While bad bots are a problem across many industries, the ticketing industry has experienced a dramatic increase in such traffic over the past couple of years. And much of that bad traffic occurs in our own backyard, with 85% of bad bots launched against ticketing companies originating in North America, according to a report released today by Distil Networks.
The report, "How Bots Affect Ticketing," also found the proportion of bad bots among ticketing companies has risen to 39.9% of all ticketing traffic. That's a notable increase from the 22.9% found in previous reports, and even that number was considered worse than the average for all industries.
Edward Roberts, director of product marketing at Distil Networks, says the number increased because of the greater number of ticketing companies included in this year's study, as well as the increase in volume of traffic analyzed.
"The sophistication of the bots and the ability of the organizations that propagate the bots to monetize them and survive as a business has also increased," Roberts says. "Whether it's brokers, scalpers, hospitality agencies, corporations, or criminals, they can lock down tickets, buy them at a cheaper price, and sell them at a premium on a secondary market."
Christopher Rodriguez, a research manager for cybersecurity products at IDC, says he has observed this kind of activity in many other industries, including retail, travel and hospitality, and financial services.
"That's why companies are looking at bot mitigation products such as from Distil, Akamai, PerimeterX, ShieldSquare, and Shape Security," Rodriguez says. "These products do device fingerprinting and tracking, looking how long a user dwells on a certain page, the movement of the mouse and how quickly they type, all in an effort to determine if the user is legitimate."
Criminals at Work
Though criminal elements are a much smaller share of the bad bot ticketing market compared with brokers, scalpers, and other companies, they seek to compromise customer accounts via credential stuffing, Distil's Roberts says.
By running stolen credentials against the login pages of ticketing platforms, bots identify the accounts where access was granted. Once inside the account, any stored tickets (usually two to four tickets at a time) can be stolen or transferred to another account. And once inside an account, any stored credit card and personal information could be stolen or used to commit fraud. The bots also steal customer loyalty points, a problem that has become prevalent with season ticket holders of European soccer teams.
"Ticketing companies need to pay attention to public data breaches because any time there's a major breach, the criminal will hit the names on that list," Roberts says. "Companies also need to consider blocking the known hosting providers for bot operators."
According to the report, ticketing has long experienced the evolution of the bot problem. As the ticketing industry moved online in the 1990s, it was the first industry to suffer from malicious bot operators using automated attacks to hold and scalp tickets. Following complaints by customers and increased pressure from artists, it was also the first industry to adopt legislation as an additional tool in the war on bad bots. In 2016, the US passed the Better Online Ticket Sales (BOTS) Act, which outlawed the resale of tickets purchased using bot technology and imposed fines. The UK, Australia, and parts of Canada have enacted similar legislation.
The latest report on the ticketing industry follows a report Distil issued last year on the airline industry, in which it found that 43.9% of all traffic on airlines websites came from bad bots, Roberts says.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.