Saturday, March 20, 2010

Wiseguys accused of defrauding online ticket systems: hacking the CAPTCHA mechanism

I am currently pursuing my "Master Thesis" and thought that this piece of work, which is also a part of my thesis (Working Title: Web Application Attacks: Modeling), was worth sharing.

Recently, the Wiseguys were accused of hacking into ticket vendors' websites and committing a fraud of more than $25 million. According to the 43-page indictment, released in early March, the Wiseguys were operating under the names Wiseguys Ticket, Seats of San Francisco, Smaug and Platinum Technologies, among others, to buy more than 1 million tickets online through automated mechanisms for resale.

Various online ticket vendors such as Ticketmaster, Telecharge, Musictoday and many more were using CAPTCHAs and Proof of Work mechanisms to prevent automated HTTP bots from buying tickets, and hence to provide a fair means of selling tickets online. However, the Wiseguys circumvented these security mechanisms to earn themselves a huge profit by capturing the tickets as soon as they came out online and reselling them to brokers at higher prices.

Let us dive into the technical details. So, how did all this work? Based on the 43-page indictment and the resources, I have drawn a general workflow of the web attack and highlighted a few details worth noticing.

Wiseguys used a widely distributed network of computers that were running bots, which were used to automate the online ticket purchasing process.

Figure 1: Wiseguys Web Hacking: Automated Ticket purchasing using bots

In Figure 1, the red arrows denote automation. Once the bots defeated the CAPTCHA, they were granted access to the ticket purchasing webpage and, again using automation, purchased millions of tickets in a few seconds. The bots would monitor the websites and seize the tickets as soon as they were offered online. They would then select the best ones from the seized lot and release the others back into the pool of available tickets. A point worth highlighting here is that during the entire time the tickets were seized by the bots, they were rendered unavailable to the public, so as to deny valid customers any opportunity of buying the good tickets.

Security Mechanisms in place by the Online Ticket Vendors
The online ticket vendors such as Ticketmaster, Telecharge, Musictoday, etc. employed various security mechanisms on their websites so as to ensure fairness and prevent bots from accessing their online purchasing feature.

These mechanisms included, but were not limited to, the following:
  1. CAPTCHA: CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) was one of the technologies used to prevent bots from accessing their websites. Most recently, the online ticket vendors used the ReCAPTCHA service to serve CAPTCHAs.
  2. Additionally, they used Proof of Work mechanisms to combat and slow down the bots that were attempting to purchase large volumes of tickets instantaneously.
  3. They would block IP addresses that seemed to be using bots for automated purchasing of tickets.

Attack Mechanisms by the Wiseguys
The Wiseguys successfully circumvented the security mechanisms that were put in place by the online ticket vendors. Their attack techniques included, but were not limited to, the following:
  1. They were running bots on thousands of computers across a nationwide distributed computer network that they deployed to perform bulk automated purchasing of the tickets. Refer to Figure 1.

    1. The bots would monitor the online ticket vendors' websites and, as soon as the ticket offers came online, they would open simultaneous connections from across the distributed computers.
    2. The bots would defeat the CAPTCHAs and Proof of Work mechanisms to gain fast automated access to the virtual queues for purchasing the tickets, as opposed to the few seconds that an average human would need to solve the mechanism's challenge. In the case of CAPTCHAs, the online ticket vendors were using the ReCAPTCHA service, which was also being used by Facebook. The steps for defeating the CAPTCHAs, in detail, were as follows:

      1. The bots impersonated would-be Facebook users and downloaded thousands of the ReCAPTCHA service's CAPTCHAs from Facebook
      2. OCR, in the case of visual CAPTCHAs, and human labor, in the case of audio CAPTCHAs, were employed to break the CAPTCHAs and get the answers to the challenges
      3. A large backend database was created where the FileIDs and the Answers were stored persistently
      4. As soon as the bots connected to the online ticket vendors' websites, and before they could purchase any tickets, they were presented with CAPTCHAs to prove themselves human. The bots would access their database and answer the challenge in a fraction of a second. Upon successful validation of the answer to the CAPTCHA challenge, the bots were granted access to the purchasing page.
    3. The bots were programmed to intentionally commit errors sometimes, so as to make the automated process appear human in nature.

  2. The Wiseguys purchased thousands of IPs (an IP bank) so as to create an illusion of different individual customers
  3. They would also lease servers anonymously so as to run "watchers" (that would monitor the online ticket vendors' websites) in a hidden manner and prevent them from being detected by the online ticket vendors
  4. They even seemed to have been using a certain mechanism to bypass the "verification" page entirely and get direct access to the "purchasing page"
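
From the vendor's side, two of the behaviours described above leave measurable traces: CAPTCHA answers returned in a fraction of a second, and large ticket holds that are mostly released again. The Python sketch below is an added example, not code from the indictment or from any vendor. The event format, session names and thresholds are assumptions, and the log is constructed.

```python
from collections import defaultdict

# Constructed sample events (not real data):
# (session, event, seconds since sale opened, ticket count)
EVENTS = [
    ("s1", "captcha_shown", 0.10, 0), ("s1", "captcha_solved", 0.35, 0),
    ("s1", "hold", 0.60, 40), ("s1", "release", 30.0, 36), ("s1", "buy", 31.0, 4),
    ("s2", "captcha_shown", 0.20, 0), ("s2", "captcha_solved", 0.48, 0),
    ("s2", "hold", 0.80, 30), ("s2", "release", 28.0, 28), ("s2", "buy", 29.0, 2),
    ("s3", "captcha_shown", 5.00, 0), ("s3", "captcha_solved", 13.4, 0),
    ("s3", "hold", 40.0, 2), ("s3", "buy", 95.0, 2),
    ("s4", "captcha_shown", 9.00, 0), ("s4", "captcha_solved", 15.1, 0),
    ("s4", "hold", 50.0, 4), ("s4", "release", 70.0, 2), ("s4", "buy", 120.0, 2),
]

MIN_HUMAN_SOLVE_S = 2.0    # assumed floor for a human reading and typing a CAPTCHA
MAX_RELEASE_RATIO = 0.75   # assumed: releasing most of a large hold is cherry-picking
MIN_HOLD_FOR_RATIO = 10    # assumed: ignore the release ratio on small holds


def score_sessions(events):
    """Return {session: [reasons]} for sessions matching the described behaviour."""
    shown, solve = {}, {}
    held, released = defaultdict(int), defaultdict(int)
    for session, kind, t, n in events:
        if kind == "captcha_shown":
            shown[session] = t
        elif kind == "captcha_solved" and session in shown:
            solve[session] = t - shown[session]   # time taken to answer
        elif kind == "hold":
            held[session] += n
        elif kind == "release":
            released[session] += n
    flagged = {}
    for session in sorted(set(solve) | set(held)):
        reasons = []
        if session in solve and solve[session] < MIN_HUMAN_SOLVE_S:
            reasons.append("captcha_solved_faster_than_human")
        if (held[session] >= MIN_HOLD_FOR_RATIO
                and released[session] / held[session] >= MAX_RELEASE_RATIO):
            reasons.append("bulk_hold_then_release")
        if reasons:
            flagged[session] = reasons
    return flagged


if __name__ == "__main__":
    for session, reasons in score_sessions(EVENTS).items():
        print(session, ", ".join(reasons))
```

Because the operation spread its traffic over thousands of IP addresses, the scoring is done per session rather than per source address.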
