7 Arrested, 3 More Indicted For Roles In Cyber Fraud Ring That Stung StubHub

Arrests made in New York state, London, Toronto, and Spain for money laundering, grand larceny, and using StubHub customers' credit cards to buy and sell 3,500 e-tickets to prime events.

Shelling out hundreds or thousands of dollars to buy marked-up tickets to "sold-out" events from opportunistic re-resellers on StubHub is bad enough. Yet, to add insult to injury, an international cyber fraud ring used 1,600 StubHub customers' accounts to buy, then sell, roughly $1.6 million of e-tickets. Today, law enforcement in New York State, London, and Toronto announced that 10 individuals have been charged with crimes in association with this fraud ring; so far, seven of those have been arrested.

In May 2013 StubHub discovered that over 1,000 customer accounts had been used for fraudulent ticket purchases. The fraudsters had obtained login data from other sources -- either through malware on user endpoints or by compromising the databases of sites not associated with the ticket reseller -- and then tried those same usernames and passwords on StubHub. Because many people reuse the same passwords from site to site, the fraudsters could log in to StubHub just like the legitimate customers.

In a statement, StubHub said:

It is important to note that there have been no intrusions into StubHub technical or financial systems. Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of keyloggers and/or other malware on the customers' PCs.

Once they were in, the fraudsters first lifted credit card data stored in some users' accounts. Then, they used other StubHub customers' accounts to actually buy the e-tickets with the first group's credit cards. This method allowed them to circumvent some of StubHub's security.
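The two stages described above leave two distinct traces in a ticket seller's own logs: a single source trying many different accounts (credential stuffing), and a purchase charged to a card that was stored under a different account than the one buying. The following is an added example, not StubHub's detection logic or anything from the article; the login events, card-on-file registry and purchases are constructed sample data, and the thresholds are illustrative assumptions.

```python
"""Added example: flagging the two stages of the StubHub fraud pattern
(credential stuffing, then paying from one account with a card stored in
another) over constructed sample events.  Not StubHub's own logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: (timestamp, source_ip, account, login_succeeded)
LOGIN_EVENTS = [
    ("2013-05-01T10:00:00", "203.0.113.5", "alice", False),
    ("2013-05-01T10:00:02", "203.0.113.5", "bob", True),
    ("2013-05-01T10:00:04", "203.0.113.5", "carol", False),
    ("2013-05-01T10:00:06", "203.0.113.5", "dave", True),
    ("2013-05-01T10:00:08", "203.0.113.5", "erin", False),
    ("2013-05-01T10:00:10", "203.0.113.5", "frank", True),
    ("2013-05-01T10:05:00", "198.51.100.7", "alice", True),   # ordinary login
    ("2013-05-01T11:00:00", "198.51.100.9", "bob", False),    # one typo...
    ("2013-05-01T11:00:30", "198.51.100.9", "bob", True),     # ...then success
]

# Constructed card-on-file registry: card token -> account that stored it
CARD_OWNER = {"tok_1111": "bob", "tok_2222": "dave", "tok_3333": "alice"}

# Constructed purchases: (timestamp, buyer_account, card_token, amount_usd)
PURCHASES = [
    ("2013-05-01T10:20:00", "frank", "tok_1111", 850.00),   # bob's card, frank's account
    ("2013-05-01T10:21:00", "frank", "tok_2222", 1200.00),  # dave's card, frank's account
    ("2013-05-01T12:00:00", "alice", "tok_3333", 95.00),    # alice paying with her own card
]


def stuffing_sources(events, window=timedelta(minutes=10),
                     min_accounts=5, min_fail_ratio=0.3):
    """Return {source_ip: {"accounts": n, "fail_ratio": r}} for every source that
    touched at least `min_accounts` distinct accounts inside `window` with a
    failure ratio of at least `min_fail_ratio`.  Per-account lockouts never
    fire on this pattern, because each account sees only one or two attempts;
    the signal lives in the per-source view."""
    by_src = defaultdict(list)
    for ts, src, acct, ok in events:
        by_src[src].append((datetime.fromisoformat(ts), acct, ok))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):               # sliding time window
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            accounts = {acct for _, acct, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            ratio = fails / len(chunk)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                best = flagged.get(src)
                if best is None or len(accounts) > best["accounts"]:
                    flagged[src] = {"accounts": len(accounts),
                                    "fail_ratio": round(ratio, 2)}
    return flagged


def card_account_mismatches(purchases, card_owner):
    """Purchases paid with a card token that some *other* account stored.
    Each row is (timestamp, buyer_account, card_token, card_owner_account)."""
    return [
        (ts, buyer, tok, card_owner[tok])
        for ts, buyer, tok, _amount in purchases
        if tok in card_owner and card_owner[tok] != buyer
    ]


if __name__ == "__main__":
    for src, info in stuffing_sources(LOGIN_EVENTS).items():
        print(f"credential-stuffing source {src}: {info}")
    for ts, buyer, tok, owner in card_account_mismatches(PURCHASES, CARD_OWNER):
        print(f"{ts}: account {buyer} paid with card {tok} stored by {owner}")
```

The per-source view is the point of the first check: a lockout that counts failures per account sees at most one or two attempts against any single customer and never fires, while the same attempts grouped by source show a handful of accounts and a high failure rate inside a few seconds. The second check is cheap because the payment system already knows which account stored each card token; it only has to compare that owner with the account placing the order.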

More than 1,600 accounts were accessed in all and more than 3,500 e-tickets -- to high-demand events like Knicks games and Jay-Z and Justin Timberlake concerts -- were bought to be resold. The profits were then directed to multiple PayPal accounts and off-shore bank accounts in Germany and the United Kingdom. Some of the money was further wired to money launderers in London and Toronto. All told, they are estimated to have defrauded StubHub out of $1.6 million.

StubHub contacted all the customers whose accounts had been compromised, refunded their money, and contacted law enforcement.

Today, Manhattan District Attorney Cyrus R. Vance, Jr. announced the indictment by the New York State Supreme Court of six individuals associated with the attack. (Vance's office has confirmed that the estimated losses and number of arrests have changed since the announcement was made this afternoon.)

Two of these men were arrested today. Another was arrested earlier this month by Spanish authorities while traveling abroad.

In addition to those charged by New York State, three arrests were made by the City of London Police and one more arrest was made by the Royal Canadian Mounted Police. The names of the four individuals arrested in Canada and the UK have not yet been released.

As for those indicted in the US:

  • Vadim Polyakov, 30, of Russia and Nikolay Matveychuk, 21, of Russia are charged with using StubHub account information and stolen credit card numbers to buy e-tickets, then sending them to a group of people in New York and New Jersey for resale. Polyakov was arrested July 3 in Spain.
  • Daniel Petryszyn, 28, of New York, Bryan Caputo, 29, of New Jersey, and Daniel Petryszyn, 28, of New York, are charged with reselling stolen tickets, then sending the criminal proceeds to PayPal accounts and bank accounts in Germany and the UK. Petryszyn and Caputo were arrested this afternoon.
  • Sergei Kirin, 37, of Russia, is charged with money laundering. He allegedly wired money to money launderers in London and Toronto.

"Cybercriminals know no boundaries," said District Attorney Vance in today's announcement. "They do not respect international borders or laws. Today's arrests and indictment connect a global network of hackers, identity thieves, and money-launderers who victimized countless individuals in New York and elsewhere. The coordinated actions of law enforcement officials in New York, New Jersey, the United Kingdom, and Canada demonstrate what can be achieved through international cooperation."

City of London Police Commissioner Adrian Leppard said in today's announcement, "This represents a milestone in the working relationship we have developed with the New York County District Attorney’s Office to target what is truly international organized crime. This is an important investigation."

While law enforcement is bringing in the bad guys, security experts are quick to say that end users need to take responsibility for their own role in these crimes.

"Password reuse is the end-user's responsibility," said Andy Rappaport, chief architect of Core Security. "These customers are fortunate Stubhub reimbursed them. If you’re not already, start using a password manager."

"It looks like these attackers were able to get ahold of users’ credentials by accessing information exposed by other data breaches -- we’ve certainly seen plenty of those this year -- or from keyloggers or other malware on the account holders' computers," said John Prisco, President and CEO of Triumfant. "You’ve been told to spot and avoid social engineering attacks, but that’s easier said than done. ... Of course, if StubHub’s login process required two-factor authentication, it would be significantly more difficult for an attacker to take over your account."
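The second factor Prisco refers to is usually a time-based one-time code checked on the server, so that a reused password alone no longer logs the attacker in. The following is an added example of such a server-side check, implementing the TOTP algorithm of RFC 6238 on top of HOTP (RFC 4226); it is not StubHub's code. The secret is the reference secret from those RFCs so the output can be compared with the published test vectors, and the user name and verifier class are constructed for illustration.

```python
"""Added example: server-side TOTP (RFC 6238) verification, the kind of second
factor the quote above refers to.  Not StubHub's code; the user record and the
verifier class are constructed for illustration."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret, used only so the result is checkable
# against the published test vectors (counter 1 / time 59 -> "287082").
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Checks a submitted code, tolerating +/- `window` steps of clock drift,
    and refuses any counter at or below the last one accepted for the user so
    that a code captured by malware cannot be replayed inside the window."""

    def __init__(self, step=30, digits=6, window=1):
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = {}          # user -> highest accepted counter

    def verify(self, user: str, secret: bytes, submitted: str, for_time=None) -> bool:
        now = time.time() if for_time is None else for_time
        base = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter.get(user, -1):
                continue                # already used (or older): replay
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(DEMO_SECRET, for_time=59)          # "287082" per RFC 6238
    print(code, v.verify("demo", DEMO_SECRET, code, for_time=59))   # True
    print(v.verify("demo", DEMO_SECRET, code, for_time=61))         # False: replay
```

Two details matter in practice beyond the arithmetic: the comparison uses `hmac.compare_digest` so the check does not leak how many leading digits matched, and the verifier remembers the last accepted counter per user, because a keylogger on the customer's PC (the very vector the article describes) can capture a code and a replay within the same 30-second step would otherwise succeed.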

"This attack highlights that the weakest point in security is not through servers but rather through consumers," said Richard Westmoreland, lead security analyst of SilverSky. "Best practices suggest people should use unique passwords for every account -- but in reality this is difficult to manage when it is common to have dozens of accounts. 'New' best practices should include the use of varying passphrases that are easy to remember for each site, such as 'I like t0ast at facebook,' 'I like t0ast at twitter,' etc., or using a reputable password manager such as 1Password or Lastpass."

"When someone reuses a password across multiple sites, it is only as strong as the weakest link," said Phillip Dunkelberger, CEO of NNL. "By using the same password to access your local pizza delivery account as you use to access your bank account, or in this case your Stubhub account, you can have serious implications for financial or other sensitive data."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
7/25/2014 | 8:36:24 AM
Re: Alternate Method
Never thought of it like that. That does make sense to a certain extent. However, I think a password vault with algorithmic password generation may be the safest method because if you choose passwords that support life experiences it makes you more vulnerable to social engineering and dictionary attacks. I feel like every methodology has one flaw or another though.
User Rank: Apprentice
7/24/2014 | 6:16:56 PM
Re: Alternate Method
A good method to follow is to create an algorithm of your own.

Before that, make a conscious decision to categorize the sites into two categories - those requiring financial information and those that don't. Have one set of passwords for sites needing credit card information and another set (can be all the same) for other sites that don't.

Passwords are easy to remember as long as they are connected to an event in your life. With event date and place combo as password algorithm, it serves two purposes. It will help you to recall events with correct factual information and then help you to remember the password to be used for the site making it extremely difficult for the hackers to guess your password combos or algorithms. 

The same principle can be used for the usernames unless the site forces you to use your email id as a login.
User Rank: Ninja
7/24/2014 | 1:50:46 PM
Alternate Method
It is never a good idea to keep the same passwords, but then there is an issue with people remembering multiple complex passwords. The same ideology for creating DNS (people can't remember all those numeric addresses) is the same reason people are using the same password. It's difficult to manage many logins with different password complexities.

There are alternate methods such as password vaults and SSO that can help with secure password management. Does anyone know of another way to easily yet securely manage your passwords?