Shelling out hundreds and thousands to buy marked-up tickets to "sold-out" events from opportunistic re-resellers on StubHub is bad enough. Yet, to add insult to injury, an international cyber fraud ring used 1,600 StubHub customers' accounts to buy, then sell, roughly $1.6 million of e-tickets. Today, law enforcement in New York State, London, and Toronto announced that 10 individuals have been charged with crimes in association with this fraud ring; so far, seven of those have been arrested.
In May 2013, StubHub discovered that over 1,000 customer accounts had been used for fraudulent ticket purchases. The fraudsters had obtained login data from other sources -- either through malware on user endpoints or by compromising the databases of sites not associated with the ticket reseller -- and then tried those same usernames and passwords on StubHub. Because many people reuse the same passwords from site to site, the fraudsters could log in to StubHub just like the legitimate customers.
In a statement, StubHub said:
"It is important to note, there have been no intrusions into StubHub technical or financial systems. Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of keyloggers and/or other malware on the customers' PC."
Once they were in, the fraudsters first lifted credit card data stored in some users' accounts. Then, they used other StubHub customers' accounts to actually buy the e-tickets with the first group's credit cards. This method allowed them to circumvent some of StubHub's security.
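One way a marketplace could flag the pattern described above, where a card saved in one account pays for orders placed from a different account. This is an added example, not StubHub's code; the account IDs, card tokens, field names and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: cards saved in account wallets (account_id, card_token).
STORED_CARDS = [
    ("acct-1001", "tok_A"),
    ("acct-1002", "tok_B"),
    ("acct-1003", "tok_C"),
    ("acct-1003", "tok_D"),
]

# Constructed sample data: purchase events as an order pipeline might log them.
PURCHASES = [
    {"order": "o-1", "account": "acct-1001", "card": "tok_A", "amount": 180.0},
    {"order": "o-2", "account": "acct-2001", "card": "tok_A", "amount": 950.0},
    {"order": "o-3", "account": "acct-2002", "card": "tok_B", "amount": 1200.0},
    {"order": "o-4", "account": "acct-2002", "card": "tok_C", "amount": 640.0},
    {"order": "o-5", "account": "acct-1003", "card": "tok_D", "amount": 75.0},
    {"order": "o-6", "account": "acct-3001", "card": "tok_Z", "amount": 60.0},
]

def build_card_owners(stored):
    """Map each card token to the set of accounts that have it saved."""
    owners = defaultdict(set)
    for account, card in stored:
        owners[card].add(account)
    return owners

def flag_cross_account_purchases(purchases, owners):
    """Purchases paid with a card saved on another account but not on the buyer's."""
    flagged = []
    for p in purchases:
        holders = owners.get(p["card"], set())
        # A card unknown to every wallet is a first-time card, not this pattern.
        if holders and p["account"] not in holders:
            flagged.append({**p, "stored_on": sorted(holders)})
    return flagged

def accounts_using_many_foreign_cards(flagged, threshold=2):
    """Escalate buyers using several other accounts' cards; one hit may be a shared family card."""
    cards = defaultdict(set)
    for p in flagged:
        cards[p["account"]].add(p["card"])
    return {a: sorted(c) for a, c in cards.items() if len(c) >= threshold}

if __name__ == "__main__":
    hits = flag_cross_account_purchases(PURCHASES, build_card_owners(STORED_CARDS))
    for h in hits:
        print(h["order"], h["account"], h["card"], "stored on", h["stored_on"])
    print("escalate:", accounts_using_many_foreign_cards(hits))
```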
More than 1,600 accounts were accessed in all and more than 3,500 e-tickets -- to high-demand events like Knicks games and Jay-Z and Justin Timberlake concerts -- were bought to be resold. The profits were then directed to multiple PayPal accounts and off-shore bank accounts in Germany and the United Kingdom. Some of the money was further wired to money launderers in London and Toronto. All told, they are estimated to have defrauded StubHub out of $1.6 million.
StubHub contacted all the customers whose accounts had been compromised, refunded their money, and contacted law enforcement.
Today, Manhattan District Attorney Cyrus R. Vance, Jr. announced the indictment by the New York State Supreme Court of six individuals associated with the attack. (Vance's office has confirmed that the estimated losses and number of arrests have changed since the announcement was made this afternoon.)
Two of these men were arrested today. Another was arrested earlier this month by Spanish authorities while traveling abroad.
In addition to those charged by New York State, three arrests were made by the City of London Police and one more arrest was made by the Royal Canadian Mounted Police. The names of the four individuals arrested in Canada and the UK have not yet been released.
As for those indicted in the US:
- Vadim Polyakov, 30, of Russia and Nikolay Matveychuk, 21, of Russia are charged with using StubHub account information and stolen credit card numbers to buy e-tickets, then sending them to a group of people in New York and New Jersey for resale. Polyakov was arrested July 3 in Spain.
- Daniel Petryszyn, 28, of New York, Bryan Caputo, 29, of New Jersey, and Daniel Petryszyn, 28, of New York, are charged with reselling stolen tickets, then sending the criminal proceeds to PayPal accounts and bank accounts in Germany and the UK. Petryszyn and Caputo were arrested this afternoon.
- Sergei Kirin, 37, of Russia, is charged with money laundering. He allegedly wired money to money launderers in London and Toronto.
"Cybercriminals know no boundaries," said District Attorney Vance in today's announcement. "They do not respect international borders or laws. Today's arrests and indictment connect a global network of hackers, identity thieves, and money-launderers who victimized countless individuals in New York and elsewhere. The coordinated actions of law enforcement officials in New York, New Jersey, the United Kingdom, and Canada demonstrate what can be achieved through international cooperation."
City of London Police Commissioner Adrian Leppard said in today's announcement, "This represents a milestone in the working relationship we have developed with the New York County District Attorney’s Office to target what is truly international organized crime. This is an important investigation."
While law enforcement is bringing in the bad guys, security experts are quick to say that end users need to take responsibility for their own role in these crimes.
"Password reuse is the end-user's responsibility," said Andy Rappaport, chief architect of Core Security. "These customers are fortunate StubHub reimbursed them. If you’re not already, start using a password manager."
"It looks like these attackers were able to get ahold of users’ credentials by accessing information exposed by other data breaches -- we’ve certainly seen plenty of those this year -- or from keyloggers or other malware on the account holders' computers," said John Prisco, President and CEO of Triumfant. "You’ve been told to spot and avoid social engineering attacks, but that’s easier said than done. ... Of course, if StubHub’s login process required two-factor authentication, it would be significantly more difficult for an attacker to take over your account."
"This attack highlights that the weakest point in security is not through servers but rather through consumers," said Richard Westmoreland, lead security analyst of SilverSky. "Best practices suggest people should use unique passwords for every account -- but in reality this is difficult to manage when it is common to have dozens of accounts. 'New' best practices should include the use of varying passphrases that are easy to remember for each site, such as 'I like t0ast at facebook,' 'I like t0ast at twitter,' etc., or using a reputable password manager such as 1Password or LastPass."
"When someone reuses a password across multiple sites, it is only as strong as the weakest link," said Phillip Dunkelberger, CEO of NNL. "By using the same password to access your local pizza delivery account as you use to access your bank account, or in this case your StubHub account, you can have serious implications for financial or other sensitive data."