Somebody has big money invested in this for years
A theory, with first a backstory about botnets.
In 2006 I designed and delivered, as a one-man-band freelance engineer, an online selling site for a toy company, all built from scratch. I did my best at mitigating any attacks, injections, account security, hashing and seeding password details; I even wrote some big fixes for a major bank’s online credit card processing library.
I got a request for a last minute change to add shop details so that someone could find their closest shop, with photo and contact details. A quick change where the shop name was passed in the url, this argument was parsed, checked that it was not attempting to get out of its root directory (in the end, not well enough), then this argument was used to run an include of $shopname.inc, and that would be rendered to the shop details page. This ran without fault for months.
So, one day the site started running slow. SSH’d into the box; ps aux showed 2 perl scripts running from /tmp, taking up 98% CPU. Killed the processes, archived the files, rebooted as single user and archived the logs, ran several malware checks, and ended up reimaging the server and restoring the site from cold backup to be sure.
After 2 days of log analysis, looking at how the box was pwned, I ended up finding in the apache logs thousands of scans attempting to exploit known issues in known web apps and web servers. All ended with a server error as I was not running those apps or servers (server says apache, runs on Linux, let’s run IIS attacks to get to the server’s C drive...) - except one, from memory something like scan 2400 out of 6000, a direct access to one specific page on my site, no poking around to see what worked, no plugging in random values to see how the server responded, just one single bang to one direct page, all needed values present plus one ‘unexpected’ informing php to include the remote payload.
So. Rookie mistake, not realising that include() was not just a local include.
What got me was that somebody had checked the site, understood how the system went together, and crafted a tailored specific attack for a specific page on this low-volume, totally bespoke, closed-source website, not used anywhere else on the net.
I never did find any details in the available logs on how somebody poked around and identified the pages to include, so it happened over a month before, then was released and that scan was being used in a script kiddie’s automated attack package; my bug was being searched for on millions of servers around the net.
So, somebody took the time to look up the server, find a vulnerability (even if it was simple, you needed to check and test first), design the attack and package that in with a list of others, then run the attacks, running, from what I could discover, DDoS and sending spam.
I was amazed that someone took the time to find a one off vuln in a one off app, on one server so they could pwn it, and was running the same attack on other servers around the world.
Fast forward 8 years, ticket bots are on the rise when I first heard about the problem.
My theory is that some guy who was dedicated enough to do major analysis work to grab a fistful of dollars sending viagra spam on a couple of thousand pwned servers has levelled up, and is putting their resources into reverse engineering ticket sites, custom matrices to be able to get in, get around captchas and work on seat allocation.
Sell one inflated ticket and you have made 10 times more than you would ever have done pumping a few million spam emails from your botnet. Sell a thousand tickets and you are laughing. And far more legal than overt hacking. Less pain more gain.
So, how to mitigate? IP range restrictions from the major bitbarns à la BBC iPlayer? It would probably slow the automated scrapes. Better captchas would be good too, but would still be vulnerable to wetware hacking from a Bangladeshi sweatshop, paid a few cents per form filled; add some geo restrictions and order limitations per IP, and that should go some way to limit the fake purchases. Ticket naming, proof of ID with reimbursement but no exchange/resale would be the cherry on top.
But are the ticket selling sites interested in doing this or are they just doing a ‘don’t care got paid’ customer service model...?
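As an added illustration of the include() mistake the post describes (this is not the poster's code; the `shops/` directory layout and the `shop` query parameter name are assumptions), here is the user-controlled include pattern beside a hardened version that resolves the request against an allowlist of files actually on disk:

```php
<?php
// Added example, not the original site's code.
// Assumed layout: per-shop fragments live in __DIR__ . '/shops/<name>.inc'.

// VULNERABLE: whatever arrives in ?shop=... reaches include() unchanged.
// Beyond path traversal, include() accepts URLs when allow_url_include=On,
// so a remote file can be fetched and executed as PHP.
function renderShopVulnerable(string $shopname): void
{
    include $shopname . '.inc';
}

// HARDENED: never build the include path from user input. Validate the
// name, then map it onto an allowlist derived from the directory contents.
function resolveShopFragment(string $shopname, string $shopDir): ?string
{
    // Only short plain identifiers are acceptable shop names.
    if (!preg_match('/^[A-Za-z0-9_-]{1,40}$/', $shopname)) {
        return null;
    }
    // Allowlist = the .inc files actually present in the shops directory.
    $allowed = [];
    foreach (glob($shopDir . '/*.inc') ?: [] as $file) {
        $allowed[basename($file, '.inc')] = $file;
    }
    if (!isset($allowed[$shopname])) {
        return null;
    }
    // Belt and braces: the resolved path must still live under $shopDir.
    $real = realpath($allowed[$shopname]);
    $base = realpath($shopDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$fragment = resolveShopFragment($_GET['shop'] ?? '', __DIR__ . '/shops');
if ($fragment === null) {
    http_response_code(404);
    exit('Unknown shop');
}
include $fragment; // only ever a file we enumerated ourselves
```

Pair this with `allow_url_include = Off` in php.ini so that include() cannot reach remote resources at all, regardless of what the application code does.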