Discovery of unsecured database reveals ticket fraud scheme
- Security researchers discovered an exposed database with 17 million email addresses. On investigation, they found that the database belonged to a group of cybercriminals.
- The scheme involves hackers purchasing tickets from various sites with stolen credit card information, and then reselling them online.
What is the story?
Noam Rotem and Ran Locar, researchers at vpnMentor, found an unsecured database with 17 million records and 1.2 terabytes of data.
- The breach allowed access to the personal details of users purchasing tickets from any website that uses the Neuroticket software.
- This impacted popular ticket vendors such as Groupon, Ticketmaster, and TickPick, as well as various small independent venues.
- The researchers observed that many email addresses in the database did not seem authentic. To test this, they contacted ten randomly chosen email addresses but heard back from only one.
- Most of the records in the database involve Groupon, a popular website for coupons and discounts.
- After further investigation and contacting Groupon, the researchers discovered that the database belonged to a group of criminals.
How did the criminals operate?
The criminals created accounts with fake information on the ticketing sites. They purchased tickets using stolen credit card information and then sold these tickets to fans.
To do this, the fraudsters filtered relevant emails from their email account into the Elasticsearch database and extracted the tickets.
A ransom note was found embedded in the database. It demanded $400 in Bitcoin in exchange for not publicly exposing the data and for later deleting it.
“It seems at least one criminal hacker has already hacked the database. Not understanding what they discovered, they’re trying to extort its owners,” researchers said.
What actions are being taken?
Groupon associated the database with a criminal network they’ve been after since 2016.
- It is reported that nearly 2 million fake Groupon accounts were created in 2016. These accounts were used to buy tickets using stolen information and then resell them.
- Although Groupon has worked on closing as many such accounts as possible, the operation has persisted.
- Working with the vpnMentor research team, Groupon has made progress in dealing with this breach.