Skip to main content

The Globe and Mail

Bulgarian hackers charged with hacking into concert ticket sites

A few seconds after tickets went on sale for Bruce Springsteen's concert at New Jersey's Giants Stadium in the summer of 2008, half the 440 floor seats were gone - snatched by computers posing as human beings.

For Springsteen fans who were denied the best tickets to see The Boss, that was an unlucky turn of events. On Monday, American authorities called it by another term: fraud.

The U.S. Department of Justice indicted four men and accused them of masterminding a $25-million fraud ring that used computers to buy tickets from some of the biggest online retailers in the world the very instant those tickets went on sale. In the process, the department said, customers were muscled out of face-value tickets, which the four men are alleged to have re-sold at a markup through their own businesses, reaping millions in the process.

Story continues below advertisement

The indictment against the men, who allegedly ran Wiseguy Tickets, Inc., reads like the synopsis of a cybercrime novel.

There were hijacked servers, myriad shell companies and domain names, Bulgarian hackers-for-hire and employees manually creating massive databases to help computers break one of the Web's most commonly-used authentication methods.

According to the FBI, the Wiseguy ring targeted on-line ticket sites. including Ticketmaster, and Major League Baseball, re-selling some 1.5-million tickets to shows ranging from Bon Jovi to Barbara Streisand.

"The public thought it had a fair shot at getting tickets to these events, but what the public didn't know was that the defendants had cheated them out of that opportunity," U.S. attorney Paul Fishman said in a statement.

According to the indictment, the accused men worked with hackers in Bulgaria to build a network of computers to buy tickets in massive numbers.

The primary hindrance to mass purchasing is an authorization mechanism known as CAPTCHA - images of random words, usually presented in an unusual font or with lines running through the letters, that the user must re-type before proceeding. In theory, computers shouldn't be able to get by such schemes, and sites such as Ticketmaster and Facebook use them to prevent computers from logging on over and over.

To beat the system, Wiseguy staff began manually entering huge amounts of previously encountered images into a database, along with the words they represented, according to the indictment. By referencing the database, the computers could sometimes get through in fractions of a second.

Story continues below advertisement

Because users with visual impairments cannot use CAPTCHAs, many sites also include an audio version of the authentication system. The indictment states that staff also built a sort of audio database, linking sounds with the words they represented.

The accused men also allegedly went to great lengths to disguise their intent, buying hundreds of domain names and creating shell companies. Prosecutors say the computers doing the ticket-buying were programmed to sometimes make mistakes when filling out forms, so they appeared to be more human.

The four men face 43 charges ranging from wire fraud to causing damage to computers in interstate commerce. Some of the charges carry sentences of up to 20 years in prison.

Ironically, Ticketmaster - one of the sites targeted by the alleged fraud ring - just last month settled a Federal Trade Commission complaint over deceptive sales practices. According to the FTC, when fans tried to buy tickets to another Bruce Springsteen concert last year, Ticketmaster displayed a "no tickets found" page to steer consumers to a re-selling web site, where tickets sold for triple or quadruple face value.

Report an error Licensing Options
Comments are closed

We have closed comments on this story for legal reasons. For more information on our commenting policies and how our community-based moderation works, please read our Community Guidelines and our Terms and Conditions.