06:00 PM
7 Arrested, 3 More Indicted For Roles In Cyber Fraud Ring That Stung StubHub

Arrests made in New York state, London, Toronto, and Spain for money laundering, grand larceny, and using StubHub customers' credit cards to buy and sell 3,500 e-tickets to prime events.

Shelling out hundreds or thousands of dollars to buy marked-up tickets to "sold-out" events from opportunistic resellers on StubHub is bad enough. Yet, to add insult to injury, an international cyber fraud ring used 1,600 StubHub customers' accounts to buy, then sell, roughly $1.6 million of e-tickets. Today, law enforcement in New York State, London, and Toronto announced that 10 individuals have been charged with crimes in association with this fraud ring; so far, seven of those have been arrested.

In May 2013 StubHub discovered that over 1,000 customer accounts had been used for fraudulent ticket purchases. The fraudsters had obtained login data from other sources -- either through malware on user endpoints or by compromising the databases of sites unrelated to the ticket reseller -- and then tried those same usernames and passwords on StubHub. Because many people reuse the same passwords from site to site, the fraudsters could log in to StubHub just like the legitimate customers.
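The replay of credentials taken from other breaches described above is what defenders call credential stuffing, and it has a recognizable shape in login logs: one source touches many distinct accounts, one or two attempts each, mostly failing, with a few successes where the password was reused. The following is an added example, not StubHub's code; it runs over constructed log lines and flags such sources, then lists the accounts that nonetheless logged in from them, which are the ones to lock and notify.

```python
import re
from collections import defaultdict

# Constructed sample login events (not real StubHub logs):
# timestamp, source IP, account, result.
SAMPLE_LOG = """\
2013-05-02T10:00:01Z 203.0.113.7 alice@example.com FAIL
2013-05-02T10:00:02Z 203.0.113.7 bob@example.com OK
2013-05-02T10:00:02Z 203.0.113.7 carol@example.com FAIL
2013-05-02T10:00:03Z 203.0.113.7 dave@example.com FAIL
2013-05-02T10:00:03Z 203.0.113.7 erin@example.com OK
2013-05-02T10:00:04Z 203.0.113.7 frank@example.com FAIL
2013-05-02T10:01:00Z 198.51.100.4 alice@example.com FAIL
2013-05-02T10:01:30Z 198.51.100.4 alice@example.com OK
2013-05-02T10:05:00Z 192.0.2.9 bob@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "ip": m.group(2),
                           "account": m.group(3), "ok": m.group(4) == "OK"})
    return events


def credential_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that hit many distinct accounts and mostly fail.

    A legitimate user retries one or two accounts; a stuffing run sprays
    one leaked pair per account. The failure-ratio threshold keeps a busy
    but legitimate shared egress (office NAT) from being flagged.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "ok": 0, "fail": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["accounts"].add(e["account"])
        s["ok" if e["ok"] else "fail"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        total = s["ok"] + s["fail"]
        ratio = s["fail"] / total
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["accounts"]),
                           "successes": s["ok"], "fail_ratio": ratio}
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source."""
    return sorted({e["account"] for e in events if e["ip"] in flagged and e["ok"]})
```

The successes from a flagged source are the accounts whose password was reused elsewhere; those users need a forced reset and notification, not just the attacker's IP blocked.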

In a statement, StubHub said:

It is important to note, there have been no intrusions into StubHub technical or financial systems. Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of keyloggers and/or other malware on the customers' PC.

Once they were in, the fraudsters first lifted credit card data stored in some users' accounts. Then, they used other StubHub customers' accounts to actually buy the e-tickets with the first group's credit cards. This method allowed them to circumvent some of StubHub's security.

More than 1,600 accounts were accessed in all and more than 3,500 e-tickets -- to high-demand events like Knicks games and Jay-Z and Justin Timberlake concerts -- were bought to be resold. The profits were then directed to multiple PayPal accounts and off-shore bank accounts in Germany and the United Kingdom. Some of the money was further wired to money launderers in London and Toronto. All told, they are estimated to have defrauded StubHub out of $1.6 million.

StubHub contacted all the customers whose accounts had been compromised, refunded their money, and contacted law enforcement.

Today, Manhattan District Attorney Cyrus R. Vance, Jr. announced the indictment by the New York State Supreme Court of six individuals associated with the attack. (Vance's office has confirmed that the estimated losses and number of arrests have changed since the announcement was made this afternoon.)

Two of these men were arrested today. Another was arrested earlier this month by Spanish authorities while traveling abroad.

In addition to those charged by New York State, three arrests were made by the City of London Police and one more arrest was made by the Royal Canadian Mounted Police. The names of the four individuals arrested in Canada and the UK have not yet been released.

As for those indicted in the US:

  • Vadim Polyakov, 30, of Russia and Nikolay Matveychuk, 21, of Russia are charged with using StubHub account information and stolen credit card numbers to buy e-tickets, then sending them to a group of people in New York and New Jersey for resale. Polyakov was arrested July 3 in Spain.
  • Daniel Petryszyn, 28, of New York, Bryan Caputo, 29, of New Jersey, and Daniel Petryszyn, 28, of New York, are charged with reselling stolen tickets, then sending the criminal proceeds to PayPal accounts and bank accounts in Germany and the UK. Petryszyn and Caputo were arrested this afternoon.
  • Sergei Kirin, 37, of Russia, is charged with money laundering. He allegedly wired money to money launderers in London and Toronto.

"Cybercriminals know no boundaries," said District Attorney Vance in today's announcement. "They do not respect international borders or laws. Today's arrests and indictment connect a global network of hackers, identity thieves, and money-launderers who victimized countless individuals in New York and elsewhere. The coordinated actions of law enforcement officials in New York, New Jersey, the United Kingdom, and Canada demonstrate what can be achieved through international cooperation."

City of London Police Commissioner Adrian Leppard said in today's announcement, "This represents a milestone in the working relationship we have developed with the New York County District Attorney’s Office to target what is truly international organized crime. This is an important investigation."

While law enforcement is bringing in the bad guys, security experts are quick to say that end users need to take responsibility for their own role in these crimes.

"Password reuse is the end-user's responsibility," said Andy Rappaport, chief architect of Core Security. "These customers are fortunate Stubhub reimbursed them. If you’re not already, start using a password manager."

"It looks like these attackers were able to get ahold of users’ credentials by accessing information exposed by other data breaches -- we’ve certainly seen plenty of those this year -- or from keyloggers or other malware on the account holders' computers," said John Prisco, President and CEO of Triumfant. "You’ve been told to spot and avoid social engineering attacks, but that’s easier said than done. ... Of course, if StubHub’s login process required two-factor authentication, it would be significantly more difficult for an attacker to take over your account."

"This attack highlights that the weakest point in security is not through servers but rather through consumers," said Richard Westmoreland, lead security analyst of SilverSky. "Best practices suggest people should use unique passwords for every account -- but in reality this is difficult to manage when it is common to have dozens of accounts. 'New' best practices should include the use of varying passphrases that are easy to remember for each site, such as 'I like t0ast at facebook,' 'I like t0ast at twitter,' etc., or using a reputable password manager such as 1Password or Lastpass."

"When someone reuses a password across multiple sites, it is only as strong as the weakest link," said Phillip Dunkelberger, CEO of NNL. "By using the same password to access your local pizza delivery account as you use to access your bank account, or in this case your Stubhub account, you can have serious implications for financial or other sensitive data."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
7/25/2014 | 8:36:24 AM
Re: Alternate Method
Never thought of it like that. That does make sense to a certain extent. However, I think a password vault with algorithmic password generation may be the safest method because if you choose passwords that support life experiences it makes you more vulnerable to social engineering and dictionary attacks. I feel like every methodology has one flaw or another though.
User Rank: Apprentice
7/24/2014 | 6:16:56 PM
Re: Alternate Method
A good method to follow is to create an algorithm of your own.

Before that, make a conscious decision to categorize the sites into two categories - those requiring financial information and those that don't. Have one set of passwords for sites needing credit card information and another set (can be all the same) for other sites that don't.

Passwords are easy to remember as long as they are connected to an event in your life. With event date and place combo as password algorithm, it serves two purposes. It will help you to recall events with correct factual information and then help you to remember the password to be used for the site making it extremely difficult for the hackers to guess your password combos or algorithms. 

The same principle can be used for the usernames unless the site forces you to use your email id as a login.
User Rank: Ninja
7/24/2014 | 1:50:46 PM
Alternate Method
It is never a good idea to keep the same passwords, but then there is an issue with people remembering multiple complex passwords. The same ideology for creating DNS (people can't remember all those numeric addresses) is the same reason people are using the same password. It's difficult to manage many logins with different password complexities.

There are alternate methods such as password vaults and SSO that can help with secure password management. Does anyone know of another way to easily yet securely manage your passwords?