Email, purporting to be from ticket buying and selling marketplace StubHub, supposedly provides order details for the purchase of tickets to a boxing match in Las Vegas.
The email is not from StubHub. The message is a phishing scam designed to trick recipients into divulging their credit card details to cybercriminals.
Subject: Order Placed – Ticket Order #47223311 Thanks for your order! We’ve instructed the seller to confirm your order within the next 48 hours. After the seller confirms your order, you can expect your tickets to be delivered by the date below. Expected delivery date: Monday, 10/31/2011 (based on seller estimate)
Note: Your card has been authorized for the amount of your order but has NOT YET BEEN CHARGED. You will be charged when the seller confirms your order. Please review the information below. Thanks for shopping at StubHub!
Login to StubHub! to view your order confirmation.
Order #: 47223311 | Order date: 10/27/2011
Manny Pacquiao vs Juan Manuel Marquez Boxing Tickets at MGM Grand Garden Arena, Las Vegas, NV
Saturday, 11/12/2011 03:00 p.m. (PST) (Event time subject to change – Check local listings)
Quantity: 2 tickets
Section: Lower 17
Row: S | Seats: 16, 17
This shipment will be sent to:
5953 S Denker Ave
Los Angeles, CA 90047
Shipping method: FedEx Standard Overnight
We don’t have a FedEx tracking number for you yet. We’ll send it with your order confirmation email.
Price per ticket: $1250.00
Quantity: x 2
Service fee: + $250.00
Delivery services: + $16.95
Order total: $2766.95
The credit or debit card has been authorized but has not yet been charged. Your card will be charged within the next 48 hours.
Thanks for using StubHub!
If you have any questions, comments, or concerns, please contact us.
StubHub Customer Service
Weekdays: 5:00 a.m. – 8:00 p.m. (Pacific time)
Weekends: 6:00 a.m. – 7:00 p.m. (Pacific time)
StubHub! Where fans buy and sell ticketsTM
StubHub Email ID: TEB_ORDER_PLACED_FDXTIH
As phishing scams go, this one is somewhat more sophisticated than most. The scam message, which purports to be from online ticket marketplace StubHub, disguises itself as an order for tickets to a boxing match to be held in Las Vegas.
According to the email, the total cost of the tickets comes to a hefty $2766.95, although it assures the recipient that his or her credit card has been authorized for that amount but not yet charged.
And therein hides the hook in this particular phishing expedition. Some recipients, panicked by the mistaken notion that their credit card details have been stolen and used to purchase the tickets, will follow the link to view their order confirmation as instructed in the scam message. Once on the bogus website that the link opens, victims will be told that they can review and cancel the supposed transaction – but only by submitting credit card details and other personal information to verify their right to do so. Of course, any information submitted on the bogus website can then be harvested by scammers and used for credit card fraud and identity theft.
StubHub issued the following warning to customers via its website and Facebook Page:
We are aware that some people have received an email regarding order number 47223311, which they did not place. The email is a phishing email, and was NOT sent by StubHub or any affiliate. Your credit cards have not been charged. Please DO NOT click on any link in the email. If you have logged in to your account via one of the links in the email, you should log into your StubHub account immediately (https://www.stubhub.com/account/) to change your StubHub password.
If you have not clicked on any of the links contained in the email, you can safely delete it.
It appears that the scam website has now been shut down, but other incarnations of the scam may follow.
Phishing scammers and malware distributors have often used fake order notifications as a means of enticing potential victims to follow links or open attachments.
Be wary of any unsolicited email that claims that you have made purchases or transactions that you know nothing about. If you receive such an email, do not follow any links or open any attachments that it may contain. If you are concerned about possible unauthorized transactions, check directly with the company or financial institution involved.