Six charged over StubHub e-ticket heist for Elton John gigs

Compromised passwords re-used, say prosecutors

Six suspected cybercriminals have been indicted over their alleged involvement in a hack attack on eBay-owned ticketing website StubHub.

Thieves got into more than 1,600 StubHub customers' accounts and used their credit card details to fraudulently buy tickets for events through the online ticket reseller. The scam - reckoned to have cost the eBay subsidiary more than $1m in losses - was first detected in March 2013.

Around 3,500 tickets for gigs from the likes of Justin Timberlake and Elton John, as well as sports events and theatre plays, were sold to these compromised accounts.

"After investigating the receipts and transaction records of more than 1,600 illegally accessed accounts, analysts in the DA’s Office were able to trace the exchanges to internet protocol addresses, PayPal accounts, bank accounts, and other financial accounts used and controlled by" the suspects, according to a statement by the office of Manhattan District Attorney Cyrus R. Vance, Jr.

More than 1,000 accounts were compromised by crooks who used pre-existing credit card information associated with compromised accounts to purchase tickets without the cardholders’ authorisation. Separately, stolen credit card details were used to facilitate additional fraud.

The suspects were indicted in the New York State Supreme Court on varying counts of money laundering, grand larceny, criminal possession of stolen property, and identity theft, among other charges.

The six defendants, and the charges they face, are summarised in a statement here.

Three of the men charged by the US are from Russia, while the others are US residents who are alleged to have acted as ticket touts (scalpers). Daniel Petryszyn, 28, of New York, NY, Laurence Brinkmeyer, 29, of Bergen County, N.J., and Bryan Caputo, 29, of Hudson County, N.J., are charged with reselling tickets. Vadim Polyakov, 30, and Nikolay Matveychuk, 21, each face money laundering and identity theft charges. Sergei Kirin, a 37-year-old Russian, faces money laundering charges.

The Royal Canadian Mounted Police, the City of London Police, the US Secret Service and the New York City Police Department worked together on the investigation.

In a statement, StubHub blamed the exposure of customer records on third-party breaches and malware rather than faults in its own systems.

In 2013, StubHub was alerted to a small number of accounts that had been illegally taken over by fraudsters. Since then, StubHub has been working in close collaboration with law enforcement agencies around the world to find those responsible and bring them to justice. Our investigation of these unauthorized transactions led to the case being opened by the New York City District Attorney's Office. This combined effort culminated with the arrests announced today.

It is important to note, there have been no intrusions into StubHub technical or financial systems. Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers' PC.

Victims' accounts were therefore most likely exposed because they made the mistake of sharing the same passwords with other sites that had been compromised through earlier database breaches, so not much of what could accurately be described as computer hacking actually took place.

Gavin Millard, technical director at security tools firm Tenable Network Security, commented: "It appears that hackers utilised credentials from the other large breaches, which have been occurring regularly as of late. This has allowed them to gain access to StubHub customer accounts, enabling them to make fraudulent purchases.

"Unfortunately, with many users having poor password practices, attacks like this are only likely to increase, and will continue to do so until we either see providers shift away from a simple username/password authentication process, or until users start to improve their password habits. It is of critical importance that users understand the risk of using a single password for everything, and should be either coming up with a recipe to create unique passwords, or to invest in a password management application to do the job for them," he added.

Additional comment on infosec lessons to be drawn from the case can be found in a blog post by Sophos' Naked Security team here.

"This is the second time this year that eBay's been hit," notes Naked Security's Lisa Vaas.

"In May, the company owned up to a password breach, though it wasn't too horrific: eBay said at the time that forensics didn't show any evidence of unauthorized access or compromise to personal or financial information for PayPal customers - PayPal being eBay's payment arm," Vaas added.

There have been multiple high profile password breaches of late. Cybercrooks have been known to use the Adobe breach, for example, in recorded cases, so it would be a big assumption to think that the StubHub fraud is linked to the earlier eBay breach. ®
