Wiseguys net $25m in ticket scalping racket

Captcha busters lock out Coldplay fans

Federal prosecutors have accused four men of fraudulently obtaining more than 1.5 million concert and sporting-event tickets by hacking the computer systems of multiple vendors.

Over a six-year period, the men employed computer scripts that snapped up tickets to some of the hottest events just a fraction of a second after they went on sale, according to documents filed in US District Court in New Jersey. The scheme, which generated more than $25m in profit, froze out legitimate customers by defeating mechanisms designed to block automated purchases by scalpers.

The 43-count indictment provides a detailed account of the means the men used to fraudulently obtain huge caches of premium tickets to concerts by Bruce Springsteen and Coldplay, and to last year's Sugar Bowl American college football contest. By hacking the sites' captchas and automatically submitting website forms, they completed purchases in fractions of seconds, securing them front-row seats that were impossible for most fans to obtain.

The indictment names four principals of Nevada-based Wiseguy Tickets, which from 2002 until early last year generated more than $121 million in revenue buying tickets and then reselling them at massively inflated prices. Their ability to shut out the rest of the market was so consummate that one employee allegedly warned his boss the company might suffer a backlash from ticket brokers and fans alike if it raised prices too high.

"So, whenever you think about pricing, please also think that you are a monopoly not just for your brokers, but for their clients as well - those small clients no longer have the opportunity to score on their own on the web and feel vindicated," the employee wrote in a 2007 email. "If you do 1 million in tickets in 2007, this means that 1 million people will be displaced from the seats they deserved and further 1 million will pay far more for the seat they are in than they are supposed to."

To make the hack work, Wiseguys employed OCR, or optical character recognition, technology that automated the process of solving captchas, the challenge and response puzzles designed to ensure a website form is being filled out by a human rather than a script.

At one point, engineers uncovered a weakness in the popular Recaptcha service, recently acquired by Google, which allowed them to create an "answer database" after downloading hundreds of thousands of possible challenges.

They also used huge pools of random-looking IP addresses, credit cards and email addresses to give the appearance that individuals from all over the country - rather than centralized servers maintained by Wiseguys - were purchasing tickets.

The company took special measures to defeat artists who offered ticket pre-sales to their most loyal fans. In advance of a 2007 concert by teen pop singer Miley Cyrus, Wiseguy employees registered 200 fraudulent user accounts on www.mileyworld.com using credit cards under the company's control. They went on to buy almost 12,000 tickets worth a face value of about $916,000.

Employees used the captcha bots to gobble up 12,000 tickets for various Bruce Springsteen concerts worth more than $1.2m.

The indictment names Kenneth Lowson, 40, a Wiseguys co-founder who allegedly directed programmers to write the software that purchased the tickets; Kristofer Kirsch, 37, who is accused of overseeing Wiseguys technology; Joel Stevenson, 37, an alleged computer programmer and system administrator; and Faisal Nahdi, 36, who prosecutors said was the company's chief financial officer.

The scheme targeted the world's biggest ticket vendors, including Ticketmaster, Tickets.com, Musictoday, LiveNation and Major League Baseball. All four defendants reside in California.

Lowson, Kirsch and Stevenson surrendered on Monday morning at FBI headquarters in New Jersey. Nahdi was not currently in the country and is expected to surrender to authorities in the coming weeks, prosecutors said. The indictment was returned last week and unsealed Monday morning.

The indictment charges each with one count of conspiracy to commit wire fraud and to gain unauthorized access and exceed authorized access to computer systems. It also charges them with 42 additional counts of wire fraud.

At a court hearing on Monday, a judge ordered that Lowson be detained, while Kirsch and Stevenson were freed on bail. They are scheduled to be arraigned on Tuesday, assistant US attorney Erez Liebermann said. ®
