6 Indicted in StubHub Fraud Scheme1,600 Accounts Compromised to Steal $1 Million
Three Americans and three Russians have been indicted in connection with an alleged $1 million account takeover and money laundering scheme involving more than 1,600 user accounts for StubHub, an entertainment ticket service.
See Also: The Global State of Online Digital Trust
The defendants are charged with varying degrees of money laundering, grand larceny, criminal possession of stolen property and identity theft charges, according to Manhattan District Attorney Cyrus Vance, Jr.
In March 2013, StubHub, an eBay subsidiary that operates a public website for customers to buy and sell e-tickets to various entertainment events, discovered that about 1,600 accounts were compromised by individuals who used the pre-existing credit card information associated with the accounts to purchase tickets without the legitimate cardholders' authorization, authorities say. StubHub reported the fraud and immediately implemented security measures to prevent the account takeover fraud. But investigators determined that the criminal ring was able to circumvent security protocols within the accounts by using new credit card information stolen from additional victims.
The hackers were able to access the accounts by obtaining the customers' valid logins and passwords through data breaches of other businesses or through the use of keyloggers and/or malware on the customers' PCs, StubHub says in a statement provided to Information Security Media Group.
"Once fraudulent transactions were detected on a given account, affected customers were immediately contacted by StubHub's trust and safety team and refunded any unauthorized transactions," the company says. "We also assisted customers with changing their password to secure their account from further activity."
One of the alleged Russian conspirators in the scheme, Vadim Polyakov, was arrested July 3 in Spain by authorities who learned he was traveling in the country. He is awaiting extradition in Spain, an official familiar with the matter told Information Security Media Group. Polyakov, along with a co-conspirator, are charged with using the information from the StubHub accounts and stolen credit card numbers to purchase more than 3,500 e-tickets, which were then sent to individuals in New York and New Jersey to be resold within hours of an event, authorities say.
The New York and New Jersey suspects were then instructed by Polyakov to send the money obtained by reselling the tickets to multiple PayPal accounts controlled by Polyakov and his associates. Thousands of dollars were also split into separate payments and sent by wire transfer to other money launderers in London and Toronto, according to authorities.
London authorities arrested three men suspected of being involved in money laundering. The Royal Canadian Mounted Police also executed a search warrant and arrested an additional suspected money-launderer in Toronto.
"Today's arrests and indictment connect a global network of hackers, identity thieves, and money-launderers who victimized countless individuals in New York and elsewhere," Vance says. "The coordinated actions of law enforcement officials in New York, New Jersey, the United Kingdom, and Canada demonstrate what can be achieved through international cooperation."
In another recent security incident, eBay in May urged its 145 million customers to change their passwords following a cyber-attack that compromised encrypted passwords and other personal information (see: eBay Sees Revenue Decline Due to Breach).