Russian hackers hijacked StubHub accounts, sold stolen tix for Yankees games, concerts, Broadway shows, more
Russian hackers who hijacked 1,600 StubHub user accounts and stole $1 million worth of tickets were indicted by the Manhattan District Attorney Wednesday, a case that brings to light another frontier in fraud fighting -- and another systematic weakness exposed by cyber criminals.
The hackers' scheme was ingenious. They impersonated legitimate StubHub users, bought tickets to high-profile events like Yankees games, Justin Timberlake concerts, or Broadway shows, then re-sold the tickets to consumers in New York. Authorities estimate the group netted $1 million this way. Vadim Polyakov, 30, was arrested while in Spain earlier this month and New York authorities are in the process of trying to extradite him to the U.S. Three others, who live near New York, had their homes searched for evidence today.
So-called account takeover fraud is common among financial institutions -- hackers steal consumers' login information and try to transfer money to accounts they control -- but is relatively new on merchant websites. Generally, it's hazardous for criminals to hack into a retailer's website and try to send themselves stolen goods; receiving the stolen merchandise is risky. Selling e-tickets, however, leaves less of a paper trail and high-demand tickets are easy to fence.
The events the hackers bought and sold tickets for included Elton John, Marc Anthony, Justin Timberlake and Jay-Z; athletic events including Yankees baseball games, Giants and Jets football games, Knicks and Nets basketball games, Rangers hockey games, and the U.S. Open; and Broadway shows, such as Book of Mormon.
The fraud means retailers might want to reconsider the anti-fraud measures they take on their websites.
Brian Krebs, among the first to report on the fraud at KrebsOnSecurity.com, quoted fraud expert Robert Capp with this warning:
"Unfortunately, the transactional risk systems employed by most online retailers are not tuned to detect and defend against malicious use of existing customer accounts. Retooling these systems to detect account takeovers can take some time, leaving retailers exposed to significant financial losses in the intervening time," he said.
Consumers, meanwhile, should be freshly aware that while banking login information should be carefully guarded, clever criminals want passwords from other websites, too.
"Regardless of where the case originates, nearly every cybercrime case begins with similar breaches: a stolen password, unauthorized use of a credit card, or unaccountable charges on a personal statement, for example," said Manhattan District Attorney Cyrus R. Vance, Jr.