to be one of misinterpreted but well-intended research.

Initially, he was charged with 33 counts related to using GoGet vehicles without consent, two counts of unauthorized access and "modification, or impairment with intent to commit serious indictable offense," police say.

Police say it didn't appear that some of the accessed customer information, which included a "small number" of payment card details, had been fraudulently used or distributed.


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



