September 12, 2019

Large-scale Groupon ticket scam uncovered thanks to exposed database

By Ellen Daniel

The discovery of an exposed database usually spells disaster for the company affected, with the possibility of large fines, the loss of customer data and reputational damage at stake.

However, one database uncovered by a security research team instead had a positive impact on the companies involved, revealing a widespread fraud scheme that had been targeting ticket and voucher vendors including Groupon, Ticketmaster and TickPick for several years.

The research team, led by Noam Rotem and Ran Locar, routinely port-scans known IP blocks to find holes in companies' web systems, as part of their large-scale web mapping project.

Through this, they uncovered an exposed database online revealing what appeared to be the details of 17 million customers, totalling 1.2 terabytes of data.

Containing the names and email addresses of customers who had bought tickets from a website using Neuroticket, a third-party mailing system supposedly used by Groupon and other ticket vendors, the database initially appeared to have compromised the details of millions of customers.

However, what the researchers had actually uncovered was evidence of a large-scale fraud operation. Suspecting that the email addresses listed might be fake, they attempted to contact several of their owners and received no reply, indicating that the addresses did not belong to real customers of the ticket vendors and that the database instead belonged to a third party.
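The article does not say how the team judged the addresses to be fake beyond trying to contact their owners. As an added example (mine, not the researchers' or vpnMentor's method), the script below runs a few cheap heuristics an analyst might apply to a dump like this before doing anything as slow as sending mail: does the local part of the address share anything with the stated name, does it look machine-generated (letters and digits interleaved, or a sequentially numbered run), is the same name reused across many addresses, and is the domain one where nearly every record fails the name check. The records are constructed for illustration, the signal names and all thresholds are assumptions, and a record is flagged only when several signals coincide, because any one of them (a nickname handle, say) is common among real customers too.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not data from the exposed database): a few
# plausible customers plus two clusters that look machine-generated.
SAMPLE_RECORDS = [
    {"name": "Alice Martin", "email": "alice.martin@example.com"},
    {"name": "Bob Ortega", "email": "bortega77@example.org"},
    {"name": "Carol Nguyen", "email": "carol.nguyen@example.net"},
    {"name": "Fay Brooks", "email": "fay.brooks@example.com"},
    {"name": "Dana Park", "email": "x7q2kf9z@throwaway.example"},
    {"name": "Dana Park", "email": "p3m8vr4t@throwaway.example"},
    {"name": "Dana Park", "email": "k9w1hn6c@throwaway.example"},
    {"name": "Evan Cole", "email": "user00012@bulkmail.example"},
    {"name": "Evan Cole", "email": "user00013@bulkmail.example"},
    {"name": "Evan Cole", "email": "user00014@bulkmail.example"},
]

# Assumed thresholds; tune them against a known-good population before use.
MIN_SIGNALS = 2            # signals needed before a record is flagged
MIN_ALTERNATIONS = 3       # letter<->digit switches typical of random IDs
CLUSTER_MIN_SIZE = 3       # records per domain before "domain_cluster" applies
CLUSTER_MISMATCH_RATIO = 0.8
NAME_REUSE_MIN = 3

SEQ_RE = re.compile(r"^([a-z]+)(\d{3,})$")  # e.g. user00012


def local_part(email: str) -> str:
    return email.lower().split("@", 1)[0]


def domain_of(email: str) -> str:
    return email.lower().rsplit("@", 1)[-1]


def name_tokens(name: str) -> set:
    """Lower-case alphabetic tokens of a display name, at least 2 chars long."""
    return {t for t in re.split(r"[^a-z]+", name.lower()) if len(t) >= 2}


def alternations(s: str) -> int:
    """Count letter<->digit switches in s. Random IDs such as 'x7q2kf9z'
    switch many times; human handles such as 'bortega77' switch once."""
    kinds = [ch.isdigit() for ch in s if ch.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def score_records(records):
    """Return {email: [signal, ...]}; an empty list means nothing suspicious."""
    name_counts = Counter(r["name"] for r in records)

    # Sequential numbering: collect numeric suffixes per (domain, alpha prefix).
    seq_groups = defaultdict(set)
    for r in records:
        m = SEQ_RE.match(local_part(r["email"]))
        if m:
            seq_groups[(domain_of(r["email"]), m.group(1))].add(int(m.group(2)))

    # First pass: signals that need no cross-record context.
    signals = {}
    for r in records:
        email, lp = r["email"], local_part(r["email"])
        found = []
        lp_alpha = re.sub(r"[^a-z]", "", lp)
        if not any(t in lp_alpha for t in name_tokens(r["name"])):
            found.append("name_mismatch")
        if alternations(lp) >= MIN_ALTERNATIONS:
            found.append("random_pattern")
        m = SEQ_RE.match(lp)
        if m:
            n = int(m.group(2))
            neighbours = seq_groups[(domain_of(email), m.group(1))]
            if (n - 1) in neighbours or (n + 1) in neighbours:
                found.append("sequential_numbering")
        if name_counts[r["name"]] >= NAME_REUSE_MIN:
            found.append("name_reuse")
        signals[email] = found

    # Second pass: a domain whose records almost all fail the name check looks
    # more like a disposable or bulk mail source than a real provider.
    dom_total, dom_mismatch = Counter(), Counter()
    for email, found in signals.items():
        dom_total[domain_of(email)] += 1
        if "name_mismatch" in found:
            dom_mismatch[domain_of(email)] += 1
    for email, found in signals.items():
        d = domain_of(email)
        if dom_total[d] >= CLUSTER_MIN_SIZE and dom_mismatch[d] / dom_total[d] >= CLUSTER_MISMATCH_RATIO:
            found.append("domain_cluster")
    return signals


def flagged_emails(records):
    """Sorted emails that trigger at least MIN_SIGNALS signals."""
    return sorted(e for e, s in score_records(records).items() if len(s) >= MIN_SIGNALS)


if __name__ == "__main__":
    for email, found in score_records(SAMPLE_RECORDS).items():
        print(f"{email:32s} {', '.join(found) or '-'}")
    print("flagged:", len(flagged_emails(SAMPLE_RECORDS)), "of", len(SAMPLE_RECORDS))
```

On the constructed sample the four plausible customers trigger nothing and the six machine-looking records are flagged. The domain_cluster signal is the weakest of the set: on a large public mail provider plenty of genuine users pick handles unrelated to their names, so on a real dump it should be weighted by domain reputation or dropped for the big providers, and the thresholds should be calibrated against records known to belong to real customers.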

Groupon ticket scam exposed

Rotem and Locar contacted Groupon, to which 90% of the records related, and after analysing the database and cross-referencing it with their own findings, Groupon's security team linked it to a Groupon ticket scam they had been chasing since 2016.

By leaving their cloud-hosted database open to the public, the fraudsters inadvertently exposed their Groupon ticket scam operation. They had opened 2 million fraudulent Groupon accounts using fake email addresses. Using stolen credit card details, they then bought tickets through these accounts from sites including Groupon and Ticketmaster and resold them to fans online, costing the vendors significant revenue.

While conducting its research, the team also found a ransom note inside the database demanding $400 in Bitcoin in return for not releasing what its author took to be customer details, suggesting that another attacker had already discovered the database and believed it to be legitimate. The research was published on review site VPNMentor.

The researchers concluded that the database was not in fact operated by the affected ticket vendors or by Groupon. Instead, it appeared to be linked to email inboxes belonging to an independent party that was using them to run the elaborate scam, showing that even criminals suffer from careless security practices.

According to the report this information could help “zero in on the entire criminal network” and could help “shut it down for good”.

