After discovering a cache of 17 million emails exposed on an unsecured database, researchers with vpnMentor began to hunt for its owner — but to their surprise, they found that the database belonged not to a company, but to a sophisticated criminal network.
Cybercriminals had been both collecting emails and creating their own as part of a major fraud scheme targeting Groupon, Ticketmaster and other major online vendors. Using stolen credit cards, the cybercriminals opened millions of fake accounts, used them to buy tickets on various ticket vendor sites, and then resold the tickets to others online. The scheme had been running since 2016, until the fraudsters made a fatal mistake: leaving the emails open to the public on the unsecured database.
“Since 2016, they have been using a combination of email, credit-card [fraud] and ticket fraud against Groupon, Ticketmaster and many other vendors,” according to Noam Rotem and Ran Locar, researchers with vpnMentor, in a Wednesday analysis. “Groupon has been trying to shut this operation down ever since it started, but it has proven resilient.”
The enormous database contained 17 million emails and totaled 1.2 terabytes of data. The exposed data appeared to include personal details of anyone purchasing tickets from a website that used the ticket processing platform Neuroticket, as well as records from coupons, discounts, newsletter and promotional emails, and more. The millions of emails came from two sources: addresses generated by the fraudsters themselves and tied to the fraudulent accounts, and addresses collected from the corresponding interactions with ticket vendors such as Groupon and with the consumers who bought the resold tickets.
The majority (90 percent) of the database involved records from popular coupon and discounts website Groupon, totaling 16 million altogether.
The other 10 percent of the database included records from both small independent venues (such as the Pacific Northwest Ballet, Fox Theatre in Georgia and the Colorado Ballet in Denver) and the internet’s biggest ticket vendors, Ticketmaster and Tickpick.
In another twist, researchers also found a ransom note embedded in the database, claiming to have extracted the information and asking for $400 in Bitcoin in return for not releasing the database to the public.
“It seems at least one criminal hacker has already hacked the database. Not understanding what they discovered, they’re trying to extort its owners,” researchers said. “This is a known issue with many open databases. It is usually triggered by automated scripts and not manually by humans.”
While initially viewing the database last month, researchers thought that it might be the result of a vulnerability in Neuroticket, the mailing system that was linked to the database.
However, upon further investigation, researchers found that certain parts of the database weren't adding up. For instance, when they contacted 10 randomly chosen email addresses from the database, only one person replied.
Researchers then contacted Groupon, whose security team linked the database to an existing criminal network they had already been chasing since 2016.
According to Groupon, in 2016 the criminal operation opened 2 million fraudulent accounts. The operation monitored the email inboxes linked to those accounts and extracted the purchased tickets from the emails. It then resold the tickets to innocent consumers, who sometimes could not use them because the original transactions had been voided or because the same tickets had been sold to multiple buyers.
“Groupon had been able to close most of the accounts, but not all of them,” researchers said. “The operation has remained resilient, despite excellent work by the company. Groupon’s chief information security officer (CISO) estimates the number of fraudulent accounts in the network we helped uncover to be as high as 20,000.”
Researchers said that they are working to alert any other parties impacted by the breach, including customers, clients and website users. The database is no longer online.