A ring of ticket brokers has been indicted in connection to an elaborate hacking scheme that used bots and other fraudulent means to purchase more than 1 million tickets for concerts, sporting events and other events.
The defendants made more than $25 million in profits from the resale of the tickets between 2002 and 2009.
According to the 43-count federal indictment (.pdf) unsealed Monday in New Jersey, the defendants set up a nationwide network through which they were able to impersonate thousands of individual ticket buyers, defeating the security and fraud measures that online ticket vendors such as Ticketmaster, Musictoday and Tickets.com put in place to thwart automated ticket buying.
The defendants did business as Wiseguy Tickets and Seats of San Francisco, and used two shell companies called Smaug and Platinum Technologies to purchase IP blocks and rent servers to conduct the attacks.
Wiseguy often obtained so many premium tickets for an event that it was the leading source for the best tickets to some of the most popular events, according to prosecutors. They allegedly purchased tickets to Miley Cyrus, Barbra Streisand, Bon Jovi and Bruce Springsteen concerts, as well as tickets to the Rose Bowl football game in 2006 and the 2007 Major League Baseball playoffs at Yankee Stadium.
In 2007, the owners offered employees a 100 percent salary bonus if the company met a goal of purchasing 1 million tickets of a certain value, the authorities said.
Wiseguy co-owner Kenneth Lowson allegedly boasted to one of his contractors in 2005 that Wiseguy had purchased 882 out of 1,000 Rose Bowl tickets that had gone on sale for the 2006 championship football game. On one June day in 2006, Wiseguy also purchased about 136 tickets for Barbra Streisand's concert tour. And in September 2007, they snagged 229 premium tickets for Bruce Springsteen concerts in New Jersey, and ultimately ended up purchasing more than 11,700 Springsteen tickets that year worth about $1.3 million, the authorities said.
In 2007, they thwarted a ticket lottery set up to purchase tickets to the New York Yankee playoffs. The lottery limited purchases to two tickets per person, but Wiseguy was able to purchase 1,924 tickets worth about $159,000, the authorities said.
Also in 2007, they purchased 11,984 tickets for various Miley Cyrus/Hanna Montana concerts around the country worth about $916,000, the authorities said.
Lowson, 40, and Wiseguy co-owner Kristofer Kirsch, 37, were indicted along with Chief Financial Officer Faisal Nahdi, 36, and programmer Joel Stevenson, 37, on various counts of unauthorized computer access and wire fraud. Stevenson, who earned $150,000 as the outfit's chief computer programmer and system administrator, allegedly created significant parts of the code used to purchase the tickets and also oversaw a team of other programmers based in the United States and Bulgaria. The indictment lists the initials of three contract workers in Bulgaria who each earned between $1,000 and $1,500 a month writing code and managing the network.
Law-abiding online ticket vendors sell tickets on a first-come, first-served basis and have invested millions of dollars in architecture that queues up customers in the order they arrive to a site. This protocol reserves a ticket or block of tickets in the system for a limited time, such as 5 minutes, while the buyer decides whether to complete the purchase.
Premium tickets can sell out within 30 seconds for popular events, making it crucial where a buyer stands in the queue.
To prevent bots from purchasing tickets in bulk, online ticket vendors use CAPTCHA challenges and Proof of Work software that is designed to detect and slow down computers that are attempting to purchase large numbers of tickets. Online vendors also block IP addresses used to make bulk purchases.
According to the indictment, Lowson and Kirsch interviewed former employees of online ticket vendors to determine what measures they took to thwart automated buying and also obtained source code, in some cases through hacking. They then advertised for programmers who could bypass CAPTCHA challenges to get to the purchase page and figure out ways to defeat ticket queues to land coveted spots at the front of the line.
The perpetrators' bots monitored ticket websites and sprang into action the minute tickets went on sale, opening thousands of internet connections simultaneously, defeating both visual CAPTCHAs and audio CAPTCHAs used for visually impaired customers. The bots also filled out purchase pages with customer credit card information and fake e-mail addresses.
Ticketmaster used various means to try to thwart Wiseguy's operation, at one point switching to a service called reCAPTCHA, which is also used by Facebook. It's a third-party CAPTCHA that feeds a CAPTCHA challenge to a site's visitors. When a customer tries to purchase tickets, Ticketmaster's network sends a unique code to reCAPTCHA, which then transmits a CAPTCHA challenge to the customer.
But the perpetrators were able to thwart this as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible CAPTCHA challenges from reCAPTCHA. They identified the file ID of each CAPTCHA challenge and created a database of CAPTCHA "answers" to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, the authorities said.
The perpetrators took orders from ticket brokers, who were required to provide credit card numbers and account holder names in advance of a purchase so they could be programmed into the bot. Once the account holders received the tickets, they'd send them to Wiseguy, which would refund their credit card account. Wiseguy also had a bank of about 1,000 phone numbers that the bot submitted as customer contact numbers.
The bot would seize a block of prize seats, from which Wiseguy employees would cull the best for clients, then release unwanted seats back to the system. A legitimate ticket buyer who tried to purchase the same seats during this time might find them unavailable one minute, then available the next minute.
Photo: ladybugbkt/Flickr