eBay’s StubHub ransacked for over $1 million, international crime ring arrested

library
crime | hacking | security

US police have indicted six people across four countries on charges of defrauding eBay’s StubHub for over $1 million.

The office of Manhattan District Attorney Cyrus R. Vance said in a press release on Wednesday that the suspects were allegedly cogs in an international crime ring that broke into more than 1,600 accounts.

The six were indicted on charges of using the StubHub accounts’ credit card details to buy tickets without the owners’ permission.

The charges include money laundering, possession of stolen property and identity theft.

Those arrested include a Russian national who was detained while vacationing in Spain, along with three others arrested in London, two in the United States and one in Canada.

Two of the suspects, Vadim Polyakov, 30, and Nikolay Matveychuk, 21, allegedly bled information from StubHub accounts and stolen credit card numbers to buy more than 3,500 e-tickets that were then funneled to accomplices in New York and New Jersey to be resold within hours of an event.

Those tickets were red-hot, and not just because they were swindled out of StubHub.

The acts the crooks allegedly swiped tickets for included concerts with big, sought-after names – among them, Elton John, Marc Anthony, Justin Timberlake and Jay-Z.

Other events included Yankees baseball games, Giants and Jets football games, Knicks and Nets basketball games, Rangers hockey games, and the US Open.

The cyber thieves also allegedly bilked StubHub accounts for Broadway shows, including Book of Mormon.

Investigators have been on the trail of this particular crime ring since March 2013, when StubHub reported that it had discovered more than 1,000 compromised accounts.

StubHub reported the fraud and implemented security measures to prevent the intrusions.

The crooks got around the security protocols, however, by plugging new credit card information stolen from other victims into the hijacked accounts, rather than relying on the original victims’ card information.

The DA’s Office said that after it had investigated receipts and transaction records of more than 1,600 illegally accessed accounts, its analysts traced the exchanges to IP addresses, PayPal accounts, bank accounts, and other financial accounts used and controlled by those it indicted on Wednesday.

This is the second time this year that eBay’s been hit.

In May, the company owned up to a password breach, though it wasn’t too horrific: eBay said at the time that forensics didn’t show any evidence of unauthorized access or compromise to personal or financial information for PayPal customers – PayPal being eBay’s payment arm.

This time around, eBay said its servers hadn’t been broken into.

Rather, StubHub spokesman Glenn Lehrman told news outlets, it was down to the customers themselves – either they had reused passwords or had nastyware on their own PCs:

These legitimate customer accounts were accessed by cybercriminals who had obtained the customers’ login and password either through data breaches of other websites and retailers, or through the use of key-loggers and/or other malware on the customer’s own PC.

Once fraudulent transactions were detected on a given account, customers were immediately contacted by Stubhub’s trust and safety team, who refunded any unauthorised transactions.

It’s a shame that users all too often make it easy for crooks to just plug in credentials leaked from other breaches.

It’s yet another example of why passwords shouldn’t be reused.

But isn’t it also a shame that businesses such as eBay/StubHub aren’t proactively protecting users against password reuse?

After all, after Adobe’s mammoth breach, Facebook locked user accounts in a closet (well, made them less public, at any rate) if it found that they were using the same passwords/emails.

Password reuse is, apparently, a given. No matter how much we lecture, a (hopefully shrinking!) percentage of people are going to commit this security sin.

Should we start expecting businesses like eBay to plan for that? Or should we just let password reusers suffer the consequences of their redundancy?