Online fraud has been particularly rife on ticketing websites, with bots doing the most damage. It’s time we learn to beat the bots!

After a long hiatus due to the global pandemic, live concerts and performances are becoming regular gigs in cities throughout Asia Pacific. For music and sports lovers, this news was a cause for celebration.

However, ticketing giant Ticketmaster recently came under fire after it botched the rollout of tickets to Taylor Swift’s tour in 2022 – a failure the company attributed to bots. In fact, such occurrences are nothing new to fans, with coveted tickets frequently snatched up by bots and scalpers.

According to a report by Imperva, the percentage of web traffic on ticketing websites attributable to bad bots has surged from 22.97% to 39.9%. Additionally, 77% of all digital attacks are now bot-based, and we cannot rely solely on legislative intervention to resolve this problem.

How then do we beat the bots in online fraud and account takeover? CybersecAsia finds out from Zach Edwards, Senior Manager of Threat Insights, HUMAN.

Bots and scalpers have been rather successful so far. “Fans want to support their favorite artists and teams,” said Edwards. “It doesn’t take a lot to convince fans to pay more for tickets when they are scarce.”


What are some of the dangers bots can pose to consumers?

Edwards: Bots are used in 77% of all digital attacks to help cybercriminals automate and scale their schemes. They have become one of the most prolific tools for cybercrime because of their increased sophistication with the uncanny ability to mimic human behavior online.

Interestingly enough, we even see bots designed to listen to music on streaming media platforms, read news articles, and of course, like and follow content on social media. Bots performing these human-like behaviors allow the attackers who control them to influence popularity, trends and even ranking algorithms. This also allows these bots to appear more human when they carry out other attacks, such as logging into bank accounts or buying concert tickets, because they have a history of human-like activity online.

Why are bot attacks on ticketing websites on the rise? How have these attacks evolved post-pandemic, and how lucrative can it be for bad actors?

Edwards: Unlike the click farms that many of us are familiar with – the bots of 5-10 years ago – most modern malicious bots come from our own malware-infected devices where malicious code runs in the background without the knowledge of the owner.

That’s right, your very own computer that you tried to purchase tickets from may have been leveraged by hackers during the attack!

How should organizations beat the bots, and prevent and mitigate online ticketing fraud?

Edwards: What’s especially important to understand is there is a bot economy that supports sophisticated organized criminal activity, allowing anyone to buy bots and use them to do just about anything online. This allows bad actor groups to function like legitimate businesses and fund other criminal schemes, and this economy is growing.

In the last six months, HUMAN Security has observed a 98% increase in bot activity used to break into username-protected accounts (also known as account takeover) compared to the six months prior.

Bots are a thriving, growing industry in and of themselves, filled with both good business models, like chatbots, and nefarious ones.

We’re a long way from having this problem under control and need more consumers and business executives advocating for new legal resources and recourse from these bot attacks.

The U.S. is leading here, but even laws like the BOTS Act of 2016 are limited in scope, as it specifically focuses on bots that target ticket sale systems. For other countries and consumers, the process to adjudicate justice is more complex, and unfortunately most countries don’t currently have explicit legislation about bots and bots used to make commercial purchases that inflate costs on consumers.

Without regulation with provisions requiring disclosure and transparency with reasonable recourse for consumers who have been harmed, organizations should prioritize a collaborative, modern defence strategy that allows them to take a stand against digital fraud and abuse and win against the cybercriminals.