Ticket scalping is a rather unique type of cybersecurity attacks where the attackers use bots to buy and hoard tickets to events (sports events, music shows, etc.) and then reselling them at a higher price–a thing we know as ‘scalping.’
This attack can be very dangerous for websites selling event tickets, as well as the performers. Ticket prices can inflate more than 1,000% of the initial value, which can be very harmful to fans and people who want to watch the show.
The thing is, preventing ticket scalping can be extremely difficult, and some performers have even taken ticketing totally offline as an extreme measure to prevent ticket scalping attacks. Yet, it doesn’t mean that we can’t stop ticket scalping: with the right technology and diligence in maintaining security best practices, it can be stopped.
Below, we will learn how.
Ticket Scalping Attack: All You Need To Know
The concept of ticket scalping attack isn’t something new, and has been around even before the age of the internet, as early as the 1800s: someone buys and/or hoard tickets to a performance or sports event so that ticket availability becomes more scarce, and then reselling them at an inflated price.
At the moment, the regulatory control for scalping is still fairly limited: it’s not illegal to resell something at a higher price. So, scalping belongs somewhat in a grey area.
However, what we’ll specifically discuss here is the automated scalper attacks using scalper bots. The same bot can be used in a denial of inventory attack to purchase physical products in bulk for resale. The bot can monitor many different websites (often hundreds or thousands of different sites) simultaneously and buy tickets as soon as they are available.
Automated scalping attacks typically involve three different stages:
- Drop checking: in this stage, the scalper bot monitors target websites and may also create new accounts as required. Sophisticated bots can also constantly probe social media feeds to look for more information. Also known as the ‘spinning’ stage.
- Adding to cart: pretty self-explanatory, the scalper bot automatically adds the ticket to the shopping cart. The scalper bot may also use proxies to rotate between different IP addresses and other technologies so it can make multiple purchases without being detected and bypass challenges like CAPTCHAs. Advanced attackers can use CDNs or even placing the actual server nearer to the target website’s server to minimize latency, ensuring the scalper bot is the first to add the ticket to the cart.
- Checkout: the scalper bot finalizes the purchase automatically, often using a rotating list of credit cards with different billing profiles. The more advanced the attacker is, the more complex the ‘masking’ process will be, including using different names and address formats, randomized billing profiles, etc.
To perform this attack smoothly, the attacker may also use various other technologies to:
- Rotate between fake IPs: less sophisticated attackers may use server-based IP spoofing like VPNs or TOR server connections. However, advanced attackers may use genuine residential IP addresses from official proxy services and even real computers infected by malware (botnet). There are also dedicated services that sell bulletproof residential networks.
- Spoofing device identities: it would be inefficient for the attacker to use a single computer with a single device identity for the attack, so the attacker will typically use emulator software that can emulate multiple devices with their own OSs and browsers. Sophisticated software can allow each entity to appear like a totally different device ID to avoid detection.
- Mimicking human-like behavior: like performing specific non-linear cursor movements, visiting different pages before taking action, etc.
Preventing Ticket Scalping Attacks: Invest In a Proper Bot Management Solution
Automated ticket scalping attacks rely on using bots to perform the attack in the stages we’ve discussed above. So, we can effectively prevent the attack by detecting and blocking these malicious bot activities.
However, doing so can be easier said than done due to two challenges:
- There are good bots that are beneficial for the eCommerce sites, and we wouldn’t want to accidentally block, for example, Google’s crawler bot that is responsible for indexing and ranking our site.
- Bots are getting more sophisticated at masking their identities and impersonating human behaviors while also using various technologies to rotate between different IP addresses. Thus, if we are not careful we can accidentally block legitimate human users instead.
Detecting scalper bots to prevent scalping attacks can be extremely challenging, and today’s sophisticated scalpers are extremely skilled and can quickly adopt new technologies including the latest developments of machine learning technologies to bypass your security measures.
Shopping bots can come from a lot of different IP addresses simultaneously, often including valid residential and IoT device addresses. So, traditional rule-based security measures like Wireless Application Firewalls (WAFs) are no longer effective.
Challenge-based measures like CAPTCHA may be sufficient to stop the less sophisticated scalping bots, but cybercriminals can now make use of the wide range of CAPTCHA farm services available online to bypass CAPTCHA.
To tackle these challenges, a proper anti bot protection software like DataDome is required. It offers advanced behavioral-based detection in real-time, as well as managing the bot activities accordingly in autopilot.
Preventing automated scalping attacks rely on how we can detect and mitigate the scalper bots used to perform the attack, but this can be easier said than done. With how bots are getting more sophisticated in avoiding detection and masking their identity, a specialized bot protection solut on with real-time decision-making capabilities is extremely important in stopping ticket scalping attacks effectively.