Six individuals have been indicted in connection with a fraud scheme that involved hacking into more than 1,600 StubHub accounts and purchasing electronic tickets to high-profile events using the victims’ credit cards.


The fraud has been estimated at $1 million / €743,000, and the profit from selling the stolen tickets was then laundered by several individuals, mainly through legitimate banks in the United Kingdom.

StubHub is an eBay subsidiary that sells digital tickets for different entertainment events, such as concerts and sports events. The incident occurred last year, in March.

At first, the cybercriminals used the credit card details available in the compromised StubHub accounts to purchase the e-tickets. However, the company learned about the incident and implemented additional security measures to prevent the intrusions.

“However, investigators learned that the criminal ring was able to circumvent security protocols within the accounts by using new credit card information stolen from additional victims, instead of the original victims’ preexisting card information,” a statement from the New York County District Attorney’s office says.

Thousands of online tickets were purchased this way, for concerts by artists such as Jay-Z, Justin Timberlake and Elton John, as well as Broadway shows and sporting events. The tickets were then sent to accomplices in the US to be resold at the event site.

An investigation determined that the StubHub systems were not breached, and the credentials for the compromised accounts are believed to have been acquired from other sources.

Robert Capps, an executive at cybersecurity company RedSeal Networks and former head of Global Trust and Safety at StubHub, said that the “methods used to access StubHub were nearly identical to methods employed against other online retailers during the same period.”

After obtaining the login information, the crook would impersonate the owner of the account and “make a transaction using a stored payment card, or add a stolen credit card and complete a purchase.”

“Modern e-commerce websites that are in compliance with the Payment Card Industry (PCI) rules for data security, do not expose enough data about the stored payment cards to make use of them elsewhere. In StubHub's case, they only displayed the card type (Visa, MC, etc), the last four digits of the card number, and the expiration date.

“This is consistent with best practices set out by the credit card industry. Once a compromised account is identified, it can be returned to the legitimate customer by simply resetting their password,” Capps said via email.

There are various ways the cybercriminals could have obtained the login credentials. Breaching other websites’ data, collecting the information straight from the user’s computer via malware, and using phishing schemes are only a few of the methods that could have been used.

Vadim Polyakov, who is considered to be the leader of the criminal organization, was arrested while on vacation in Spain, after authorities learned about the planned trip from his Facebook account.

The New York County District Attorney’s office said that three other men were also arrested in London, on suspicion of money laundering offenses. In Toronto, Canada, another suspect was taken into custody on similar charges.