Nisos
Ask the Analyst: Nisos Events and Ticket Fraud Expert Kirk Maguire
Over fifteen million visitors, including 2 million international attendees, are expected to travel to the 2024 Paris Olympics. The opening ceremony alone is estimated to have 300,000 spectators, with 220,000 attendees receiving free tickets. Unfortunately, as we have seen with the Super Bowl and the NCAA Final Four, the sheer scale of the event makes it a feast for ticket fraudsters looking to make a buck off people’s desperation to attend.
In this blog, we interview Nisos Intelligence Analyst and ticket fraud expert Kirk Maguire about what to expect before and during the 2024 Olympic games. Kirk regularly investigates cyber, physical, and reputational threats to global events. His research has contributed to ticket fraud coverage in the Detroit Free Press, Fox News, Tech Times, and the Sun.
As the event nears and people realize they want to be part of it and attend, they may seek to gain tickets through non-official streams. This may be a raffle that you would enter to be eligible for tickets. Raffles are common for international events, where the event wants to limit bias or one nation’s fans getting preference over another; it’s the luck of the draw that can drive feelings of scarcity.
Victims enter, sometimes not realizing official raffles for tickets were completed months earlier or perhaps knowing they missed out on the official raffles but feeling desperate for tickets. Out of desperation, they’ll search for tickets on social media and use avenues that are not encouraged by governing bodies and or the event organizers. That is where adversaries seek to capture victims and drive financial gain.
Most events we’ve looked at recently have had incidences of ticket fraud. That’s no surprise for big events like March Madness, the Super Bowl, and Taylor Swift concerts, but we’ve also seen if we put a call out for tickets to very niche events, we get prompt responses with offers of tickets. It doesn’t have to be a big event to be exploited. Threat actors are very opportunistic.
As soon as the adversary thinks there is an opportunity. It doesn’t have to be a real event; we’ve even made up events, and we’ve asked for tickets to events that have happened in the past – why would I need a ticket for something that happened three weeks ago? – but we still get responses from adversaries offering tickets, reassuring us, and promising tickets if we complete a money transfer.
As soon as they get the vibe that there is going to be a scarcity element, one of the principles of social engineering, they latch on to that. “I have tickets, and you won’t be able to get them anywhere else. I’ll offer you a great price.” We see all of the typical social engineering techniques we would expect to see, especially emphasizing that they can make a quick sale and get you the tickets you asked for.
I don’t know if it will, in all honesty. It’s a massive event, it’s going to get a lot of coverage, and you will get many people who want to go and will be traveling to it. If anything, it might be a little bit easier. Many adversaries generate fake tickets in Photoshop or an image editor, and for the more niche events, we can tell they have been made in a hurry. The time is wrong, the grammar and capitalization of proper nouns, etc.
If it’s a big, popular event that an adversary knows people want to attend, chances are they have created tickets already and will resend us something they have used on other victims. The size and popularity of the event means adversaries may have a wealth of resources pre-staged, avoiding the need to create ad hoc tickets as requests come in. Some threat actor groups may share content, creating tickets for, say, Boxing or the Triathlon and making them available in a shared drive.
The popularity of the Olympics also means we likely won’t have to engage directly with scammers as often because victims will start to make themselves known. We’ll look for claims online that “I’ve been scammed by this account,” and we can start digging in there.
Today, it is really about detecting potential victims rather than generating content. There is a good possibility it’s being used to tidy up messaging. Obviously, it’s likely being used to help with translation and improving grammar for adversaries, but we don’t have clear evidence.
We are confident that they are using automation for victim detection, and that’s typically based on sentence structure. So if you post a message saying, “I am looking for tickets for X event,” threat actors have automation looking for those messages and can respond right away. These groups are highly competitive, so they want to be the first to respond because chances are there will only be one opportunity to scam each victim. If you’re going to be scammed, they want to be sure that they’re the ones doing it.
They want to be the first in your inbox and the first to reply. We’ve experimented with this by structuring the sentence for a ticket request differently each time and comparing the results. A slight change in word choice or order can yield different results, suggesting an element of Artificial Intelligence may be under the hood.
It’s going to get more aggressive. Big global events like the World Cup, a rock group’s 30th reunion tour, or the next Taylor Swift concert ensure the desperation will always be there. People want to spend their disposable income on what they love. They are willing to spend time on experiences they may only get to have once or twice in a lifetime. Criminals know that.
At the same time, social media is a haven for fraud and a great opportunity for attackers to find victims. The actual techniques they ultimately use come down to traditional social engineering techniques we have seen for over a decade. As people become more aware of ticket fraud schemes, the threat actors will have to provide greater amounts of proof to establish the trust needed to complete the ruse. Some of this will be through more sophisticated fake documents, like the tickets or purchase receipts.
We also see threat actors making a greater effort to justify why they are selling the tickets, coming up with stories that convince their specific target, and engender trust. We’ve seen explanations like “My spouse is in the hospital,” or “I have to travel out of the country suddenly for work and can’t attend,”– anything to seem more legitimate and encourage the sale.
Threat actors would put the time, effort, and investment in these schemes if they weren’t succeeding at that level, which is why it has become so competitive. It’s not going away anytime soon, unfortunately.
Nisos is the Managed Intelligence Company. We are a trusted digital investigations partner, specializing in unmasking threats to protect people, organizations, and their digital ecosystems in the commercial and public sectors. Our open source intelligence services help security, intelligence, legal, and trust and safety teams make critical decisions, impose real world consequences, and increase adversary costs. For more information, visit: https://www.nisos.com.
The post Ask the Analyst: Nisos Events and Ticket Fraud Expert Kirk Maguire appeared first on Nisos by Nisos
*** This is a Security Bloggers Network syndicated blog from Nisos authored by Nisos. Read the original post at: https://www.nisos.com/blog/ask-the-analyst-ticket-fraud/