Six charged over StubHub e-ticket heist for Elton John gigs

Compromised passwords re-used, say prosecutors

Six suspected cybercriminals have been indicted over their alleged involvement in a hack attack on eBay-owned ticketing website StubHub.

Thieves got into more than 1,600 of StubHub customers' accounts and used their credit card details to fraudulently buy tickets for events through the online ticket reseller. The scam - reckoned to have cost the eBay subsidiary more than $1m in losses - was first detected in March 2013.

Around 3,500 tickets for gigs by the likes of Justin Timberlake and Elton John, as well as sports events and theatre plays, were sold to these compromised accounts.

"After investigating the receipts and transaction records of more than 1,600 illegally accessed accounts, analysts in the DA’s Office were able to trace the exchanges to internet protocol addresses, PayPal accounts, bank accounts, and other financial accounts used and controlled by" the suspects, according to a statement by the office of Manhattan District Attorney Cyrus R. Vance, Jr.

More than 1,000 accounts were compromised by crooks who used pre-existing credit card information associated with compromised accounts to purchase tickets without the cardholders’ authorisation. Separately, stolen credit card details were used to facilitate additional fraud.

The suspects were indicted in the New York State Supreme Court on varying counts of money laundering, grand larceny, criminal possession of stolen property, and identity theft, among other charges.

The six defendants, and the charges they face, are summarised in a statement here.

Three of the men charged by the US are from Russia, while the others are US residents who are alleged to have acted as ticket touts (scalpers). Daniel Petryszyn, 28, of New York, NY, Laurence Brinkmeyer, 29, of Bergen County, N.J. and Bryan Caputo, 29 of Hudson County, N.J., are charged with reselling tickets. Vadim Polyakov, 30, and Nikolay Matveychuk, 21, each face money laundering and identity theft charges. Sergei Kirin, a 37-year-old Russian, faces money laundering charges.

The Royal Canadian Mounted Police, the City of London Police, the US Secret Service and the New York City Police Department worked together on the investigation.

In a statement, StubHub blamed the exposure of customer records on third-party breaches and malware rather than faults in its own systems.

In 2013, StubHub was alerted to a small number of accounts that had been illegally taken over by fraudsters. Since then, StubHub has been working in close collaboration with law enforcement agencies around the world to find those responsible and bring them to justice. Our investigation of these unauthorized transactions led to the case being opened by the New York City District Attorney's Office. This combined effort culminated with the arrests announced today.

It is important to note, there have been no intrusions into StubHub technical or financial systems. Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers' PC.

Victims' accounts were therefore most likely exposed because they made the mistake of sharing the same passwords with other sites that had been compromised through earlier database breaches, so not much of what could accurately be described as computer hacking actually took place.

Gavin Millard, technical director at security tools firm Tenable Network Security, commented: "It appears that hackers utilised credentials from the other large breaches, which have been occurring regularly as of late. This has allowed them to gain access to StubHub customer accounts, enabling them to make fraudulent purchases.

"Unfortunately, with many users having poor password practices, attacks like this are only likely to increase, and will continue to do so until we either see providers shift away from a simple username/password authentication process, or until users start to improve their password habits. It is of critical importance that users understand the risk of using a single password for everything, and should be either coming up with a recipe to create unique passwords, or to invest in a password management application to do the job for them," he added.

Additional comment on infosec lessons to be drawn from the case can be found in a blog post by Sophos' Naked Security team here.

"This is the second time this year that eBay's been hit," notes Naked Security's Lisa Vaas.

"In May, the company owned up to a password breach, though it wasn't too horrific: eBay said at the time that forensics didn't show any evidence of unauthorized access or compromise to personal or financial information for PayPal customers - PayPal being eBay's payment arm," Vaas added.

There have been multiple high profile password breaches of late. Cybercrooks have been known to use the Adobe breach, for example, in recorded cases, so it would be a big assumption to think that the StubHub fraud is linked to the earlier eBay breach. ®
