The rise of the online ticketing bots

A new report describes the depth of criminality across online ticketing websites. I guess I was somewhat naive before I read the report, “How Bots affect ticketing,” from Distil Networks. (Registration is required.) The vendor sells anti-bot security tools, so some of what they describe is self-serving to promote their own solutions. But the picture they present is chilling and somewhat depressing.

The ticketing sites are being hit from all sides: from dishonest ticket brokers and hospitality agents who scrape details and scalp or spin the tickets, to criminals who focus on fan account takeovers to conduct credit card fraud with their ticket purchases. These scams are happening 24/7, because the bots never sleep. And there are multiple sources of ready-made bad bots that can be set loose on any ticketing platform.

You probably know what scalping is, but spinning was new to me. Basically, it involves a mechanism that appears to be an indecisive human who is selecting tickets but holding them in their cart and not paying for them. This puts the tickets in limbo, and takes them off the active marketplace just long enough that the criminals can manipulate their supply and prevent the actual people from buying them. That is what lies at the heart of the criminal ticketing bot problem: the real folks are denied their purchases, and sometimes all seats are snapped up within a few milliseconds of when they are put on sale. In many cases, fans quickly abandon the legit ticketing site and find a secondary market for their seats, which may be where the criminals want them to go. This is because the seat prices are marked up, with more profit going to the criminals. It also messes with the ticketing site’s pricing algorithms, because they don’t have an accurate picture of ticket supply.

This is a new report from Distil, focusing just on the ticketing vendors. In the past year, they have seen a rise in the sophistication of the bot owners’ methods. That is because, as with much of cybercrime, there is an arms race between defenders and the criminals, with each upping their game to get around the other. The report studied 180 different ticketing sites for a period of 105 days last fall, analyzing more than 26 billion requests.

Distil found that, averaged across all 180 sites, close to 40% of traffic was consumed by bad bots. That’s the average: many sites had far higher percentages of bad bot traffic. (See the graphic above for more details.)

Botnets aren’t only a problem with ticketing websites, of course. In an article that I wrote recently for CSOonline, I discuss how criminals have manipulated online surveys and polls. (Registration also required.) Botnets are just one of many methods to fudge the results, infect survey participants with malware, and manipulate public opinion.

So what can a ticketing site operator do to fight back? The report has several suggestions, including preventing outdated browser versions, using better Captchas, blocking known hosting providers popular with criminals, and looking carefully at sources of traffic for high bounce rates, a series of failed logins and lower conversion rates, three tells that indicate botnets.
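The three tells can be measured per traffic source from ordinary session logs. The sketch below is an added example, not code from the Distil report: the session records, source labels and thresholds are all constructed assumptions, and a source is flagged on its behaviour (at least two tells) rather than on what kind of network it is.

```python
from collections import defaultdict

# Constructed sample sessions: (source, pages_viewed, failed_logins, purchased).
# Source labels are made up; group by whatever key you log (ASN, IP range, referrer).
SESSIONS = (
    [("isp-residential", 6, 0, True)] * 2 + [("isp-residential", 4, 1, False)] * 3
    + [("isp-residential", 1, 0, False)]
    + [("hosting-a", 1, 4, False)] * 7 + [("hosting-a", 3, 0, False)]
    + [("vpn-exit", 5, 0, True)] + [("vpn-exit", 3, 0, False)] * 3
    + [("vpn-exit", 1, 0, False)]
    + [("tiny", 1, 0, False)] * 2
)

# Hypothetical thresholds; derive real ones from the site's own baseline.
MAX_BOUNCE_RATE = 0.70         # share of single-page sessions
MAX_FAILED_PER_SESSION = 1.0   # failed logins per session
MIN_CONVERSION_RATE = 0.01     # purchases per session
MIN_SESSIONS = 5               # ignore sources with too little data

def source_metrics(sessions):
    """Aggregate bounce rate, failed logins and conversion rate per source."""
    agg = defaultdict(lambda: {"n": 0, "bounces": 0, "failed": 0, "orders": 0})
    for source, pages, failed, purchased in sessions:
        a = agg[source]
        a["n"] += 1
        a["bounces"] += pages <= 1      # a bounce is a single-page session
        a["failed"] += failed
        a["orders"] += purchased
    return {
        s: {"sessions": a["n"],
            "bounce_rate": a["bounces"] / a["n"],
            "failed_per_session": a["failed"] / a["n"],
            "conversion_rate": a["orders"] / a["n"]}
        for s, a in agg.items()
    }

def suspicious_sources(sessions, min_tells=2):
    """Return {source: [tells]} for sources showing at least min_tells tells."""
    flagged = {}
    for source, m in source_metrics(sessions).items():
        if m["sessions"] < MIN_SESSIONS:
            continue                    # too few sessions to judge
        tells = []
        if m["bounce_rate"] > MAX_BOUNCE_RATE:
            tells.append("high bounce rate")
        if m["failed_per_session"] > MAX_FAILED_PER_SESSION:
            tells.append("failed logins")
        if m["conversion_rate"] < MIN_CONVERSION_RATE:
            tells.append("low conversion")
        if len(tells) >= min_tells:
            flagged[source] = tells
    return flagged
```
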

2 thoughts on “The rise of the online ticketing bots”

  1. I’ve been very aware of ticket fraud for decades now, ever since I bought a
    pair of what looked like perfectly valid tickets to a Springsteen concert
    at the Oakland Coliseum Arena back in the late 1990’s, only to discover
    that they were counterfeits.

    Luckily for me, Springsteen’s policy is to not penalize fans for the sins
    of counterfeiters, so my wife and I were actually admitted to the concert –
    but not all artists have the power to dictate such fan-friendly policies to
    major venues.

    > So what can a ticketing site operator do to fight back? The report has
    > several suggestions, including preventing outdated browser versions, using
    > better Captchas, blocking known hosting providers popular with criminals,
    > and looking carefully at sources of traffic for high bounce rates, a series
    > of failed logins and lower conversion rates, three tells that indicate
    > botnets.

    I have a serious problem with the “blocking known hosting providers popular
    with criminals” part of the strategies you list from Distil’s report. The
    thing is, that basically translates to “VPN providers” – and it means that
    those of us who routinely use a VPN to keep our ISPs from vacuuming up our
    browsing history get locked out, even though we’re completely legitimate
    ticket buyers who are only interested in getting to see the artists we
    love.

    That problem isn’t confined to ticketing sites, either. Craigslist, for
    instance, notoriously blocks traffic from major VPN servers from being able
    to view contact information from its listings. (We’ve been looking to adopt
    a suitable companion for our elderly mastador, after losing our beloved
    Miss Watson last September.) That policy is not just frustrating to
    potential buyers, either. In fact, many CL users have taken to including
    obfuscated phone numbers in their ads to get around the VPN blocks, a la
    “One23, fortyfive, 6seventy-eight9” (not a real phone number, of course).

    So that particular “solution” amounts to punishing the innocent, along with
    the guilty. And that sucks, especially for those of us who actually care
    about our privacy. It’s hard enough to fight the invasive practices of data
    brokers as it stands. Forcing us to give up one of our best weapons
    against them, because lazy “solutions” vendors recommend their clients use
    a meat axe in place of a scalpel only makes using the web for e-commerce
    harder than it ought to be.

    BTW – it wasn’t one of the Boss’s best shows. He was onstage for less than
    2.5 hours, which is a dead giveaway that he wasn’t feeling it that night.
    (I suspect that was because the Coliseum management had installed a
    cliff-face of glassed-in luxury boxes between the top and bottom tiers of
    seats since his previous appearance at the Arena, which seriously messed
    with the “church of rock’n’roll” atmosphere that’s so integral to his
    shows. In fact, right after his first number, he looked up at the 20-foot
    wall of glass, and remarked, “I thought you were supposed to come *out* of
    your room for a rock show!”)
