Wiseguys net $25m in ticket scalping racket

Captcha busters lock out Coldplay fans

Federal prosecutors have accused four men of fraudulently obtaining more than 1.5 million concert and sporting-event tickets by hacking the computer systems of multiple vendors.

Over a six-year period, the men employed computer scripts that snapped up tickets to some of the hottest events just a fraction of a second after they went on sale, according to documents filed in US District Court in New Jersey. The scheme, which generated more than $25m in profit, froze out legitimate customers by defeating mechanisms designed to block automated purchases by scalpers.

The 43-count indictment provides a detailed account of the means the men used to fraudulently obtain huge caches of premium tickets to concerts by Bruce Springsteen, Coldplay, and last year's Sugar Bowl American college football contest. By hacking the sites' captchas and automatically submitting website forms, they completed purchases in fractions of seconds, securing them front-row seats that were impossible for most fans to obtain.

The indictment names four principals of Nevada-based Wiseguy Tickets, which from 2002 until early last year generated more than $121 million in revenue buying tickets and then reselling them at massively inflated prices. Their ability to shut out the rest of the market was so consummate that one employee allegedly warned his boss the company might suffer a backlash from ticket brokers and fans alike if it raised prices too high.

"So, whenever you think about pricing, please also think that you are a monopoly not just for your brokers, but for their clients as well - those small clients no longer have the opportunity to score on their own on the web and feel vindicated," the employee wrote in a 2007 email. "If you do 1 million in tickets in 2007, this means that 1 million people will be displaced from the seats they deserved and further 1 million will pay far more for the seat they are in than they are supposed to."

To make the hack work, Wiseguys employed OCR, or optical character recognition, technology that automated the process of solving captchas, the challenge and response puzzles designed to ensure a website form is being filled out by a human rather than a script.

At one point, engineers uncovered a weakness in the popular Recaptcha service, recently acquired by Google, which allowed them to create an "answer database" after downloading hundreds of thousands of possible challenges.

They also used huge pools of random-looking IP addresses, credit cards and email addresses to give the appearance that individuals from all over the country - rather than centralized servers maintained by Wiseguys - were purchasing tickets.
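An added example (not from the article, the indictment or any vendor's system) of detection logic for the behaviour described above: because each scripted order arrives from a different address, a per-IP rate limit sees nothing, while the time between serving the purchase form and receiving the completed order still gives the script away. The log format, both thresholds and the sample lines are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample order log (not real data): session, source IP, time the
# purchase form was served, time the completed order arrived, tickets bought.
SAMPLE_LOG = """\
s01 198.51.100.7  2010-03-01T10:00:00.050 2010-03-01T10:00:00.410 8
s02 203.0.113.19  2010-03-01T10:00:00.060 2010-03-01T10:00:00.390 8
s04 198.51.100.88 2010-03-01T10:00:01.200 2010-03-01T10:00:48.900 2
s05 203.0.113.200 2010-03-01T10:00:02.000 2010-03-01T10:01:15.300 4
s06 192.0.2.171   2010-03-01T10:00:00.080 2010-03-01T10:00:00.610 8
"""

MIN_HUMAN_SECONDS = 5.0   # assumed floor for reading a captcha and filling a form
MAX_ORDERS_PER_IP = 3     # assumed per-IP rate limit, shown for comparison


def parse(log):
    """Yield one dict per order line, with the form-to-submit time in seconds."""
    for line in log.splitlines():
        if not line.strip():
            continue
        session, ip, served, submitted, qty = line.split()
        elapsed = (datetime.fromisoformat(submitted)
                   - datetime.fromisoformat(served)).total_seconds()
        yield {"session": session, "ip": ip, "elapsed": elapsed, "qty": int(qty)}


def flag_by_ip(orders):
    """Per-IP rate limit: sessions whose source IP exceeded the order limit."""
    per_ip = Counter(o["ip"] for o in orders)
    return [o["session"] for o in orders if per_ip[o["ip"]] > MAX_ORDERS_PER_IP]


def flag_by_timing(orders):
    """Sessions that completed the form faster than a person plausibly could."""
    return [o["session"] for o in orders if o["elapsed"] < MIN_HUMAN_SECONDS]


def summarize(log=SAMPLE_LOG):
    orders = list(parse(log))
    fast = set(flag_by_timing(orders))
    return {
        "ip_flagged": flag_by_ip(orders),
        "timing_flagged": sorted(fast),
        "tickets_to_flagged": sum(o["qty"] for o in orders if o["session"] in fast),
        "tickets_total": sum(o["qty"] for o in orders),
    }
```

On the sample, the per-IP check flags no session, while the timing check flags the three sub-second orders that together took 24 of the 30 tickets sold.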

The company took special measures to defeat artists who offered ticket pre-sales to their most loyal fans. In advance of a 2007 concert by teen pop singer Miley Cyrus, Wiseguy employees registered 200 fraudulent user accounts on www.mileyworld.com using credit cards under the company's control. They went on to buy almost 12,000 tickets worth a face value of about $916,000.

Employees used the captcha bots to gobble up 12,000 tickets for various Bruce Springsteen concerts worth more than $1.2m.

The indictment names Kenneth Lowson, 40, a Wiseguys co-founder who allegedly directed programmers to write the software that purchased the tickets; Kristofer Kirsch, 37, who is accused of overseeing Wiseguys technology; Joel Stevenson, 37, an alleged computer programmer and system administrator; and Faisal Nahdi, 36, who prosecutors said was the company's chief financial officer.

The scheme targeted the world's biggest ticket vendors, including Ticketmaster, Tickets.com, Musictoday, LiveNation and Major League Baseball. All four defendants reside in California.

Lowson, Kirsch and Stevenson surrendered on Monday morning at FBI headquarters in New Jersey. Nahdi was not currently in the country and is expected to surrender to authorities in the coming weeks, prosecutors said. The indictment was returned last week and unsealed Monday morning.

The indictment charges each with one count of conspiracy to commit wire fraud and to gain unauthorized access and exceed authorized access to computer systems. It also charges them with 42 additional counts of wire fraud.

At a court hearing on Monday, a judge ordered that Lowson be detained, while Kirsch and Stevenson were freed on bail. They are scheduled to be arraigned on Tuesday, assistant US attorney Erez Liebermann said. ®
