eBay was the target of cyber criminals again, New York law enforcement revealed on Wednesday. Police arrested six people in connection with an international cyber crime ring whose members hijacked StubHub user accounts. The Manhattan District Attorney said more than 1,600 StubHub users and credit cardholders were victimized by the scheme, and the criminals were believed to have defrauded StubHub out of $1 million.
StubHub, a ticket marketplace belonging to eBay, blamed the account takeovers on data breaches of other businesses. It discovered the attack in March 2013. Criminals allegedly took over user accounts, stole personal identifying information, used victims’ credit cards to make fraudulent electronic ticket (e-ticket) purchases, and transferred the proceeds through a global network of accomplices in the U.S., UK, Russia, and Canada.
The defendants are charged in New York State Supreme Court with varying degrees of Money Laundering, Grand Larceny, Criminal Possession of Stolen Property, and Identity Theft, among other charges.
The attack garnered the attention of print, TV and web media outlets, and StubHub responded on social networking sites. The company tweeted a link to this post on Facebook:
Fans, Score one for the good guys – another victory for fans and NY’s finest. To be clear, your accounts are secure and there have been no intrusions into our technical or financial systems. A year ago, less than .006% of customer accounts were accessed by cyber criminals who had obtained customers’ logins and passwords through data breaches of other businesses. Our Trust and Safety team immediately contacted affected customers, refunded any unauthorized transactions and assisted with changing passwords and securing their accounts.
We’ve been working with New York City law enforcement and agencies around the world to bring these fraudsters to justice. We applaud the efforts of law enforcement agencies worldwide which culminated in the arrests announced today. StubHub has always been and remains committed to maintaining safe and open markets for fans to buy and sell tickets.
According to the DA’s announcement, StubHub discovered that more than 1,000 accounts were compromised by individuals last year who used the preexisting credit card information associated with the accounts to purchase tickets without the legitimate cardholders’ authorization. StubHub reported the fraud and immediately implemented security measures to prevent these intrusions, but investigators learned that the criminal ring was able to circumvent security protocols within the accounts by using new credit card information stolen from additional victims, instead of the original victims’ preexisting card information. After investigating the receipts and transaction records of more than 1,600 illegally accessed accounts, analysts in the DA’s Office were able to trace the exchanges to internet protocol addresses, PayPal accounts, bank accounts, and other financial accounts used and controlled by the indicted individuals, it claims.