During an ongoing, large-scale web mapping project, researchers at vpnMentor led by Noam Rotem and Ran Locar discovered a cache of 17M emails and 1.2 terabytes of data on an unsecured database used by a sophisticated criminal network to defraud Groupon, Ticketmaster and many other vendors.
90% of the database involved records from popular coupon and discounts website Groupon
Researchers contacted Groupon, which confirmed that 90% of the email database came from its platform. The fraudsters combined email, credit card and ticket fraud, registering 2 million accounts on the platform in 2016 alone, and Groupon had been chasing them since then. Most of these accounts were closed by Groupon, but not all.
How it worked:
Hackers used the accounts to purchase tickets on the platform and resell them online. The operation monitored the email inboxes linked to the fraudulent accounts, filtering relevant emails into the Elasticsearch database for analysis. From there, the criminals extracted tickets from the emails (in PDF form for Groupon, for example) and ignored any other, irrelevant emails.
They would then, according to Groupon, resell these tickets to unsuspecting members of the public.
Also included in the breached database were support emails and chat logs from Groupon, regarding refunds issued to customers.
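The security-relevant detail in this story is that an Elasticsearch database holding millions of emails was reachable without authentication. The following script, added here as an illustration and not code from vpnMentor or Groupon, audits an elasticsearch.yml for the settings that leave a node open in that way: security disabled, the HTTP port bound to a non-loopback interface, and no TLS on the REST layer. The configuration file embedded in the script is constructed for the example; the settings keys `xpack.security.enabled`, `network.host` and `xpack.security.http.ssl.enabled` are real Elasticsearch options, and the defaults assumed for unset keys follow recent (8.x) releases.

```python
"""Audit an elasticsearch.yml for settings that leave a node reachable without
authentication. Added example, not code from the original article; the sample
configuration below is constructed for illustration."""

# Constructed sample configuration resembling a node bound to all interfaces
# with security switched off (a hypothetical file, not the one from the article).
SAMPLE_ELASTICSEARCH_YML = """\
cluster.name: tickets
node.name: es-1
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
xpack.security.http.ssl.enabled: false
"""

# Values of network.host that keep the node on loopback only.
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "_local_", "::1")


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines used by elasticsearch.yml.

    Comments and blank lines are skipped. Nested YAML is out of scope here,
    which is fine for the dotted-key style Elasticsearch documents use."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_truthy(value):
    return str(value).lower() in ("true", "yes", "on", "1")


def audit_settings(settings):
    """Return a list of (severity, message) findings for an open-node configuration.

    Assumed defaults for unset keys (8.x behaviour): security enabled,
    network.host on loopback, HTTP TLS disabled."""
    findings = []
    security = settings.get("xpack.security.enabled", "true")
    host = settings.get("network.host", "127.0.0.1")
    tls = settings.get("xpack.security.http.ssl.enabled", "false")
    exposed = host not in LOOPBACK_HOSTS

    if not is_truthy(security):
        # Unauthenticated REST API; critical when anyone on the network can reach it.
        severity = "critical" if exposed else "high"
        findings.append((severity, "xpack.security.enabled is false: REST API accepts unauthenticated requests"))
    if exposed:
        findings.append(("medium", f"network.host={host}: node bound to a non-loopback interface"))
    if exposed and not is_truthy(tls):
        findings.append(("medium", "HTTP layer has no TLS: credentials and documents travel in clear text"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config document and audit it."""
    return audit_settings(parse_flat_yaml(text))


if __name__ == "__main__":
    for severity, message in audit_text(SAMPLE_ELASTICSEARCH_YML):
        print(f"[{severity}] {message}")
```

Run it against a real node's config file by reading the file into `audit_text`; a clean result for a node that must be reachable from other hosts is `network.host` set to a specific interface with security and HTTP TLS both enabled, so that only the `medium` binding note remains for review.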