Customers of UK ticketing agency TicketWeb, a subsidiary of TicketMaster, received phishing emails from the company over the weekend after its direct email marketing system was hacked. Users received an email that told them their current version of Adobe Acrobat Reader was out of date, and asked them to upgrade to the 2012 …
Points for TicketWeb?
Hack shouldn't have happened - but at least they did the right thing ASAP. Many companies would try to hide it instead.
Not to dismiss the risks here
but as described here this doesn't sound like a very compelling ploy:
"Users received an email that told them their current version of Adobe Acrobat Reader was out of date, and asked them to upgrade to the 2012 version. Within the email was a link to the upgrade that took them to a third-party website where they were asked for personal information, including their card details."
a) why would TicketMaster be telling you that Acrobat is out of date?
b) why would you need to put in your credit card numbers to get an Acrobat update?
Again, not to trivialise this but (unless this was done with a bit more finesse than described here) hopefully relatively few people will have fallen for it.
I guess having your e-mail address stolen for spam purposes (I assume?) is pain enough in any case.
I received a couple and smelled a rat. Not that difficult a rat to smell. As you say, Ticketweb asking me to update Acrobat Reader is odd. I am a bit miffed about the deluge of spam I can now expect.
Fessing up to the breach (and quickly) is to Ticketweb's credit, though. Keeping quiet about it would've been a lot more helpful to the spamming basts wot done it.
So a qualified thumbs up.
A, Well it showed up as Adobe Acrobat Reader in my email and only could see the proper details - From: Adobe Acrobat Reader (MAILINGS@TICKETWEB.CO.UK) - when opened.
B, Always surprises me what people will tell you if you just ask. "what's the password for that?" "oh just use my personal one, it's.."
Although both ended up in my junk mail anyway so didn't open either.
Wrote :- why would TicketMaster be telling you that Acrobat is out of date?
I don't know about you, but I am always having websites nagging me that my Acrobat or Browser or Flash player is out of date. It may be because I am using the versions that run under Linux. My reaction is to ignore the advice or go elsewhere if the site won't work. If the site offers feedback I also tell them to f--k off.
So what information did they have access to?
I initially thought they did a data grab and then spammed the addresses from elsewhere but the spam emails originated from the ticket master system itself.
The final 'adobe' server address was even wrapped up in the ticket master tracking code ie...
I wonder what data was actually held on the servers they had access to?
Hmm...I reported the issue to Ticketmaster on Saturday morning. They didn't inform users until Sunday.
Do you recall what time you notified them? tnx
30 hours to fix a server- wtf
I for one am not happy with the way that they responded.
I am peed off that they failed to adequately look after my info but I appreciate that these things happen. What has annoyed me the most is their lack of honesty.
Anyone who has ever purchased from ticketwebUk got an email, even those not opted into their mailing lists. I had only ever used their service once (I purchased tickets in 2006) and was not on any direct mail list.
The malicious emails were sent at 6.30 on Saturday. Some of the recipients would have been TicketwebUk IT staff.
It took them almost 11 hours to send out the warning email.
It took them 17 hours to set up a facebook message. For the first couple of hours they did try to respond to questions but admitted that they didn't fully understand if the links were malicious.
They declined to respond when asked why their servers were STILL redirecting customers to the malicious site.
It took them over 30 hours to plug the hole in their server, this contrasts with their claim (via their help pages) that they fixed the problem on Saturday.
They state that no info, including email addresses, were passed to the toads, again they are being less than honest. Anyone who clicked on the link had their email address and customer ID passed on to ticketmaster MailMaster site and then forwarded to the fake site.
There will be a number of customers that clicked on the link but did not submit their personal details. As a result of Ticketweb's misinformation they will assume that no info has been passed on.
The attacks on other servers recently might have been more serious but at least Sony et al took their servers off line. I can only imagine that Ticketmaster continued to run servers that they knew were compromised for financial reasons.
Not a happy bunny...
I'm [fairly] sure that I'd unsubscribed from TicketWeb emails, after receiving some generally spammy comms about stuff I wasn't interested in.
I still got the Acrobat mail through on Saturday though, which shows that 'unsubscribe' doesn't mean 'delete from database'.
That's probably not uncommon but, yknow; if you're going to keep me on file indefinitely, look after my data better.
I didn't get the adobe related mail but got some other probable malware stuff along the lines of "open this important message" with a .jpg attached. Which makes me think the people that nicked the emails also resold them to their buddies.
Needs to change
I wasn't involved in this breach, but the situation sounds similar to the Epsilon breach last year in the sense that individuals who were unsubscribed, or never subscribed were compromised because the bastards sold/shared their entire customer base with their "partners".
Because I ordered some flowers online in 2004 my email address got leaked.
That has to stop: the aholes can't secure the data so they need to purge it on request: when I say "never ever contact me and just send what I ordered" that means delete me from the marketing databases and don't share me with your partners.
Or, create new unique email addresses for each company you deal with and delete the mailboxes as needed (right after ordering, or after being breached)
Completely agree with imaginarynumber. Taking "... immediate action to close the vulnerability" is a bit of a cheeky lie on the part of Ticketmaster/TicketWeb.
The link in the email goes through to a url on the ticketmaster.com site which then redirected to fake-acrobat-software.com or whatever it was called. All they had to do was take their mailing list system offline and this would mean nobody could be redirected to the phishing website, however several hours after I got the email notifying of the hack the redirection was still working.
Only speculating but I guess the kind of IT team capable of getting hacked in this way are probably not that adept at dealing with the fallout. Makes you wonder about the security of ticketmaster though.