Feeds

Wiseguys net $25m in ticket scalping racket

Captcha busters lock out Coldplay fans

Beginner's guide to SSL certificates

Federal prosecutors have accused four men of fraudulently obtaining more than 1.5 million concert and sporting-even tickets by hacking the computer systems of multiple vendors.

Over a six-year period, the men employed computer scripts that snapped up tickets to some of the hottest events just a fraction of a second after they went on sale, according to documents filed in US District Court in New Jersey. The scheme, which generated more than $25m in profit, froze out legitimate customers by defeating mechanisms designed to block automated purchases by scalpers.

The 43-count indictment provides a detailed account into the means the men used to fraudulently obtain huge caches of premium tickets to concerts by Bruce Springsteen, Coldplay, and last year's Sugar Bowl American college football contest. By hacking the sites' captchas and automatically submitting website forms, they completed purchases in fractions of seconds, securing them front-row seats that were impossible for most fans to obtain.

The indictment names four principals of Nevada-based Wiseguy Tickets, which from 2002 until early last year generated more than $121 million in revenue buying tickets and then reselling them at massively inflated prices. Their ability to shut out the rest of market was so consummate that one employee allegedly warned his boss the company might suffer a backlash from ticket brokers and fans alike if it raised prices too high.

"So, whenever you think about pricing, please also think that you are a monopoly not just for your brokers, but for their clients as well - those small clients no longer have the opportunity to score on their own on the web and feel vindicated," the employee wrote in a 2007 email. "If you do 1 million in tickets in 2007, this means that 1 million people will be displaced from the seats they deserved and further 1 million will pay far more for the seat they are in than they are supposed to."

To make the hack work, Wiseguys employed OCR, or optical character recognition, technology that automated the process of solving captchas, the challenge and response puzzles designed to ensure a website form is being filled out by a human rather than a script.

At one point, engineers uncovered a weakness in popular Recaptcha service, recently acquired by Google, which allowed them to create an "answer database" after downloading hundreds of thousands of possible challenges.

They also used huge pools of random-looking IP addresses, credit cards and email addresses to give the appearance that individuals from all over the country - rather than centralized servers maintained by Wiseguys - were purchasing tickets.

The company took special measures to defeat artists who offered ticket pre-sales to their most loyal fans. In advance of a 2007 concert by teen pop singer Miley Cyrus, Wiseguy employees registered 200 fraudulent user accounts on www.mileyworld.com using credit cards under the company's control. They went on to buy almost 12,000 tickets worth a face value of about $916,000.

Employees used the captcha bots to gobble up 12,000 tickets for various Bruce Springsteen tickets worth more than $1.2m.

The indictment names Kenneth Lowson, 40, a Wiseguys co-founder who allegedly directed programmers to write the software that purchased the tickets; Kristofer Kirsch, 37, who is accused of overseeing Wiseguys technology; Joel Stevenson, 37, an alleged computer programmer and system administrator; and Faisal Nahdi, 36, who prosecutors said was the company's chief financial officer.

The scheme targeted the world's biggest ticket vendors, including Ticketmaster. Tickets.com, Musictoday, LiveNation and Major League Baseball. All four reside in California.

Lowson, Kirsch and Stevenson surrendered on Monday morning at FBI headquarters in New Jersey. Nahdi was not currently in the country and is expected to surrender to authorities in the coming weeks, prosecutors said. The indictment was returned last week and unsealed Monday morning.

The indictment charges each with one count of conspiracy to commit wire fraud and to gain unauthorized access and exceed authorized access to computer systems. It also charges them 42 additional counts of wire fraud.

At a court hearing on Monday, a judge ordered that Lowson be detained, while Kirsch and Stevenson were freed on bail. They are scheduled to be arraigned on Tuesday, assistant US attorney Erez Liebermann said. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.