A cyber correspondent was offered money by criminals to help them hack into the BBC. They wanted his login password and security codes. It became unsettling when they tried to force his hand. #cybercrime #hackers #BBC #security #technology
0:00
The BBC cyber correspondent Joe Tidy was
0:03
recently approached by criminals
0:04
offering him money to help hack the
0:06
corporation. He was offered a 15% cut of
0:10
any ransom payment if he agreed to
0:12
cooperate. Well, Joe played along with
0:14
them for a couple of days before things
0:16
turned ugly and Joe is here with us now.
0:18
How did this start?
0:20
Well, I sometimes speak to these cyber
0:21
crime gangs. Sometimes I reach out to
0:23
them. Sometimes they talk to me for
0:24
stories and for research. But this was
0:26
an unsolicited message I got on Signal,
0:28
the encrypted app. And they said, as you
0:30
say, 15% give us your login password and
0:33
security codes. And we'll get into the
0:34
BBC. And the plan was that they would
0:36
break into the BBC and then either steal
0:38
lots of private data or they would
0:40
encrypt the servers of the BBC and then
0:42
demand a ransom payment. We see it all
0:44
the time. This is how the ecosystem
0:46
works. They estimated they would get
0:48
tens of millions of pounds worth of
0:49
ransom if the BBC paid, which I doubt
0:52
they would, but if they did, um, and I
0:54
would get 15%. They actually upped the
0:55
offer to 25% at one stage. So, I spoke
0:58
to senior editors here and I decided to
0:59
sort of play along because this is
1:01
really a firsthand insight into this
1:03
part of the cyber crime world that we
1:05
don't really know much about. It's
1:06
called the the insider threat and it
1:08
does happen. People make deals with
1:09
hackers sometimes. You don't really hear
1:11
about it, but it does happen. So, I
1:12
wanted to play along and see what
1:13
happened. And in the end, I I sort of
1:15
said to them, well, how do I know that
1:16
you're real? How do I know you're not
1:17
trying to entrap me or scam me? And they
1:19
they agreed to put half a bitcoin in
1:21
some sort of deposit system for me,
1:23
which is $55,000 worth. So, how long did
1:26
it take before it became unpleasant?
1:28
I was talking to them about three days
1:30
and it went into sort of Sunday
1:31
afternoon and they wanted me to run a
1:33
piece of code on my laptop to start the
1:35
planning for their hack. You know, what
1:36
kind of IT access do I have? I don't
1:38
have much IT access as a reporter, but
1:40
they didn't know that. So, I thought
1:41
sort of tried to stall them for time.
1:43
They ran out of patience and they
1:45
started uh effectively trying to force
1:47
my hand. So they carried out what we
1:48
call an MFA bomb, a multifactor
1:50
authentication bomb where they
1:52
repeatedly try and password reset my
1:54
account and I had that my phone was
1:55
unusable for a couple of hours because
1:57
it's just every minute I was getting
1:58
these requests coming in and if I'd have
2:00
pressed accept, they'd have been in. I
2:03
was in control the whole time, but it
2:05
was unsettling.
2:06
It must have been immensely unsettling.
2:07
I mean, you've sort of alluded to why a
2:09
BBC login would be uh of appeal to them.
2:12
It's about money.
2:14
It's about money. And also it's really
2:15
important to remember that cyber
2:16
criminals are lazy. So they will find
2:18
the easiest way into an organization
2:20
that they can. Sometimes that is by
2:22
going on a forum and finding an access
2:24
broker who has a password and you know
2:26
username for a certain organization. And
2:28
sometimes it is and I think this is rare
2:30
but sometimes we do hear about them
2:31
going directly to employees to try and
2:33
let them give them the foothold into an
2:35
organization.
2:36
I'm pleased to say that you fully
2:37
embodied the BBC values in your approach
2:39
to this Joe. Um and the director general
2:41
would be especially glad. Um but it is
2:44
the serious message is here is that that
2:45
we are all potentially vulnerable.
2:47
Yeah. And I think the the most sort of
2:49
interesting thing for me carrying out
2:51
this kind of experiment was just to see
2:53
how persuasive and aggressive these
2:55
cyber criminals are. And I thought to
2:56
myself if I was a disgruntled employee
2:59
or if I was hard up for cash, it would
3:01
be a potentially lucrative and pleasing
3:04
offer to to to get. And only a few days
3:07
before I got this message, there was a
3:09
story out of Brazil that someone had
3:10
done this. They'd sold their username
3:12
and password to some cyber criminals
3:14
which led to apparently about 100
3:16
million worth of damage to the bank that
3:18
was that was hacked.
3:19
And was the person who shared the
3:20
information found arrested? Yeah,
3:24
there you go. That's why you did the
3:25
right thing. Joe, thank you very much.
3:27
Fascinating and alarming. Thank you very
3:29
much, Joe.


