After discovering a cache of 17 million emails exposed on an unsecured database, researchers with vpnMentor began to hunt for its owner — but to their surprise, they found that the database belonged not to a company, but to a sophisticated criminal network.
Cybercriminals had been both collecting emails and creating their own, all linked to fake accounts opened on Groupon, Ticketmaster and other major online vendors. Using stolen credit cards, the cybercriminals opened millions of fake accounts, used them to buy tickets on various ticket vendor sites, and then resold those tickets to others online. The scheme had been running since 2016, until the fraudsters made a fatal mistake: leaving the emails open to the public on the unsecured database.
“Since 2016, they have been using a combination of email, credit-card [fraud] and ticket fraud against Groupon, Ticketmaster and many other vendors,” according to Noam Rotem and Ran Locar, researchers with vpnMentor, in a Wednesday analysis. “Groupon has been trying to shut this operation down ever since it started, but it has proven resilient.”
The enormous database contained 17 million emails and totaled 1.2 terabytes of data. The exposed data appeared to include personal details of anyone purchasing tickets from a website that used the ticket-processing platform Neuroticket, as well as records from coupons, discounts, newsletters, promotional emails and more. The millions of emails were partly generated by the cybercriminals themselves and tied to the fraudulent accounts, but were also collected from the corresponding interactions with ticket vendors, such as Groupon, and with consumers who bought the resold tickets.
The majority (90 percent) of the database involved records from popular coupon and discounts website Groupon, totaling 16 million altogether.
“It’s important to note that we do not believe any of the accounts contained in this database were real customers and that no actual customer information was obtained,” a Groupon spokesperson told Threatpost. “I can’t speak for other companies.”
The other 10 percent of the database included records from both small independent venues (such as the Pacific Northwest Ballet, Fox Theatre in Georgia and the Colorado Ballet in Denver) and the internet’s biggest ticket vendors, Ticketmaster and Tickpick.
In another twist, researchers also found a ransom note embedded in the database, claiming to have extracted the information and asking for $400 in Bitcoin in return for not releasing the database to the public.
“It seems at least one criminal hacker has already hacked the database. Not understanding what they discovered, they’re trying to extort its owners,” researchers said. “This is a known issue with many open databases. It is usually triggered by automated scripts and not manually by humans.”
While initially viewing the database last month, researchers thought that it might be the result of a vulnerability in Neuroticket, the mailing system that was linked to the database.
However, upon further investigation, researchers found that certain parts of the database weren’t adding up. For instance, when they randomly contacted 10 email addresses from the database, only one person replied.
The researchers said that the database was linked to a number of bot-created accounts discovered and purged by Groupon in 2016.
Researchers also said that the criminal operation opened 2 million fraudulent accounts, monitored the email inboxes linked to those accounts and extracted the tickets from the emails. They would then resell the tickets to innocent consumers, who sometimes could not use them because the transactions had been voided or the same tickets had been sold to multiple buyers.
Groupon, for its part, argues that the database and the 2016 accounts are not linked but merely “similar,” and that the initial figure of 2 million fake accounts reported by researchers is not accurate.
“The number was nowhere near 2 million,” the Groupon spokesperson told Threatpost. “It was less than 5 percent of the total. Also, it would be more accurate to call them fake accounts as we didn’t identify any specific fraud associated with them. Just that they didn’t appear to be human. Further, we have no evidence the accounts in the database and those from 2016 are linked — just that they are similar.”
The Groupon spokesperson told Threatpost that the maximum number of transactions associated with this database was 673.
“Groupon had been able to close most of the accounts, but not all of them,” researchers said. “The operation has remained resilient, despite excellent work by the company. Groupon’s chief information security officer (CISO) estimates the number of fraudulent accounts in the network we helped uncover to be as high as 20,000.”
Researchers said that they are working to alert any other parties impacted by the breach, including customers, clients and website users. The database is no longer online.