eBay's StubHub ransacked for over $1 million, international crime ring arrested

Filed Under: Data loss, Featured, Law & order, Malware, Security threats, Uncategorized

StubHub logoUS police have indicted six people across four countries on charges of defrauding eBay's StubHub for over $1 million.

The office of Manhattan District Attorney Cyrus R. Vance said in a press release on Wednesday that the suspects were allegedly cogs in an international crime ring that broke into more than 1,600 accounts.

The six were indicted on charges of using the StubHub accounts' credit card details to buy tickets without the owners’ permission.

The charges include money laundering, possession of stolen property and identity theft.

Those arrested include a Russian national who was detained while vacationing in Spain, along with three others arrested in London, two in the United States and one in Canada.

Two of the suspects, Vadim Polyakov, 30, and Nikolay Matveychuk, 21, allegedly bled information from StubHub accounts and stolen credit card numbers to buy more than 3,500 e-tickets that were then funneled to accomplices in New York and New Jersey to be resold within hours of an event.

Those tickets were red-hot, and not just because they were swindled out of StubHub.

Tickets. Image courtesy of Shutterstock

The acts the crooks allegedly swiped tickets for included concerts with big, sought-after names - among them, Elton John, Marc Anthony, Justin Timberlake and Jay-Z.

Other events included Yankees baseball games, Giants and Jets football games, Knicks and Nets basketball games, Rangers hockey games, and the US Open.

The cyber thieves also allegedly bilked StubHub accounts for Broadway shows, including Book of Mormon.

Investigators have been on the trail of this particular crime ring since March 2013, when StubHub reported that it had discovered more than 1,000 compromised accounts.

StubHub reported the fraud and implemented security measures to prevent the intrusions.

The crooks got around the security protocols, however, by plugging new credit card information stolen from other victims into the hijacked accounts, rather than relying on the original victims’ card information.

The DA's Office said that after it had investigated receipts and transaction records of more than 1,600 illegally accessed accounts, its analysts traced the exchanges to IP addresses, PayPal accounts, bank accounts, and other financial accounts used and controlled by those it indicted on Wednesday.

This is the second time this year that eBay's been hit.

In May, the company owned up to a password breach, though it wasn't too horrific: eBay said at the time that forensics didn't show any evidence of unauthorized access or compromise to personal or financial information for PayPal customers - PayPal being eBay's payment arm.

This time around, eBay said its servers hadn't been broken into.

Rather, StubHub spokesman Glenn Lehrman told news outlets, it was down to the customers themselves - either they had reused passwords or had nastyware on their own PCs:

These legitimate customer accounts were accessed by cybercriminals who had obtained the customers' login and password either through data breaches of other websites and retailers, or through the use of key-loggers and/or other malware on the customer's own PC.

Once fraudulent transactions were detected on a given account, customers were immediately contacted by Stubhub's trust and safety team, who refunded any unauthorised transactions.

It's a shame that users all too often make it easy for crooks to just plug in credentials leaked from other breaches.

It's yet another example of why passwords shouldn't be reused.

But isn't it also a shame that businesses such as eBay/StubHub aren't proactively protecting users against password reuse?

After all, after Adobe's mammoth breach, Facebook locked user accounts in a closet (well, made them less public, at any rate) if it found that they were using the same passwords/emails.

Password reuse is, apparently, a given. No matter how much we lecture, a (hopefully shrinking!) percentage of people are going to commit this security sin.

Should we start expecting businesses like eBay to plan for that? Or should we just let password reusers suffer the consequences of their redundancy?

Please do tell us what you think in the comments section below.

Image of tickets courtesy of Shutterstock.

, , , , , ,

You might like

2 Responses to eBay's StubHub ransacked for over $1 million, international crime ring arrested

  1. Not laundering that money very well were they?

  2. Anonymous · 443 days ago

    Wait, they put other stolen credit card information into the hijacked accounts? Why? Just create a new account! And if an account is known to be hijacked, that should have locked the account until the real owner could arrange for a new password, anyway.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.