Feeds

Wiseguys net $25m in ticket scalping racket

Captcha busters lock out Coldplay fans

Next gen security for virtualised datacentres

Federal prosecutors have accused four men of fraudulently obtaining more than 1.5 million concert and sporting-even tickets by hacking the computer systems of multiple vendors.

Over a six-year period, the men employed computer scripts that snapped up tickets to some of the hottest events just a fraction of a second after they went on sale, according to documents filed in US District Court in New Jersey. The scheme, which generated more than $25m in profit, froze out legitimate customers by defeating mechanisms designed to block automated purchases by scalpers.

The 43-count indictment provides a detailed account into the means the men used to fraudulently obtain huge caches of premium tickets to concerts by Bruce Springsteen, Coldplay, and last year's Sugar Bowl American college football contest. By hacking the sites' captchas and automatically submitting website forms, they completed purchases in fractions of seconds, securing them front-row seats that were impossible for most fans to obtain.

The indictment names four principals of Nevada-based Wiseguy Tickets, which from 2002 until early last year generated more than $121 million in revenue buying tickets and then reselling them at massively inflated prices. Their ability to shut out the rest of market was so consummate that one employee allegedly warned his boss the company might suffer a backlash from ticket brokers and fans alike if it raised prices too high.

"So, whenever you think about pricing, please also think that you are a monopoly not just for your brokers, but for their clients as well - those small clients no longer have the opportunity to score on their own on the web and feel vindicated," the employee wrote in a 2007 email. "If you do 1 million in tickets in 2007, this means that 1 million people will be displaced from the seats they deserved and further 1 million will pay far more for the seat they are in than they are supposed to."

To make the hack work, Wiseguys employed OCR, or optical character recognition, technology that automated the process of solving captchas, the challenge and response puzzles designed to ensure a website form is being filled out by a human rather than a script.

At one point, engineers uncovered a weakness in popular Recaptcha service, recently acquired by Google, which allowed them to create an "answer database" after downloading hundreds of thousands of possible challenges.

They also used huge pools of random-looking IP addresses, credit cards and email addresses to give the appearance that individuals from all over the country - rather than centralized servers maintained by Wiseguys - were purchasing tickets.

The company took special measures to defeat artists who offered ticket pre-sales to their most loyal fans. In advance of a 2007 concert by teen pop singer Miley Cyrus, Wiseguy employees registered 200 fraudulent user accounts on www.mileyworld.com using credit cards under the company's control. They went on to buy almost 12,000 tickets worth a face value of about $916,000.

Employees used the captcha bots to gobble up 12,000 tickets for various Bruce Springsteen tickets worth more than $1.2m.

The indictment names Kenneth Lowson, 40, a Wiseguys co-founder who allegedly directed programmers to write the software that purchased the tickets; Kristofer Kirsch, 37, who is accused of overseeing Wiseguys technology; Joel Stevenson, 37, an alleged computer programmer and system administrator; and Faisal Nahdi, 36, who prosecutors said was the company's chief financial officer.

The scheme targeted the world's biggest ticket vendors, including Ticketmaster. Tickets.com, Musictoday, LiveNation and Major League Baseball. All four reside in California.

Lowson, Kirsch and Stevenson surrendered on Monday morning at FBI headquarters in New Jersey. Nahdi was not currently in the country and is expected to surrender to authorities in the coming weeks, prosecutors said. The indictment was returned last week and unsealed Monday morning.

The indictment charges each with one count of conspiracy to commit wire fraud and to gain unauthorized access and exceed authorized access to computer systems. It also charges them 42 additional counts of wire fraud.

At a court hearing on Monday, a judge ordered that Lowson be detained, while Kirsch and Stevenson were freed on bail. They are scheduled to be arraigned on Tuesday, assistant US attorney Erez Liebermann said. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New twist as rogue antivirus enters death throes
That's not the website you're looking for
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.