Six charged over StubHub e-ticket heist for Elton John gigs

Compromised passwords re-used, say prosecutors

Concert tickets Creative Commons licence by flickr user NZ Hamstar

Six suspected cybercriminals have been indicted over their alleged involvement in a hack attack on eBay-owned ticketing website StubHub.

Thieves got into more than 1,600 of StubHub customers' accounts and used their credit card details to fraudulently buy tickets for events through the online ticket reseller. The scam - reckoned to have cost the eBay subsidiary more than $1m in losses - was first detected in March 2013.

Around 3,500 tickets for gigs from the likes of Justin Timberlake, Elton John, as well as sports events and theatre plays were sold to these compromised accounts.

"After investigating the receipts and transaction records of more than 1,600 illegally accessed accounts, analysts in the DA’s Office were able to trace the exchanges to internet protocol addresses, PayPal accounts, bank accounts, and other financial accounts used and controlled by" the suspects, according to a statement by the office of Manhattan District Attorney Cyrus R. Vance, Jr.

More than 1,000 accounts were compromised by crooks who used pre-existing credit card information associated with compromised accounts to purchase tickets without the cardholders’ authorisation. Separately, stolen credit card details were used to facilitate additional fraud.

The suspects were indicted in the New York State Supreme Court on varying counts of money laundering, grand larceny,criminal possession of stolen property, and identity theft, among other charges.

The six defendants, and the charges they face, are summarised in a statement here.

Three of the men charged by the US are from Russia, while the others are US residents who are alleged to have acted as ticket touts (scalpers). Daniel Petryszyn, 28, of New York, NY, Laurence Brinkmeyer, 29, of Bergen County, N.J. and Bryan Caputo, 29 of Hudson County, N.J., are charged with reselling tickets. Vadim Polyakov, 30, and Nikolay Matveychuk, 21, each face money laundering and identity theft charges. Sergei Kirin, a 37-year-old Russian, faces money laundering charges.

The Royal Canadian Mounted Police, the City of London Police, the US Secret Service and the New York City Police Department worked together on the investigation.

In a statement, StubHub blamed the exposure of customer records on third-party breaches and malware rather than faults in its own systems.

In 2013, StubHub was alerted to a small number of accounts that had been illegally taken over by fraudsters. Since then, StubHub has been working in close collaboration with law enforcement agencies around the world to find those responsible and bring them to justice. Our investigation of these unauthorized transactions led to the case being opened by the New York City District Attorney's Office. This combined effort culminated with the arrests announced today.

It is important to note, there have been no intrusions into StubHub technical or financial systems. Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers' PC.

Victims' accounts were therefore most likely exposed because they made the mistake of sharing the same passwords with other sites that had been compromised through earlier database breaches, so not much of what could accurately be described as computer hacking actually took place.

Gavin Millard, technical director at security tools firm Tenable Network Security, commented: "It appears that hackers utilised credentials from other the large breaches, which have been occurring regularly as of late. This has allowed them to gain access to StubHub customer accounts, enabling them to make fraudulent purchases.

"Unfortunately, with many users having poor password practices, attacks like this are only likely to increase, and will continue to do so until we either see providers shift away from a simple username/password authentication process, or until users start to improve their password habits. It is of critical importance that users understand the risk of using a single password for everything, and should be either coming up with a recipe to create unique passwords, or to invest in a password management application to do the job for them," he added.

Additional comment on infosec lessons to be drawn from the case can be found in a blog post by Sophos' Naked Security team here.

"This is the second time this year that eBay's been hit," notes Naked Security's Lisa Vaas.

"In May, the company owned up to a password breach, though it wasn't too horrific: eBay said at the time that forensics didn't show any evidence of unauthorized access or compromise to personal or financial information for PayPal customers - PayPal being eBay's payment arm," Vaas added.

There have been multiple high profile password breaches of late. Cybercrooks have been known to use the Adobe breach, for example, in recorded cases, so it would be a big assumption to think that the StubHub fraud is linked to the earlier eBay breach. ®

Sponsored: Minds Mastering Machines - Call for papers now open

Biting the hand that feeds IT © 1998–2018