Feeds

Olympic ticket scammers still going for gold

Who can you trust?

Providing a secure and efficient Helpdesk

In the age of the P-p-p-p-powerbook and the ubiquitous 419 scammer, it comes as no surprise that many people have fallen for a Beijing Olympics ticketing scam that seems to have hit people all across the world. Due to the rarity of tickets for the games, and the particular setup of the scam site (and others), there was a lot of money lost by many people as they struggled to get their hands on tickets that didn't exist. It is ticket scalping for the 21st century, made even more lucrative by there being no need to actually provide any tickets to the victims.

When MSNBC ran a Forbes Traveler article, initially published late February, it carried links to at least one fake ticketing site. These sites have since disappeared from the actual page, pulled sometime between the end of July and now, but it led to implied legitimacy for the site and helped it gain a search engine position and helped lead many down the path of losing large amounts of money.

By silently fixing the article, MSNBC have contributed to the confusion as to how people were led into believing the site was legitimate. If you or your site find yourself in the position of having to amend something that you have already published online, you need to make sure that visitors can tell that you have amended the original page and at least identify what has changed. MSNBC's silent fix, without any acknowledgement that the original links might not have been appropriate, is the worst possible way to deal with things, it is even worse than leaving the information as it was - at least then people could identify where the implied legitimacy had originated from.

Just to make it clear, this is NOT THE REAL BEIJING GAMES TICKET SITE, this one is. Does it mean that the Chinese Olympic organisers have failed to secure all probable online domains before selling tickets? It is impossible to completely close off the multitude of possible domains that might be set up to try and sell tickets, so the organisers aren't really at fault for that. Could they have made more effort to secure likely domains? Probably. Then again, hindsight is always perfect.

Key to the whole incident is how trust is allocated and determined when interacting with new sites on the Internet. It actually highlights one of the biggest problems with establishing viable online trust. If a site, such as MSNBC, that you would normally otherwise trust, provides a link to a malicious site and claims it is legitimate, how would you be able to tell if the link is malicious if you had never been there before? Under almost any trust model that exists, the site would have gained trustworthy status earlier this year, when MSNBC first linked to it.

Where the trust breakdown took place was when people failed to receive their tickets and it was realised that the site was claiming ticket availability for events that had long been completely sold out. Some of the more advanced trust models that are in development (such as the one developed by Sûnnet Beskerming) would have given the site a dubious weighting, but would have struggled to offset the implied trust delivered by other sites against the Official Beijing site, which should have been the only one to offer tickets for sale.

All you need to trick people into giving you their money, it seems, is to have a flashy website and promise delivery in the future for some desirable item. If you want to find out more about the risks and what sites are scamming people, one of the best resources for those who are trying to hunt down the people behind the various scams is over at beijingticketscam.com.

This article originally appeared at Sûnnet Beskerming.

© 2008 Sûnnet Beskerming Pty. Ltd

Sûnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sûnnet Beskerming provides global reach with a local touch.

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.