Six men charged in StubHub cyber-theft case

Six individuals have been charged in the US in connection with an international cybercrime ring that was able to take over StubHub user accounts, steal personal identifying information, use victims’ credit cards to make fraudulent electronic ticket purchases, and transfer the proceeds through a global network of accomplices in the United States, United Kingdom, Russia, and Canada.

Stubhub was defrauded of around $1 million.

According to the indictment, StubHub, an eBay subsidiary that operates a public website and digital marketplace for customers to buy and sell e-tickets to various entertainment events, discovered that more than 1,000 accounts were compromised by individuals who used the preexisting credit card information associated with the accounts to purchase tickets without the legitimate cardholders’ authorization.

StubHub reported the fraud and immediately implemented security measures to prevent these intrusions, known as “Account Take-Over” fraud. However, investigators learned that the criminal ring was able to circumvent security protocols within the accounts by using new credit card information stolen from additional victims, instead of the original victims’ preexisting card information.

After investigating the receipts and transaction records of more than 1,600 illegally accessed accounts, analysts in the Manhattan DA’s Office were able to trace the exchanges to internet protocol addresses, PayPal accounts, bank accounts, and other financial accounts used and controlled by the indicted individuals.

Vadim Polyakov, 30, and Nikolay Matveychuk, 21, are charged with using information taken from StubHub accounts and stolen credit card numbers to purchase more than 3,500 e-tickets that were sent to a group of individuals in New York and New Jersey to be resold within hours of an event.

These events included some of New York’s most popular and sought-after events, such as concerts featuring Elton John, Marc Anthony, Justin Timberlake and Jay-Z; athletic events including Yankees baseball games, Giants and Jets football games, Knicks and Nets basketball games, Rangers hockey games, and the U.S. Open; and Broadway shows, such as Book of Mormon.

Daniel Petryszyn, 28, Laurence Brinkmeyer, 29, and Bryan Caputo, 29, are charged with reselling stolen tickets that they received from Polyakov and his associates. As instructed by Polyakov, criminal proceeds from the resale of stolen tickets were divided and directed to multiple PayPal accounts controlled by Polyakov and his associates, as well as multiple bank accounts in the United Kingdom and Germany.

One of these bank accounts belonged to Sergei Kirin, 37, a Russian national who advertised his money-laundering services online. Polyakov directed Petryszyn, Brinkmeyer, and Caputo to send payments to Kirin, who retained a percentage of the money as his fee. Thousands of dollars were also split into separate payments and sent by wire transfer to other money-launderers in London, England and Toronto, Canada.

On July 1, the DA’s Office determined that Polyakov and a friend were traveling in Spain. Within hours of confirming his presence in the country, Interpol issued an international Red Notice for his arrest. Two days later, Spanish authorities working with United States Secret Service agents arrested Polyakov outside of his hotel near Barcelona.

On Wednesday, investigators from the DA’s Office, NYPD, United States Secret Service, Bergen County, and Hudson County, executed search warrants in New York and New Jersey at the residences of Petryszyn, Brinkmeyer, and Caputo for additional evidence of their participation and involvement in the scheme.

Abroad, City of London Police detectives investigating what they suspect to be the proceeds of criminal activity being laundered through legitimate UK bank accounts arrested three men. The men, aged 27, 39, and 46, were arrested in London on suspicion of money laundering offenses and taken to local police stations for questioning. Royal Canadian Mounted Police also executed a search warrant and arrested an additional suspected money-launderer in Toronto.

The defendants are charged in New York State Supreme Court with varying degrees of Money Laundering, Grand Larceny, Criminal Possession of Stolen Property, and Identity Theft, among other charges.

“As Stubhub’s 1,000 customers join those of Adobe, Snapchat, Michaels and Neiman Marcus in an already long list of 2014 data breaches, today’s news should act as yet another reminder that a different approach to data security is urgently required,” Paul Ayers, VP EMEA, Vormetric, commented for Help Net Security.

“The only solution is for businesses to ensure they have sophisticated security intelligence solutions in place – capable of providing continuous, real-time monitoring of their IT systems. Only by doing so will they be alerted to unusual or anomalous behavior and access patterns as soon as they happen, which may indicate an external attack or a malicious insider, and respond as necessary. In turn, encryption of all data, regardless of where it resides, is a must – ensuring that no matter whose hands it falls into, it remains illegible and essentially useless.”

“This action only solidifies the claim that cooperation between countries against a common threat can take down walls previously blocking the path of justice. Of course, we will see a resurgence in a slightly different form because of the lucrative business would-be criminals find in crime, but at least they know that try as they might, even if they happen to achieve minor victories, it is all for naught once they show up on the radar of those who seek to bring peace and safety to our digital world,” Adam Kujawa, head of Malware Intelligence at Malwarebytes Lab, told Help Net Security.

“All it takes is a small leak in a submarine to bring down the ship, in many cases that is all that law enforcement has to go on when pursuing operations against criminals. The biggest issue the cybercrime world has is that higher level, more professional criminals will always have to deal with less professional customers at some point and in doing so risk their own security. In addition, the greed and opportunity that comes along with cybercrime puts a lot of criminals out of the more paranoid mindset and forces them to do business with less secure customers, inevitably bringing their enemy (undercover law enforcement officers) into their graces, starting a chain of events that gets them caught.”