Endpoint // Authentication
7/23/2014
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

7 Arrested, 3 More Indicted For Roles In Cyber Fraud Ring That Stung StubHub

Arrests made in New York state, London, Toronto, and Spain for money laundering, grand larceny, and using StubHub customers' credit cards to buy and sell 3,500 e-tickets to prime events.

Shelling out hundreds and thousands to buy marked-up tickets to "sold-out" events from opportunistic re-resellers on StubHub is bad enough. Yet, to add insult to injury, an international cyber fraud ring used 1,600 StubHub customers' accounts to buy, then sell, roughly $1.6 million of e-tickets. Today, law enforcement in New York State, London, and Toronto announced that 10 individuals have been charged with crimes in association with this fraud ring; so far, seven of those have been arrested.

In May 2013 StubHub discovered that over 1,000 customer accounts had been used for fraudulent ticket purchases. The fraudsters had obtained login data from other sources -- either through malware on user endpoints or by compromising the databases of sites not associated with the ticket reseller, then trying those same usernames and passwords on StubHub. Being that many people reuse the same passwords from site to site, the fraudsters could log in to StubHub just like the legitimate customers.

In a statement, StubHub said:

It is important to note, there have been no intrusions into StubHub technical or financial systems. Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of keyloggers and/or other malware on the customers' PC.

Once they were in, the fraudsters first lifted credit card data stored in some users' accounts. Then, they used other StubHub customers' accounts to actually buy the e-tickets with the first group's credit cards. This method allowed them to circumvent some of StubHub's security.

More than 1,600 accounts were accessed in all and more than 3,500 e-tickets -- to high-demand events like Knicks games and Jay-Z and Justin Timberlake concerts -- were bought to be resold. The profits were then directed to multiple PayPal accounts and off-shore bank accounts in Germany and the United Kingdom. Some of the money was further wired to money launderers in London and Toronto. All told, they are estimated to have defrauded StubHub out of $1.6 million.

StubHub contacted all the customers whose accounts had been compromised, refunded their money, and contacted law enforcement.

Today, Manhattan District Attorney Cyrus R. Vance, Jr. announced the indictment by the New York State Supreme Court of six individuals associated with the attack. (Vance's office has confirmed that the estimated losses and number of arrests have changed since the announcement was made this afternoon.)

Two of these men were arrested today. Another was arrested earlier this month by Spanish authorities while traveling abroad.

In addition to those charged by New York State, three arrests were made by the City of London Police and one more arrest was made by the Royal Canadian Mounted Police. The names of the four individuals arrested in Canada and the UK have not yet been released.

As for those indicted in the US:

  • Vadim Polyakov, 30, of Russia and Nikolay Matveychuk, 21, of Russia are charged with using StubHub account information and stolen credit card numbers to buy e-tickets then sending them to a group of people in New York and New Jersey for resell. Polyakov was arrested July 3 in Spain.
  • Daniel Petryszyn, 28, of New York, Bryan Caputo, 29, of New Jersey, and Daniel Petryszyn, 28, of New York, are charged with reselling stolen tickets, then sending the criminal proceeds to PayPal accounts and bank accounts in Germany and the UK. Petryszyn and Caputo were arrested this afternoon.
  • Sergei Kirin, 37, of Russia, is charged with money laundering. He allegedly wired money to money launderers to London and Toronto.

"Cybercriminals know no boundaries," said District Attorney Vance in today's announcement. "They do not respect international borders or laws. Today's arrests and indictment connect a global network of hackers, identity thieves, and money-launderers who victimized countless individuals in New York and elsewhere. The coordinated actions of law enforcement officials in New York, New Jersey, the United Kingdom, and Canada demonstrate what can be achieved through international cooperation."

City of London Police Commissioner Adrian Leppard said in today's announcement, "This represents a milestone in the working relationship we have developed with the New York County District Attorney’s Office to target what is truly international organized crime. This is an important investigation."

While law enforcement is bringing in the bad guys, security experts are quick to say that end users need to take responsibility for their own role in these crimes.

"Password reuse is the end-user's responsibility," said Andy Rappaport, chief architect of Core Security. "These customers are fortunate Stubhub reimbursed them. If you’re not already, start using a password manager."

"It looks like these attackers were able to get ahold of users’ credentials by accessing information exposed by other data breaches -- we’ve certainly seen plenty of those this year -- or from keyloggers or other malware on the account holders' computers," said John Prisco, President and CEO of Triumfant. "You’ve been told to spot and avoid social engineering attacks, but that’s easier said than done. ... Of course, if StubHub’s login process required two-factor authentication, it would be significantly more difficult for an attacker to take over your account."

"This attack highlights that the weakest point in security is not through servers but rather through consumers," said Richard Westmoreland, lead security analyst of SilverSky. "Best practices suggest people should use unique passwords for every account -- but in reality this is difficult to manage when it is common to have dozens of accounts. 'New' best practices should include the use of varying passphrases that are easy to remember for each site, such as 'I like t0ast at facebook,' 'I like t0ast at twitter,' etc., or using a reputable password manager such as 1Password or Lastpass."

"When someone reuses a password across multiple sites, it is only as strong as the weakest link," said Phillip Dunkelberger, CEO of NNL. "By using the same password to access your local pizza delivery account as you use to access your bank account, or in this case your Stubhub account, you can have serious implications for financial or other sensitive data."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/25/2014 | 8:36:24 AM
Re: Alternate Method
Never thought of it like that. That does make sense to a certain extent. However, I think a password vault with algorithmic password generation may be the safest method because if you choose passwords that support life experiences it makes you more vulnerable to social engineering and dictionary attacks. I feel like every methodology has one flaw or another though.
ANON1236140045027
50%
50%
ANON1236140045027,
User Rank: Apprentice
7/24/2014 | 6:16:56 PM
Re: Alternate Method
A good method to follow is to create an alogorithm of your own.

Before that make a conscious decision to categorize he sites into two categories - those requiring financial information and those who dont. Have one set of passwords for sites needing credit card information and another set (can be all same) for other sites who dont.

Passwords are easy to remember as long as they are connected to an event in your life. With event date and place combo as password algorithm, it serves two purposes. It will help you to recall events with correct factual information and then help you to remember the password to be used for the site making it extremely difficult for the hackers to guess your password combos or algorithms. 

Same principle can be used for the userrnames unless the site forces you to use your email id as a login. 
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
7/24/2014 | 1:50:46 PM
Alternate Method
It is never a good idea to keep the same passwords but then there is an issue with people remembering mutliple complex passwords. The same ideology for creating DNS (people can't remember all those numeric addresses) is the same reason people are using the same password. Its difficult to manage many logins with different password complexities.

There are alternate methods such as passwords vaults and SSO that can help with secure password management. Does anyone know of another way to easily yet securely manage your passwords?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.