Leaky database full of Groupon emails turns out to belong to crooks

Having stumbled upon what initially looked like a bug in a ticket processing platform used by Groupon and other big online ticket vendors like Ticketmaster and TickPick, vpnMentor’s research team, led by Noam Rotem and Ran Locars, determined that it actually belonged to crooks who were ripping off those ticket sellers… and doing an #epicfail at locking down their database-o’-fraud.

As part of a web-mapping project, the researchers would scan internet ports looking for known IP blocks and use those blocks to see if there were holes in a company’s web system.

That’s when they came upon the huge stash of not-so-private data – 17 million publicly available emails and 1.2 terabytes of data.

They found the goodies publicly posted in an Elasticsearch cloud database that somebody forgot to slap a password onto.

It looked like the breach gave unrestricted access to the personal details of anyone purchasing tickets from a website using NeuroTicket, which appeared to be a mailing system linked to the database.

Initially, Rotem and Locar believed that the vulnerability compromised customers of a slew of small, independent performance venues – including a number of ballet spaces and theaters. They believed two of the biggest online ticket vendors were also affected: Ticketmaster and TickPick.

But the bulk of the database – 90%, or 16 million records – pertained to Groupon, the popular coupon and discounts website. They sussed that out by the presence of Groupon’s newsletters and promotional emails among the records.

Neuro-WHO?

But the researchers’ suspicions were aroused when they started to look around for information on that NeuroTicket email system attached to the Elasticsearch database. You’d be suspicious too, were you to do the same – among the top search results I found was a bizarre YouTube video with rally bed spahlling and turble gremar & sintax and a “NOT SECURE” site with a bunch of other Neuro-somethings listed.

What I now consider to be an understatement from the researchers:

Finding any information on Neuroticket proved difficult. Considering it seemed a popular piece of software, it didn’t even have a website.

(…though its nonexistent website has been rated favorably by a “ScamAdviser” site… in spite of having 0 reviews …so, buyer beware if you use one of these reputation rating sites before you buy a domain!)

Rotem and Locar also began to question the validity of the email addresses in the database. To test whether they were fake or not, they randomly selected 10 of them and wrote to the supposed owners.

Only one person replied to us.

Finally, they reached out to Groupon, and that’s when they discovered that what they’d uncovered wasn’t a run-of-the-mill database leak. Rather, they’d exposed what they called “a massive criminal operation that has been defrauding Groupon and other major online ticket vendors at least since 2016.”

Groupon’s three-year chase

After Groupon’s security team took a look at the database, cross-referencing it with information from their internal systems, they linked it to a criminal network they’ve been chasing for three years.

Back in 2016, the criminal network opened two million fraudulent accounts on Groupon. They used stolen credit cards to buy tickets through the Groupon accounts, and then they’d turn around and resell them to unsuspecting buyers.

Groupon had managed to close most, but not all, of the bogus accounts. Groupon’s Chief Information Security Officer (CISO) estimated that there were some 20,000 of these fake accounts in the network that the researchers helped to uncover.

How the ticket reselling fraud worked

The Elasticsearch database held emails that had been sent to the bogus accounts and filtered out for further analysis by the crooks. The researchers said that the crooks would extract tickets from the emails, which, for example, came in PDFs from Groupon.

Then, they’d sell those tickets, which are sometimes worthless when you show up at the event.

What do you mean, my ticket isn’t valid?!

CNET talked to Jack Slingland, vice president of operations at TickPick, who declined to comment on the researchers’ findings but who did say that the company is always on the lookout for fraud. Slingland said that customers who purchase tickets resold through TickPick are guaranteed comparable tickets if they find they’ve been sold a fraudulent ticket.

That guarantee is off the table, though, if the ticket comes from another ticket-selling site, he said.

The ransom note

The crooks’ database wasn’t just up on a website, visible to anybody with the right IP address. It was up on a website, unprotected, so that another bunch of crooks could come along and slurp up all the data… and then try to ransom it to the crooks who gathered it.

That’s exactly what happened. Embedded in the database, Rotem and Locar found a ransom note. The data kidnapper claimed to have extracted information from the database, and they demanded a ransom of $400 in Bitcoin, in exchange for not releasing the stolen data and subsequently deleting it.

It seems, at least one criminal hacker has already hacked the database. Not understanding what they discovered, they’re trying to extort its owners.

Rotem and Locar said that this is a known issue with many open databases and is usually triggered by automated scripts, as opposed to being an attack that was manually launched by humans.

In other words, it was a brainless attack, launched against a database run by crooks who were mud-dumb about infosec. Isn’t it refreshing to see a reminder that cybercriminals aren’t always all that slick?

The database is now offline.