Are You Being Sold Out by Your Own People?

The BBC World Service reported that their cyber correspondent was offered a deal by criminals to help hack the BBC. He reported that they messaged him, "If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC." Here’s his story and our advice on how you can reduce your risk when criminals reach out to your staff.

By Elleni Duncan

Elleni Duncan is an analyst, researcher and oversees TMC benchmarking studies.

The Offer

Joe Tidy said, “That was the message I received out of the blue from someone called Syndicate who pinged me in July on the encrypted chat app Signal. I was being offered a portion of a potentially large amount of money if I helped cyber criminals access BBC systems through my laptop.”

The offer came from Medusa, a ransomware-as-a-service (RaaS) operation that emerged in 2021. Medusa is known to employ a double extortion strategy, where it encrypts victim data and threatens to release sensitive information if the ransom is not paid.

The Negotiation

Joe replied that he was potentially interested but needed to know how it would work. He was told to give them his login details and security code then wait for his money. While he delayed, they upped their offer to 25% on an intended demand of tens of millions of dollars.

He asked them to prove that they weren’t just kids or someone trying to entrap him. They replied with a link to Medusa's darknet address and invited him to contact them through the group's Tox - a secure messaging service.

They also sent a link to Medusa's recruitment page where he could start the process of accessing 0.5 bitcoin, about $55,000. This was their guarantee that he would receive this much money at a minimum.

After no immediate action on his part, they sent a string of computer code with instructions to run it as a command on his work laptop.

The Attack

He delayed and delayed so they ran out of patience. They began MFA bombing his phone, sending pop ups which filled the screen with "Authenticator - confirm BBC login request" every minute.

Joe was too cautious to open up his chat app for fear of accidentally clicking accept. That would have given the criminals immediate access to his BBC account without raising flags with IT security as it would have looked like a standard password reset request. He reached out to the IT security team who disabled all of his privileges – no access to BBC files and no email. He then stopped responding to the criminals.

What if This Happens at Your Workplace?

As the criminals told Joe, there is no shortage of people that will jump at an offer like theirs. We recommend that, as part of your cybersecurity education program, you add information about this risk. It’s important for staff to know that criminals won’t deliver what they promise so there will be no great riches and that their employers will prosecute them with the aim of sending them to jail.

As a first step, feel free to share this article with all employees and contractors.

If you’d like to discuss how TMC can help you reduce the risk of employee caused cyber security breaches that you face, or to comment on this article, please email me at elleni.