Feeds

Olympic ticket scammers still going for gold

Who can you trust?

High performance access to file storage

In the age of the P-p-p-p-powerbook and the ubiquitous 419 scammer, it comes as no surprise that many people have fallen for a Beijing Olympics ticketing scam that seems to have hit people all across the world. Due to the rarity of tickets for the games, and the particular setup of the scam site (and others), there was a lot of money lost by many people as they struggled to get their hands on tickets that didn't exist. It is ticket scalping for the 21st century, made even more lucrative by there being no need to actually provide any tickets to the victims.

When MSNBC ran a Forbes Traveler article, initially published late February, it carried links to at least one fake ticketing site. These sites have since disappeared from the actual page, pulled sometime between the end of July and now, but it led to implied legitimacy for the site and helped it gain a search engine position and helped lead many down the path of losing large amounts of money.

By silently fixing the article, MSNBC have contributed to the confusion as to how people were led into believing the site was legitimate. If you or your site find yourself in the position of having to amend something that you have already published online, you need to make sure that visitors can tell that you have amended the original page and at least identify what has changed. MSNBC's silent fix, without any acknowledgement that the original links might not have been appropriate, is the worst possible way to deal with things, it is even worse than leaving the information as it was - at least then people could identify where the implied legitimacy had originated from.

Just to make it clear, this is NOT THE REAL BEIJING GAMES TICKET SITE, this one is. Does it mean that the Chinese Olympic organisers have failed to secure all probable online domains before selling tickets? It is impossible to completely close off the multitude of possible domains that might be set up to try and sell tickets, so the organisers aren't really at fault for that. Could they have made more effort to secure likely domains? Probably. Then again, hindsight is always perfect.

Key to the whole incident is how trust is allocated and determined when interacting with new sites on the Internet. It actually highlights one of the biggest problems with establishing viable online trust. If a site, such as MSNBC, that you would normally otherwise trust, provides a link to a malicious site and claims it is legitimate, how would you be able to tell if the link is malicious if you had never been there before? Under almost any trust model that exists, the site would have gained trustworthy status earlier this year, when MSNBC first linked to it.

Where the trust breakdown took place was when people failed to receive their tickets and it was realised that the site was claiming ticket availability for events that had long been completely sold out. Some of the more advanced trust models that are in development (such as the one developed by Sûnnet Beskerming) would have given the site a dubious weighting, but would have struggled to offset the implied trust delivered by other sites against the Official Beijing site, which should have been the only one to offer tickets for sale.

All you need to trick people into giving you their money, it seems, is to have a flashy website and promise delivery in the future for some desirable item. If you want to find out more about the risks and what sites are scamming people, one of the best resources for those who are trying to hunt down the people behind the various scams is over at beijingticketscam.com.

This article originally appeared at Sûnnet Beskerming.

© 2008 Sûnnet Beskerming Pty. Ltd

Sûnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sûnnet Beskerming provides global reach with a local touch.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.