“The breach seemed to give access to personal details of anyone purchasing tickets from a website using Neuroticket,” explained the VPNmentor team, headed up to Noam Rotem and Ran Locar, on Wednesday.<\/p>\n
“Initially, we believed this vulnerability compromised customers on these websites.”<\/p>\n
Even more curious, when the team tried to track down the owners of the exposed email addresses, they got few responses, indicating the vast majority were fake accounts.<\/p>\n
When efforts to tie the records to a breach of Neuroticket, Ticketmaster, or Tickpick all resulted in dead ends, the team noticed that around 90 per cent of the records also referenced Groupon.<\/p>\n
When the VPNmentor crew got in touch with Groupon, they had their breakthrough. It turns out the emails had all been used to purchase tickets for gigs, plays and concerts that were on offer through Groupon deals. What’s more, Groupon immediately recognized the purchases as being the work of a fraud ring it had been tracking since 2016.<\/p>\n
The fraudsters in this case used an army of fake accounts and stolen credit card numbers to make bulk purchases of tickets being offered at a discount on Groupon. Those tickets were then resold by the fraudsters at full price (or at a markup) to turn a quick profit.<\/p>\n
“Groupon had been able to close most of the accounts, but not all of them. The operation has remained resilient, despite excellent work by the company,” VPNmentor’s team said in their write-up.<\/p>\n
“Groupon\u2019s Chief Information Security Officer (CISO) estimates the number of fraudulent accounts in the network we helped uncover to be as high as 20,000.”<\/p>\n
![\"Hacker](\"https:\/\/regmedia.co.uk\/2019\/08\/23\/grantwest.jpg?x=174&y=115&crop=1\")
<\/p>\nCybercrook hands cops \u00a3923k in Bitcoin made from selling phished deets on the dark web<\/h2>\n
READ MORE<\/span><\/a><\/div>\n It gets even more bizarre. When combing through the records in the database, the VPNmentor crew found a note from another hacker who had stumbled on the exposed database.<\/p>\n “Claiming to have extracted information from the database, it demanded a ransom of $400 in Bitcoin, in exchange for not releasing the stolen data to the public and subsequently deleting it,” the team notes.<\/p>\n “It seems, at least one criminal hacker has already hacked the database. Not understanding what they discovered, they\u2019re trying to extort its owners.”<\/p>\n UK-based bug hunter Oliver Hough also says he came upon the database a while ago, but was unable to connect the dots with Groupon.<\/p>\n Ha no way! I found this last year, reported it to Groupon, tried tracing the owners, in the end I gave up<\/p>\n Nice work! https:\/\/t.co\/WAw1ugVzJ6<\/a><\/p>\n \u2014 Oliver Hough Esq. (@olihough86) September 11, 2019<\/a><\/p><\/blockquote>\n The moral of the story is, as always, keep track of your cloud database instances and always make sure public access is disabled. \u00ae<\/p>\n\n