Wiseguys net $25m in ticket scalping racket
Captcha busters lock out Coldplay fans
Federal prosecutors have accused four men of fraudulently obtaining more than 1.5 million concert and sporting-even tickets by hacking the computer systems of multiple vendors.
Over a six-year period, the men employed computer scripts that snapped up tickets to some of the hottest events just a fraction of a second after they went on sale, according to documents filed in US District Court in New Jersey. The scheme, which generated more than $25m in profit, froze out legitimate customers by defeating mechanisms designed to block automated purchases by scalpers.
The 43-count indictment provides a detailed account into the means the men used to fraudulently obtain huge caches of premium tickets to concerts by Bruce Springsteen, Coldplay, and last year's Sugar Bowl American college football contest. By hacking the sites' captchas and automatically submitting website forms, they completed purchases in fractions of seconds, securing them front-row seats that were impossible for most fans to obtain.
The indictment names four principals of Nevada-based Wiseguy Tickets, which from 2002 until early last year generated more than $121 million in revenue buying tickets and then reselling them at massively inflated prices. Their ability to shut out the rest of market was so consummate that one employee allegedly warned his boss the company might suffer a backlash from ticket brokers and fans alike if it raised prices too high.
"So, whenever you think about pricing, please also think that you are a monopoly not just for your brokers, but for their clients as well - those small clients no longer have the opportunity to score on their own on the web and feel vindicated," the employee wrote in a 2007 email. "If you do 1 million in tickets in 2007, this means that 1 million people will be displaced from the seats they deserved and further 1 million will pay far more for the seat they are in than they are supposed to."
To make the hack work, Wiseguys employed OCR, or optical character recognition, technology that automated the process of solving captchas, the challenge and response puzzles designed to ensure a website form is being filled out by a human rather than a script.
At one point, engineers uncovered a weakness in popular Recaptcha service, recently acquired by Google, which allowed them to create an "answer database" after downloading hundreds of thousands of possible challenges.
They also used huge pools of random-looking IP addresses, credit cards and email addresses to give the appearance that individuals from all over the country - rather than centralized servers maintained by Wiseguys - were purchasing tickets.
The company took special measures to defeat artists who offered ticket pre-sales to their most loyal fans. In advance of a 2007 concert by teen pop singer Miley Cyrus, Wiseguy employees registered 200 fraudulent user accounts on www.mileyworld.com using credit cards under the company's control. They went on to buy almost 12,000 tickets worth a face value of about $916,000.
Employees used the captcha bots to gobble up 12,000 tickets for various Bruce Springsteen tickets worth more than $1.2m.
The indictment names Kenneth Lowson, 40, a Wiseguys co-founder who allegedly directed programmers to write the software that purchased the tickets; Kristofer Kirsch, 37, who is accused of overseeing Wiseguys technology; Joel Stevenson, 37, an alleged computer programmer and system administrator; and Faisal Nahdi, 36, who prosecutors said was the company's chief financial officer.
The scheme targeted the world's biggest ticket vendors, including Ticketmaster. Tickets.com, Musictoday, LiveNation and Major League Baseball. All four reside in California.
Lowson, Kirsch and Stevenson surrendered on Monday morning at FBI headquarters in New Jersey. Nahdi was not currently in the country and is expected to surrender to authorities in the coming weeks, prosecutors said. The indictment was returned last week and unsealed Monday morning.
The indictment charges each with one count of conspiracy to commit wire fraud and to gain unauthorized access and exceed authorized access to computer systems. It also charges them 42 additional counts of wire fraud.
At a court hearing on Monday, a judge ordered that Lowson be detained, while Kirsch and Stevenson were freed on bail. They are scheduled to be arraigned on Tuesday, assistant US attorney Erez Liebermann said. ®
Sponsored: 2016 Cyberthreat defense report