Wiseguy Scalpers Bought Tickets With CAPTCHA-busting Botnet

Three California men have pleaded guilty charges they built a network of CAPTCHA-solving computers that flooded online ticket vendors and snatched up the very best seats for Bruce Springsteen concerts, Broadway productions and even TV tapings of Dancing with the Stars.

The men ran a company called Wiseguy Tickets, and for years they had an inside track on some of the best seats in the house at many events. They scored about 1.5 million tickets after hiring Bulgarian programmers to build "a nationwide network of computers that impersonated individual visitors" on websites such as Ticketmaster, MLB.com and LiveNation, the U.S. Department of Justice (DoJ) said Thursday in a press release.

Kenneth Lowson, Kristofer Kirsch, and Joel Stevenson pleaded guilty to hacking and wire fraud charges Thursday in U.S. District Court for the District of New Jersey. Lowell and Kirsch face a maximum of five years in prison. Stevenson, who pleaded guilty to just one count of hacking, faces a year. They had been indicted in February and are now set to be sentenced on March 15, 2011.

A fourth Wiseguy Tickets partner, Chief Financial Officer Faisal Nadhi, is still at large, the DoJ said.

Their scheme was remarkably successful. When Bruce Springsteen and the E Street Band played Giants Stadium in July 2008, nearly half of the 440 general admission floor tickets were snatched up by the Wiseguy Tickets network.

The network would "flood vendors computers at the exact moment that event tickets went on sale," the DoJ said. With computerized CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)-solving, the bots were able to complete transactions faster than any human, giving them an edge in snatching up tickets for the Major League Baseball playoffs, the Rose Bowl and many concerts.

They had to create shell corporations, register hundreds of fake Internet domains (one was stupidcellphone.com) and sign up for thousands of bogus e-mail addresses to make the scam work.

Wiseguy Tickets then resold the tickets to brokers, at a profit.

"These defendants made money by combining age-old fraud with new-age computer hacking," the DoJ said in its press release.

The company operated between 2002 and 2009, under names such as Wiseguys, Seats of San Francisco, Smaug, and Platinum Technologies.

The Bulgarian contractors used by Wiseguy Tickets were paid between $1,000 to $1,500 a month, the DoJ said in court filings.

The CAPTCHA test was designed to prevent this type of fraud from happening. It displays the distorted image of a word, designed to be unreadable by a computer, and asks the customer to prove that he is a human by reading it and typing in the correct work. But different CAPTCHA systems have been broken in the past by spammers and other Internet scammers.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Subscribe to the Security Watch Newsletter

Comments