

Mystery database left open turns out to be at heart of a huge Groupon ticket fraud ring

Yes, turns out people still use this voucher biz – who knew?

Updated We have a new twist on the "researchers find unprotected public-facing cloud-hosted database" story, as one recently uncovered archive turned out to be at the heart of a years-long fraud operation.

The folks at VPNmentor said they were confused when first encountering a mystery database that contained details on scores of accounts on ticket purchasing sites. The profiles were all seemingly interested in events at small, independent theaters and music venues.

Essentially, a bunch of crooks had assembled their own database of online accounts they had created to use for fraud – and then accidentally left that database facing the public internet.

"The breach seemed to give access to personal details of anyone purchasing tickets from a website using Neuroticket," explained the VPNmentor team, headed up by Noam Rotem and Ran Locar, on Wednesday. "Initially, we believed this vulnerability compromised customers on these websites."

Even more curious, when the team tried to track down the owners of the email addresses listed in the database, they got few responses, suggesting the vast majority were fake accounts created by crims for mischief and fraud.

When efforts to tie the records to a breach of Neuroticket, Ticketmaster, or Tickpick all resulted in dead ends, the team noticed that around 90 per cent of the records also referenced Groupon.

When the VPNmentor crew got in touch with Groupon, they had their breakthrough. It turns out the accounts had all been used to purchase tickets for gigs, plays and concerts that were on offer through Groupon deals. What's more, Team VPNmentor claims, Groupon immediately recognized the purchases as being the work of a fraud ring it had been tracking since 2016.

The fraudsters in this case used an army of fake accounts and stolen credit card numbers to make bulk purchases of tickets being offered at a discount on Groupon. Those tickets were then resold by the fraudsters at full price (or at a markup) to turn a quick profit.

"Groupon had been able to close most of the accounts, but not all of them. The operation has remained resilient, despite excellent work by the company," VPNmentor's team said in their write-up.

"Groupon’s Chief Information Security Officer (CISO) estimates the number of fraudulent accounts in the network we helped uncover to be as high as 20,000."


It gets even more bizarre. When combing through the records in the database, the VPNmentor crew found a note from another hacker who had stumbled on the exposed silo.

"Claiming to have extracted information from the database, it demanded a ransom of $400 in Bitcoin, in exchange for not releasing the stolen data to the public and subsequently deleting it," the team notes.

"It seems, at least one criminal hacker has already hacked the database. Not understanding what they discovered, they’re trying to extort its owners."

UK-based bug-hunter Oliver Hough also says he came upon the database a while ago, but was unable to connect the dots with Groupon.

The moral of the story is, as always, keep track of your cloud database instances and always make sure public access is disabled. Even if you're a crook. ®
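One practical way to act on that advice is to audit your cloud firewall rules for database listener ports that are reachable from the whole internet, which is how an archive like this ends up exposed in the first place. The following is an added example, not code from The Register, VPNmentor or Groupon; the rule records are a constructed simplification of cloud security-group ingress rules, and the port list and the trusted source ranges (RFC 1918 plus a made-up corporate egress block, 203.0.113.0/24) are assumptions to replace with your own.

```python
"""Flag security-group rules that expose database ports to the internet.

Added example. Rule format, DB_PORTS and TRUSTED_SOURCES are assumptions
made for illustration, not taken from any real cloud account.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Common database listener ports (assumption: extend for your own estate).
DB_PORTS: Dict[int, str] = {
    27017: "mongodb",
    9200: "elasticsearch",
    5432: "postgresql",
    3306: "mysql",
    6379: "redis",
    5984: "couchdb",
}

# Source ranges treated as internal (assumption: RFC 1918 plus a constructed
# corporate egress block 203.0.113.0/24, which is TEST-NET-3, not a real office).
TRUSTED_SOURCES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")
]


def is_internet_facing(cidr: str) -> bool:
    """True unless the source CIDR lies entirely inside one trusted range.

    Deliberately avoids ipaddress's is_global/is_private: some Python
    versions classify 0.0.0.0/0 as private because both 0.0.0.0 and the
    broadcast address 255.255.255.255 sit in the reserved list.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        net.version == trusted.version and net.subnet_of(trusted)
        for trusted in TRUSTED_SOURCES
    )


def find_exposed_db_ports(rules: Iterable[dict]) -> List[Tuple[str, int, str, str]]:
    """Return (group, port, service, source_cidr) for every database port
    that an internet-facing ingress rule admits. Protocol "-1" means all
    ports, as in cloud security groups."""
    findings = []
    for rule in rules:
        if not is_internet_facing(rule["cidr"]):
            continue
        if rule["proto"] == "-1":
            lo, hi = 0, 65535
        else:
            lo, hi = rule["from_port"], rule["to_port"]
        for port, service in DB_PORTS.items():
            if lo <= port <= hi:
                findings.append((rule["group"], port, service, rule["cidr"]))
    return sorted(findings)


# Constructed sample rules, not from any real account.
SAMPLE_RULES = [
    {"group": "sg-web", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "proto": "tcp", "from_port": 27017, "to_port": 27017, "cidr": "10.0.0.0/8"},
    {"group": "sg-db", "proto": "tcp", "from_port": 27017, "to_port": 27017, "cidr": "0.0.0.0/0"},
    {"group": "sg-search", "proto": "tcp", "from_port": 9200, "to_port": 9300, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "203.0.113.0/24"},
    {"group": "sg-cache", "proto": "-1", "cidr": "::/0"},
]

if __name__ == "__main__":
    for group, port, service, cidr in find_exposed_db_ports(SAMPLE_RULES):
        print(f"{group}: {service} ({port}/tcp) open to {cidr}")
```

On the sample rules this reports the MongoDB group open to 0.0.0.0/0, the Elasticsearch group whose 9200-9300 range is world-reachable, and every database port behind the all-protocol rule that admits ::/0; the PostgreSQL rule restricted to the trusted egress block and the rule restricted to 10.0.0.0/8 are silent. Feed it the ingress rules exported from your cloud provider and run it on a schedule, since a one-off audit would not catch the instance that is created correctly and opened up later.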

Updated to add

Since publication, Groupon has dropped us a line to stress its own systems were not compromised by criminals, and that the exposed database appears to be full of marketing emails. No more than 673 purchases were made by the crooks, Groupon added.

Furthermore, Groupon says it doesn't know if the database is related to its 2016 investigation, as claimed by VPNmentor. "There are some similarities, but we have no evidence they're related or connected," a spokesperson for the voucher biz said.
