7 Arrested, 3 More Indicted For Roles In Cyber Fraud Ring That Stung StubHub

Arrests made in New York state, London, Toronto, and Spain for money laundering, grand larceny, and using StubHub customers' credit cards to buy and sell 3,500 e-tickets to prime events.

Shelling out hundreds and thousands to buy marked-up tickets to "sold-out" events from opportunistic re-resellers on StubHub is bad enough. Yet, to add insult to injury, an international cyber fraud ring used 1,600 StubHub customers' accounts to buy, then sell, roughly $1.6 million of e-tickets. Today, law enforcement in New York State, London, and Toronto announced that 10 individuals have been charged with crimes in association with this fraud ring; so far, seven of those have been arrested.

In May 2013, StubHub discovered that over 1,000 customer accounts had been used for fraudulent ticket purchases. The fraudsters had obtained login data from other sources -- either through malware on user endpoints or by compromising the databases of sites not associated with the ticket reseller, then trying those same usernames and passwords on StubHub. Because many people reuse the same passwords from site to site, the fraudsters could log in to StubHub just like the legitimate customers.

In a statement, StubHub said:

It is important to note, there have been no intrusions into StubHub technical or financial systems. Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of keyloggers and/or other malware on the customers' PC.

Once they were in, the fraudsters first lifted credit card data stored in some users' accounts. Then, they used other StubHub customers' accounts to actually buy the e-tickets with the first group's credit cards. This method allowed them to circumvent some of StubHub's security.
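The two-step pattern described above leaves a signal a fraud team can look for: an order paid with a card that is stored on a different customer's account. The following is an added example, not code from StubHub or from the original article; the record layout, account names, and function names are hypothetical, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample: which account each stored card token belongs to.
CARDS_ON_FILE = {"card_A1": "alice", "card_B7": "bob", "card_C3": "carol"}

# Constructed purchase events: (order id, purchasing account, card token).
PURCHASES = [
    ("o-1001", "alice", "card_A1"),  # owner paying with her own stored card
    ("o-1002", "dave",  "card_A1"),  # alice's card used from dave's account
    ("o-1003", "erin",  "card_A1"),  # same card again, from a third account
    ("o-1004", "bob",   "card_B7"),  # owner paying with his own stored card
    ("o-1005", "dave",  "card_C3"),  # carol's card used from dave's account
    ("o-1006", "frank", "card_Z9"),  # card stored on no account: not this pattern
]

def flag_cross_account_card_use(cards_on_file, purchases):
    """Return orders paid with a card that is stored on a different account."""
    flagged = []
    for order_id, buyer, card in purchases:
        owner = cards_on_file.get(card)
        if owner is None or owner == buyer:
            continue  # unknown card, or the owner's own purchase
        flagged.append({"order": order_id, "buyer": buyer,
                        "card_owner": owner, "card": card})
    return flagged

def accounts_to_review(flagged):
    """Split flagged orders into the two victim groups the article describes.

    exposed: card owner -> orders charged to their stored card elsewhere
    buyers:  purchasing account -> distinct owners whose cards it used
    """
    exposed, buyers = defaultdict(set), defaultdict(set)
    for f in flagged:
        exposed[f["card_owner"]].add(f["order"])
        buyers[f["buyer"]].add(f["card_owner"])
    return dict(exposed), dict(buyers)

def review_queue(buyers):
    """Order purchasing accounts by how many different owners' cards they used."""
    return sorted(buyers, key=lambda b: (-len(buyers[b]), b))

if __name__ == "__main__":
    hits = flag_cross_account_card_use(CARDS_ON_FILE, PURCHASES)
    exposed, buyers = accounts_to_review(hits)
    print(review_queue(buyers), exposed)
```

Shared household cards produce the same signal, so a match is a reason to review the order, not proof of fraud.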

More than 1,600 accounts were accessed in all and more than 3,500 e-tickets -- to high-demand events like Knicks games and Jay-Z and Justin Timberlake concerts -- were bought to be resold. The profits were then directed to multiple PayPal accounts and off-shore bank accounts in Germany and the United Kingdom. Some of the money was further wired to money launderers in London and Toronto. All told, they are estimated to have defrauded StubHub out of $1.6 million.

StubHub contacted all the customers whose accounts had been compromised, refunded their money, and contacted law enforcement.

Today, Manhattan District Attorney Cyrus R. Vance, Jr. announced the indictment by the New York State Supreme Court of six individuals associated with the attack. (Vance's office has confirmed that the estimated losses and number of arrests have changed since the announcement was made this afternoon.)

Two of these men were arrested today. Another was arrested earlier this month by Spanish authorities while traveling abroad.

In addition to those charged by New York State, three arrests were made by the City of London Police and one more arrest was made by the Royal Canadian Mounted Police. The names of the four individuals arrested in Canada and the UK have not yet been released.

As for those indicted in the US:

  • Vadim Polyakov, 30, of Russia and Nikolay Matveychuk, 21, of Russia are charged with using StubHub account information and stolen credit card numbers to buy e-tickets, then sending them to a group of people in New York and New Jersey for resale. Polyakov was arrested July 3 in Spain.
  • Daniel Petryszyn, 28, of New York, Bryan Caputo, 29, of New Jersey, and Daniel Petryszyn, 28, of New York, are charged with reselling stolen tickets, then sending the criminal proceeds to PayPal accounts and bank accounts in Germany and the UK. Petryszyn and Caputo were arrested this afternoon.
  • Sergei Kirin, 37, of Russia, is charged with money laundering. He allegedly wired money to money launderers in London and Toronto.

"Cybercriminals know no boundaries," said District Attorney Vance in today's announcement. "They do not respect international borders or laws. Today's arrests and indictment connect a global network of hackers, identity thieves, and money-launderers who victimized countless individuals in New York and elsewhere. The coordinated actions of law enforcement officials in New York, New Jersey, the United Kingdom, and Canada demonstrate what can be achieved through international cooperation."

City of London Police Commissioner Adrian Leppard said in today's announcement, "This represents a milestone in the working relationship we have developed with the New York County District Attorney’s Office to target what is truly international organized crime. This is an important investigation."

While law enforcement is bringing in the bad guys, security experts are quick to say that end users need to take responsibility for their own role in these crimes.

"Password reuse is the end-user's responsibility," said Andy Rappaport, chief architect of Core Security. "These customers are fortunate StubHub reimbursed them. If you’re not already, start using a password manager."

"It looks like these attackers were able to get ahold of users’ credentials by accessing information exposed by other data breaches -- we’ve certainly seen plenty of those this year -- or from keyloggers or other malware on the account holders' computers," said John Prisco, President and CEO of Triumfant. "You’ve been told to spot and avoid social engineering attacks, but that’s easier said than done. ... Of course, if StubHub’s login process required two-factor authentication, it would be significantly more difficult for an attacker to take over your account."

"This attack highlights that the weakest point in security is not through servers but rather through consumers," said Richard Westmoreland, lead security analyst of SilverSky. "Best practices suggest people should use unique passwords for every account -- but in reality this is difficult to manage when it is common to have dozens of accounts. 'New' best practices should include the use of varying passphrases that are easy to remember for each site, such as 'I like t0ast at facebook,' 'I like t0ast at twitter,' etc., or using a reputable password manager such as 1Password or LastPass."

"When someone reuses a password across multiple sites, it is only as strong as the weakest link," said Phillip Dunkelberger, CEO of NNL. "By using the same password to access your local pizza delivery account as you use to access your bank account, or in this case your StubHub account, you can have serious implications for financial or other sensitive data."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
7/25/2014 | 8:36:24 AM
Re: Alternate Method
Never thought of it like that. That does make sense to a certain extent. However, I think a password vault with algorithmic password generation may be the safest method because if you choose passwords that support life experiences it makes you more vulnerable to social engineering and dictionary attacks. I feel like every methodology has one flaw or another though.
User Rank: Apprentice
7/24/2014 | 6:16:56 PM
Re: Alternate Method
A good method to follow is to create an algorithm of your own.

Before that make a conscious decision to categorize the sites into two categories - those requiring financial information and those who don't. Have one set of passwords for sites needing credit card information and another set (can be all same) for other sites who don't.

Passwords are easy to remember as long as they are connected to an event in your life. With event date and place combo as password algorithm, it serves two purposes. It will help you to recall events with correct factual information and then help you to remember the password to be used for the site making it extremely difficult for the hackers to guess your password combos or algorithms.

Same principle can be used for the usernames unless the site forces you to use your email id as a login.
User Rank: Ninja
7/24/2014 | 1:50:46 PM
Alternate Method
It is never a good idea to keep the same passwords but then there is an issue with people remembering multiple complex passwords. The same ideology for creating DNS (people can't remember all those numeric addresses) is the same reason people are using the same password. It's difficult to manage many logins with different password complexities.

There are alternate methods such as password vaults and SSO that can help with secure password management. Does anyone know of another way to easily yet securely manage your passwords?