Original URL: http://www.theregister.co.uk/2008/08/04/olympic_ticket_scam/

Olympic ticket scammers still going for gold

Who can you trust?

By Sûnnet Beskerming

Posted in Security, 4th August 2008 16:10 GMT

In the age of the P-p-p-p-powerbook and the ubiquitous 419 scammer, it comes as no surprise that many people have fallen for a Beijing Olympics ticketing scam that seems to have hit people all across the world. Due to the rarity of tickets for the games, and the particular setup of the scam site (and others), there was a lot of money lost by many people as they struggled to get their hands on tickets that didn't exist. It is ticket scalping for the 21st century, made even more lucrative by there being no need to actually provide any tickets to the victims.

When MSNBC ran a Forbes Traveler article, initially published late February, it carried links to at least one fake ticketing site. These sites have since disappeared from the actual page, pulled sometime between the end of July and now, but it led to implied legitimacy for the site and helped it gain a search engine position and helped lead many down the path of losing large amounts of money.

By silently fixing the article, MSNBC have contributed to the confusion as to how people were led into believing the site was legitimate. If you or your site find yourself in the position of having to amend something that you have already published online, you need to make sure that visitors can tell that you have amended the original page and at least identify what has changed. MSNBC's silent fix, without any acknowledgement that the original links might not have been appropriate, is the worst possible way to deal with things, it is even worse than leaving the information as it was - at least then people could identify where the implied legitimacy had originated from.

Just to make it clear, this is NOT THE REAL BEIJING GAMES TICKET SITE, this one is. Does it mean that the Chinese Olympic organisers have failed to secure all probable online domains before selling tickets? It is impossible to completely close off the multitude of possible domains that might be set up to try and sell tickets, so the organisers aren't really at fault for that. Could they have made more effort to secure likely domains? Probably. Then again, hindsight is always perfect.

Key to the whole incident is how trust is allocated and determined when interacting with new sites on the Internet. It actually highlights one of the biggest problems with establishing viable online trust. If a site, such as MSNBC, that you would normally otherwise trust, provides a link to a malicious site and claims it is legitimate, how would you be able to tell if the link is malicious if you had never been there before? Under almost any trust model that exists, the site would have gained trustworthy status earlier this year, when MSNBC first linked to it.

Where the trust breakdown took place was when people failed to receive their tickets and it was realised that the site was claiming ticket availability for events that had long been completely sold out. Some of the more advanced trust models that are in development (such as the one developed by Sûnnet Beskerming) would have given the site a dubious weighting, but would have struggled to offset the implied trust delivered by other sites against the Official Beijing site, which should have been the only one to offer tickets for sale.

All you need to trick people into giving you their money, it seems, is to have a flashy website and promise delivery in the future for some desirable item. If you want to find out more about the risks and what sites are scamming people, one of the best resources for those who are trying to hunt down the people behind the various scams is over at beijingticketscam.com.

This article originally appeared at Sûnnet Beskerming.

© 2008 Sûnnet Beskerming Pty. Ltd

Sûnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sûnnet Beskerming provides global reach with a local touch.