MELAKA: A hacker is trying to cash in on the obsession with honorary titles by offering to unlawfully insert names into an official website that lists genuine recipients of such awards.
The website belongs to Bahagian Istiadat dan Urusetia Persidangan Antarabangsa (Biupa), a protocol unit under the Prime Minister’s Department.
Biupa is responsible for listing the recipients of federal and state honorary titles.
A 33-year-old car salesman who asked to be identified only as Sam said the hacker sent out a WhatsApp message offering his services in early November.
Sam said he was sceptical about the services offered by the hacker, who called himself “Zacky”.
The message told recipients to visit the Biupa website at www.istiadat.gov.my to check whether or not their names were listed there.
Those who wanted to be listed in the system were told to call the telephone number included with the message.
A service fee of between RM2,000 and RM5,000 is charged.
Those who called Zacky said he claimed that he was appointed to add the names of award recipients into the system.
Zacky is also said to offer another service in which he charges an exorbitant sum for those with dubious titles to get listed on the site.
However, The Star’s attempts to contact Zacky at the number provided went unanswered.
It is learnt that officials from Biupa found about 50 dubious names – people who were not recipients of any federal or state title – in the system in November and have rectified the listing so that the website now shows only actual recipients of awards.
Top officials from the unit also lodged two police reports at Putrajaya police headquarters between Nov 15 and 24 over the scam.
For the record, access to the website is only granted to Biupa officials and the hacker apparently managed to infiltrate a highly secure site where others had tried before and failed.
It is believed that Zacky used a common attack vector known as SQL injection to infiltrate the site. SQL injection uses malicious code to manipulate a database and access confidential information.
A successful SQL injection could also enable a hacker to gain administrative rights to a website.
MCA Public Services and Complaints Department head Datuk Seri Michael Chong said the hack was startling.
“If they got into a government website, it is very serious.
“The authorities should come down hard on the hacker to deter future incidents,” he said when contacted yesterday.
Chong, who is also an exco member of the Council of Federal Datuks Malaysia, added that fake titles were becoming rampant but the cases of which he is aware mostly involve fake identification cards and medals.
“Our (cyber) security should be increased.
“Those responsible for this should be charged under the Prevention of Crime Act,” he added.