We frequently read stories about spammers who can circumvent CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) authentication. Using bot-infected machines, they can create a vast number of random e-mail accounts for spamming purposes.
This week, a federal judge in Newark, New Jersey, revealed the latest use of a botnet-like network with a CAPTCHA breaker. In this case, the computers overseen by the defendants were used to buy seats for high-profile concerts and sports events from ticket sellers’ websites. The defendents later allegedly resold the tickets on Internet at much higher prices.
According to the indictment, the distributed software was developed by some programmer accomplices in Bulgaria. The application defeated security measures designed to limit individual ticket purchases and snatched up the best ones. Unlike botnets we frequently encounter, this one was set up on dedicated computers designed solely for this purpose. The botnet purchased more than 1.5 million premium tickets to events from late 2002 to about January 2009, making a profit estimated at $28.9 million.
The employees, contractors, and defendants behind this rip-off are known as the “Wiseguys,” based on the name of the Nevada corporation they created (Wiseguy Tickets, Inc.). The Wiseguys botnet was a nationwide network of computers used to purchase thousands of tickets within minutes. The botnet:
- Monitored the online ticket vendors’ websites for the exact moment that tickets to popular events went on sale
- Opened thousands of connections at the instant that tickets went on sale
- Defeated the CAPTCHA challenge in a fraction of a second (a human needs five to ten seconds), thus speeding ahead of legitimate buyers
- Supervised by Wiseguys employees, prepared lists of hundreds of the best tickets almost instantly
- Filled in all the fields necessary to complete the purchases, including customer credit card information and false e-mail addresses
The indictment explains how the Wiseguys took advantage of many popular events such as the BCS college football championship game, the Barbara Streisand concert in Chicago, Hannah Montana concerts in New Jersey, and the 2008 Bruce Springsteen Tour. For this last event, the botnet was able to purchase approximately 11,800 tickets.
One of their last crimes occurred in January 2009, according to the indictment, when the botnet impersonated 1,000 individual ticket buyers for the New York Giants vs. Philadelphia Eagles NFL playoff game at Giants Stadium in East Rutherford, New Jersey.
This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. The affair demonstrates how important it is for administrators to keep watch over their networks and watch for even the slightest anomalies.
Check out this video for CNN’s coverage.