MLB hacked by pirate site owner, attempted extortion for $150,000
posted Sunday Oct 31, 2021 by Scott Ertz
The past few years have seen everyone inundated with hacks, malware, and digital extortion. It hasn't mattered if you're an individual or an international megacorporation - everyone could come under fire from these tactics. This week, it was revealed that Major League Baseball (MLB) was the victim of hacking, as well as attempted extortion. But, the details are stranger than usual.
According to the Department of Justice,
JOSHUA STREIT, a/k/a "Josh Brody," was charged with conducting intrusions into Major League Baseball ("MLB") computer systems, and illegally streaming copyrighted content from MLB, the National Basketball Association ("NBA"), the National Football League ("NFL"), and the National Hockey League ("NHL"), in connection with a website STREIT operated that offered the illegally streamed content to the public for profit. In addition, STREIT is charged with extortion for attempting to extort approximately $150,000 from MLB. STREIT is expected to be presented today before a U.S. magistrate judge in the District of Minnesota.
The majority of this report is pretty common. We know that lots of individuals, organizations, and corporations have attempted to rebroadcast content over the internet, all without success. So, criminal charges filed against someone for trying again aren't all that surprising. FBI Assistant Director Michael Driscoll said,
We allege Mr. Brody hacked into the systems of several of our country's biggest professional sports leagues and illegally streamed copyrighted live games. Instead of quitting while he was ahead, he allegedly decided to continue the game by extorting one of the leagues, threatening to expose the very vulnerability he used to hack them.
What is surprising is that this seemingly small-time pirate thought that it was time for him to expand his personal empire by threatening a powerful corporation. And for such a small amount of money - $150k. The small amount was likely an attempt to stay under someone's discretionary spending, which for executives could be in that $200k range. But, it didn't work for a variety of reasons.
One of the primary reasons it failed was because the threat was to expose the method with which he had been stealing their content. But, of course, that alerts the company to the fact that there is an issue that can be exploited and therefore patched. So, this threat likely led, not only to the company not paying the extortion fee but also alerting them to a security issue that they could fix. So, not only would have lost out on the extortion, but he also loses his own ability to steal their content.
What's even better is the way in which Streit tried to get the MLB to pay him. He had reported the vulnerability to the league and then got offended when he was not offered any compensation for the information. He contacted an executive of the league, who informed him that there was no bug bounty program at the MLB, to which Steit responded, in his best 90s mob movie persona, Wouldn't it be a shame if the media found out about this vulnerability.
The executive again informed him there was no money available for him, but convinced him not to report it to the news. Streit once again said there should be money and, when asked how much he wanted, told the executive $150k - an amount FAR above normal bug bounty programs. All the while, Streit was charging $100 per year for access to the content he was stealing using the exact vulnerability he was reporting to the MLB.
This is an all around stupid attempt, for so many reasons. Reporting the exploit that you're using to charge money for stolen content, and demanding money from the organization AFTER the report. Seems like an easy, open and shut case.