23
Jul 14

Feds: Hackers Ran Concert Ticket Racket

A Russian man detained in Spain is facing extradition to the United States on charges of running an international cyber crime ring that allegedly stole more than $10 million in electronic tickets from e-tickets vendor StubHub.

Vadim Polyakov, 30, was detained while vacationing in Spain. Polyakov is wanted on conspiracy charges to be unsealed today in New York, where investigators with the Manhattan District Attorney’s office and the U.S. Secret Service are expected to announce coordinated raids of at least 20 people in the United States, Canada and the United Kingdom accused of running an elaborate scam to resell stolen e-tickets and launder the profits.

Sources familiar with the matter describe Polyakov, from St. Petersburg, Russia, as the ringleader of the gang, which allegedly used thousands of compromised StubHub user accounts to purchase huge volumes of electronic, downloadable tickets that were fed to a global network of resellers.

Robert Capps, senior director of customer success for RedSeal Networks and formerly head of StubHub’s global trust and safety organization, said the fraud against StubHub — which is owned by eBay — largely was perpetrated with usernames and passwords stolen from legitimate StubHub customers. Capps noted that while banks have long been the target of online account takeovers, many online retailers are unprepared for the wave of fraud that account takeovers can bring.

“In the last year online retailers have come under significant attack by cyber criminals using techniques such as account takeover to commit fraud,” Capps said. “Unfortunately, the transactional risk systems employed by most online retailers are not tuned to detect and defend against malicious use of existing customer accounts.  Retooling these systems to detect account takeovers can take some time, leaving retailers exposed to significant financial losses in the intervening time.”

Polyakov is the latest in a recent series of accused Russian hackers detained while traveling abroad and currently facing extradition to the United States. Dmitry Belorossov, a Russian citizen wanted in connection with a federal investigation into a cyberheist gang that leveraged the Gozi Trojan, also is facing extradition to the United States from Spain. He was arrested in Spain in August 2013 while attempting to board a flight back to Russia.

Last month, federal authorities announced they had arrested Russian citizen Roman Seleznev as he was vacationing in the Maldives. Seleznev, the son of a prominent Russian lawyer, is currently being held in Guam and is awaiting extradition to the United States.

Arkady Bukh, a New York criminal lawyer who frequently represents Russian and Eastern European hackers who wind up extradited to the United States, said the Polyakov case will be interesting to watch because his extradition is being handled by New York authorities, not the U.S. government.

“I’m not saying they won’t get some help from the feds, but extradition by state prosecutors is often a failure,” Bukh said. “In fact, I don’t remember the last time we saw a successful extradition of cybercrime suspects by U.S. state prosecutors. You have to have a lot of political juice to pull off that kind of thing, and normally state prosecutors don’t have that kind of juice.”

Nevertheless, Bukh said, U.S. authorities have made it crystal clear that there are few countries outside of Russia and Ukraine which can be considered safe havens for wanted cybercriminals.

“The U.S. government has delivered the message that these guys can get arrested anywhere, that there are very few places they can go and go safely,” Bukh said.


34 comments

  1. “largely was perpetrated using using usernames”

    Small typo in 4th paragraph. The word “using” appears twice in a row

    • “online retailers are not tuned to to detect and”

      Here’s one in the fifth paragraph as well. Double “to”.

  2. Hah!

    What are all these crooks doing with all their money if they cannot go abroad to spend it? Don’t you feel sorry for the “poor” deprived ones?

  3. I heard this story on NPR this morning, but of course without the insights Krebs provides. Makes me wonder if those on the front end of things will EVER really have any possibility to get ahead of the hacking side. So many avenues to pursue in cyber fraud, from the faux tax returns to evolutions in skimmers and selling venues like the one reported here. I wonder how companies are accounting and balancing these days for the losses that must be anticipated due to cyber-shrinkage. We are foolish to think that we average folks aren’t seeing prices padded to account for it.

    • Well it seems to me that losses due to fraud are a very small fraction of these large operations’ total profits and I hope you are not naive enough to believe that there’s a direct relationship between prices to the consumer and operating costs …

  4. You don’t leave the safety of mother Russia when you’re running a crime ring. Do these guys not read Krebs?

    • It’s hard to read anything when you spend all your time gazing at your own navel.

      Arrogance is trade and parcel for these folks. It’s why they don’t cover their tracks (because Russian language sites will prevent anyone who’s not Russian from finding them, duh), and why they travel with impunity.

    • ” Vadim Polyakov, 30, was detained while vacationing in Spain. ” The hackers can now stay safe from arrest in mother Russia and enjoy warm weather by going to Sevastopol, the Miami of Russia, also stolen property.

    • LOL These folks think “I’m a Russian – Chinese citizen, your laws mean nothing to me so I will do whatever I want and won’t even cover my tracks.”

      Then they start screaming when they get nabbed on vacation and get extradited and are told “Russian – Chinese citizenship means nothing here either … now let’s go meet your new cell block boyfriend.”

