Touts Grab Thousands of Concert Tickets via Scalper Bots

Touts Grab Thousands of Concert Tickets via Bots

Touts used ‘scalper bots’ to buy up thousands of tickets for a New York concert, and then sold them at inflated prices.

According to, the concert by country artist Luke Bryan sold out before the public had the chance to purchase, and were resold for ten times the face value.

While the venue, the Carrier Dome, and other venues have taken steps to ensure that bots have as little opportunity as possible to buy up tickets, including putting buyers in a “waiting room” and requiring human identification throughout the buying process, attackers continue to adapt and cause problems for the ticketing industry, said US Senator Charles Schumer.

“Hackers and other bad actors are taking advantage of fans and we need to put a stop to it. These bots have gotten completely out of control and are now threatening the entire live music industry as well as the ability of fans to purchase tickets at a fair price,” Schumer said. “By eliminating bots and slapping hackers with a hefty fine, we can better ensure those who want to attend shows like Luke Bryan in the future will not have to pay outrageous, unfair prices.”

Igal Zeifman, Senior Manager at Imperva for the Incapsula product line, told Infosecurity that scalper bots are one of the toughest to deal with, as the relatively high return on investment on a resold ticket is reason enough for bot operators to invest time in researching and scoping out their targets.

“This results in highly customized bots, specifically built to avoid security measures protecting the target,” he said. “Having said that, dedicated traffic filtering solutions should be able to identify scalper bots based on behavioral patterns and other tell-tale signs, such as origin IP and even minor inconsistencies in their HTTP headers.”

Paul Edon, director at Tripwire, said: “The bot network is likely to have consisted of thousands if not tens of thousands of hijacked machines and could therefore circumvent any limit on the number of tickets purchased in a single session.

“The most simple way to prevent this kind of activity is incorporating a challenge and response test such as ‘CAPTCHA’ into the sales process. CAPTCHA provides a visual test that should be fairly simple for humans to pass but which current computer programs would have great difficulty passing.”

The problem of mass buying of tickets and reselling them at inflated prices is not new, as recent instances involving Adele and Radiohead have proved. However if bots are used to purchase tickets instead of humans, it may be harder to manage. The problem of online scalping has seen ethical ticket trading websites such as Scarlet Mist established.

Richard Marks, founder of Scarlet Mist, told Infosecurity that the technology likely exists to restrict such mass purchasing, but what would be better is if primary legislation could be introduced to curtail reselling for profit.

“One way to prevent it is with strict identity controls, and Glastonbury pioneered that and your ticket has your photo and name on it, and I there is no reason why others cannot do that,” he said. “Another option is to turn up with your credit card for identity.”

Marks acknowledged that the Captcha technology is not popular and is inconvenient, but the problem with touting is that it is easy to do and make money and you can do it from your bedroom, and it is relatively low risk.

“Why the market allows this to happen is because in a normal economic market the price goes up, but tickets for Adele or Radiohead should go on sale for a price people are prepared to pay, so they are put online at a low price,” he said.

Asked why ticket retailers do not offer the service to buy back tickets, Marks said that they are worried about introducing fraud into the system, and if promoters resell a ticket then it represents a lost sale, and they would rather sell a new ticket than resell one already sold before.

Asked if there should be controls for a maximum purchase of tickets, or are bots intelligent enough to buy over and over, Zeifman said: “Restrictions in the purchasing process could help in the short-term, but bot operators tend to adapt quickly, rendering such method useless in the long-run.

“For example, a bot could be configured to sign-up and order tickets using multiple different identities. Bot attacks are highly adaptive and countering them requires the use of an equality adaptive security measures.”

Source: Information Security Magazine