StubHub Helps Crack International Cybercrime Ring

July 24, 2014

StubHub Helps Crack International Cyber Crime Ring Yesterday, several people were arrested, accused of being part of an international cybercrime ring that compromised more than 1,000 accounts at the online ticket marketplace StubHub and stole more than $1 million.

In a press release issued Wednesday, StubHub emphasized that there have been no intrusions into the company’s technical or financial systems, but that customer accounts were accessed using data stolen in other breaches. Eric Boles, senior manager of the Global eCrime Investigations Unit at StubHub, reiterated that when he explained to StubHub’s role in spotting the fraud and bringing evidence to the police.

"I want to make clear that we have no evidence through this investigation that any of our systems were compromised," Boles said.

According to StubHub, legitimate customer accounts were accessed by cybercriminals who had obtained the customers’ valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers’ PCs. The fraudsters then bought tickets for events through the online ticket reseller with stolen credit-card information.

Boles said the probe began around the spring of 2013, when StubHub became aware of a small number of accounts that had been illegally taken over by fraudsters. Since then, the San Francisco-based company, which is owned by eBay, has been working closely with law enforcement agencies around the world to track down and prosecute the criminals.

In a press release issued yesterday, Manhattan District Attorney Cyrus R. Vance, Jr. announced the indictment of six individuals in connection with the cybercrime ring. The suspects are accused of stealing personally identifiable information, using victims’ credit cards to make fraudulent electronic ticket purchases and transferring the proceeds through a global network of accomplices in the United States, United Kingdom, Russia, and Canada, the release states.

"The coordinated actions of law enforcement officials in New York, New Jersey, the United Kingdom, and Canada demonstrate what can be achieved through international cooperation," Vance said. "I thank all of our partners, including the City of London Police, Royal Canadian Mounted Police, the United States Secret Service, and the NYPD for their integral assistance with this investigation."

City of London Police Commissioner Adrian Leppard said: "This is an important investigation, targeting cybercriminals who are believed to have defrauded StubHub out of $1 million by hacking its United States’ customers’ accounts to fraudulently purchase and sell tickets, and then laundered their criminal profits through legitimate UK bank accounts. The coordinated arrests in New York and London highlight how law enforcement will work globally to protect legitimate businesses and consumers from cyber-enabled fraud through the relentless pursuit of suspected criminals."

Boles praised all the agencies involved for their efforts during the investigation, which he said is continuing and may lead to more arrests.

Of the suspects arrested in the U.S., three are from Russia, two are from New Jersey and one is from New York City, authorities said. Three other individuals were arrested in Britain and another in Canada, according to news accounts.

Boles said that when it came to this investigation, it helped that his company was ahead of the curve as far as pursuing and prosecuting cybercriminals involved in other unrelated cases. He also credited the strong collaborative effort between StubHub personnel and law enforcement agencies during the probe.

"The way I see it, private industry needs to do more of this," he noted.

Boles pointed out that everyone on his team has been involved with the probe at one level or another, and that personnel from other StubHub departments have also assisted.

"It’s definitely been a team effort on StubHub’s part," he said.

On Monday, will present an exclusive article featuring StubHub’s Eric Boles and others detailing how StubHub and, increasingly, other retailers are fighting online fraud the old fashioned way: they’re spotting fraud, building credible cases and getting law enforcement involved to arrest and prosecute fraud rings like the one detailed here. If you’re a merchant, learn how using loss-prevention techniques rooted in the brick-and-mortar world alongside cutting-edge technology can reduce fraud far better than software alone.