      Technically, we should just go the Israeli route … and instead of sending an extradition team … just send an execution squad.

  5. So, how were they getting the login credentials? What’s the pattern? Weak password reset controls?

  6. Brian, Seleznev is the son of a prominent Russian lawmaker (in reality a mockery of a PM, a puppet of Putin’s administration, just like most of the Russian parliament, but it’s a different story), not a lawyer

  7. This is one reason why it was impossible to get Pearl Jam tickets without going through a reseller and laying out many Ben Franklins.

    • Remember when Pearl Jam was on Capitol Hill testifying on credit card fees and how no one should spend more than $17 to see a Pearl Jam concert?

    • Maybe in some cities it was cost-prohibitive, but where I live there were empty seats at the Pearl Jam show. Perhaps it was because the show was on a Tuesday night, but I got my ticket off Craigslist for something like $20-25.

  8. This makes me wonder if it is safe for Americans to vacation in other countries. After all some foreign country or state within a foreign country could charge someone with a crime and the person might not even be aware that they are being pursued.

    • Absolutely. You have to figure that Russia will try to nab some American under falsified charges and then try to barter for their release with one of their own – probably the lawmaker’s son.

    • America has extradition treaties with many other countries: http://en.wikipedia.org/wiki/Extradition .

      • ” Seleznev, the son of a prominent Russian lawyer, is currently being held in Guam and is awaiting extradition to the United States.”

        Guam IS the United States. There is no extradition required here.

        • Actually, there is such a thing as extradition from one state (or, in this case, territory) to another within the United States. However, this is a matter of federal and constitutional law as opposed to negotiated treaty.

    • I wouldn’t go visiting a Russian puppet state, but the Russian government has spent most of the past decade burning bridges with the first world; they’re unlikely to be able to extradite someone on fake charges.

      The first world state will demand to see the requisite documentation and authentication, and they’re pretty good at spotting falsified documentation (even Dubya couldn’t do it).

  9. May I respectfully suggest that you go to the venue’s or group’s respective box office directly?

    This is what I do for the few events I go to here in Portland, including the Portland Gay Mens Chorus and the Portland Winterhawks and I never had any of these types of problems.

    I also save from the service fees by going direct.

    I think that the individual venues and groups (choirs, theater groups, etc) may be ‘under the radar’ for these guys to bother with.

    Mark Allyn

    • Stephen - NYC

      Mark,
      That (saving on service fees) might be possible in a small, non-corporate venue, but going to a place like Madison Square Garden here in NYC you’d probably still have to pay the vig for the ticket, since the contracts still specify it no matter the purchase point.

    • Unfortunately, the most popular tickets in big cities are sold out electronically within minutes. Even if you were to wait at the box office on the first day of sale, near the head of the line, the best seats will already be sold out by the time you’re called to the window.

      In NY, where StubHub does a large part of its business, the problem is compounded by ticket brokers. Ticket brokers (not scalpers) are legal in New York and because they make reliably large purchases to the popular events, many venues set aside blocks of tickets for them. Then the brokers (often using StubHub and similar services) turn around and resell the tickets with markups and fees.

      Even where ticket brokers are illegal, there will always be groups buying up batches and scalping them online.

      If you’re not lucky enough to get GOOD tickets for a popular event in a big city at a box office, you’ll be overpaying one way or another. :(

  10. Small typo: Retooling these system to detect account takeovers can take some time, leaving retailers exposed to significant financial losses in the intervening time.” — should be “systems”.

    Thanks, Brian. I eagerly await your daily posts and regularly forward them on to others. Thanks for being “Danger Guy” and exposing the bad hats.

  11. While I despise the malware crooks, stubhub is nothing but a scalper site. They are one of the main reasons the average person spends a fortune to see a concert or a play, or a sporting event. I feel bad for the people that may have been robbed, but not for stubhub, I hope it goes out of business.

  12. Why is it the first post on another great article by Brian is people grammar trolling him….it’s getting really old. How about you guys email him instead of posting publicly.

    • Eh, everyone makes mistakes, I don’t think they’re really bitching about his grammar just pointing them out. Brian can delete responses, if he really didn’t like seeing them they’d be gone.

      Personally before I send anything professional I try to get someone else to proofread what I wrote, to spot these kinds of things. With only one set of eyes it’s very easy to overlook grammatical mistakes. Thankfully in the digital age we don’t have to worry about spelling errors (well, so long as you take advantage of dictionary-based spell correctors), but grammar is still tricky.

      Microsoft Word really makes me laugh sometimes, it’ll flag a sentence as needing to be reworded, suggest a different sentence, then flag the suggested sentence as needing to be reworded…

  13. TheOreganoRouter.onion.it

    How come my posts are no longer showing up?

  14. My e-business clients need to wake up to the risks that these thugs pose, and this article is a textbook example why … thanks for breaking this story!

  15. Why did the Russian lawyer state that state’s attorneys had less pull than the feds in extraditions? He said they always failed.