Ticket Scalping: What it is, How it’s Affecting Businesses & How to Take Action

If you run an online ticketing business, you are probably familiar with ticket scalping attacks. Sadly, scalping is only the tip of the iceberg. Bots are attacking with increasing sophistication, and businesses that fail to implement robust security are at risk of facing steep losses.

This article explores the most dangerous bad bot threats directed at the ticketing industry, and the most effective ways to mitigate them with solutions that deploy quickly and easily.

What is a ticket scalper?

A ticket scalper is a type of bot specifically programmed to scalp tickets—that is, to purchase as many as possible to resell later at a high markup—to popular events such as musical concerts and sports games. Because bots can perform actions much faster than humans, they’re able to buy up huge numbers of tickets before humans can, keeping human users from purchasing tickets at reasonable prices themselves.

The Impact of Ticket Scalping Bots

In 2024, revenue from music events in the US alone is expected to reach $34 billion, and the global event ticketing market is projected to reach $85B. This kind of action attracts droves of hackers looking to steal a piece of the pie.

Cybercriminals can make some serious cash using ticket bots. One hacker scooped up 30,000 tickets to the Broadway hit “Hamilton” in 2015-2016 and another 1,000+ tickets to a U2 concert—in less than 60 seconds each time. In another attack, a malicious bot acquired 520 Beyoncé concert tickets within three minutes. Scalped tickets are often sold at markups of up to 50%, and tickets are getting more expensive every year.

Even though the BOTS Act of 2016 made ticket scalping illegal, there seems to be no letting up on this type of crime. In fact, some recent research reveals that illegal ticket buying bots now generate 40 percent of all ticketing traffic.

How Automated Ticket Buying Bot Attacks Work

  1. Choose the target. Targeted tickets are usually for highly anticipated concerts (such as Beyoncé) or sports games (like the Super Bowl). The high demand means that the cybercriminal will be able to resell scalped tickets for incredibly high prices, because they’re preventing people from purchasing their tickets at the standard price.
  2. Test the defenses and find ways around them. In the weeks (or even months) leading up to the big ticket sales, the cybercriminal will need to figure out what defenses, if any, the seller has in place. Once they know the defenses, they can find ways around them. The easiest way to test what protections are in use is by sending much smaller numbers of ticket scalpers to purchase lower demand tickets. If the defense testing traffic volume is small enough, it will probably go unnoticed alongside real human buyers.
  3. (Optional) Gather stolen credit card data to use during the attack. Using stolen payment cards means the hacker doesn’t need to use any of their own money to buy tickets to resell, making for even larger profits.
  4. When tickets are available, automatically purchase as many as possible. Cybercriminals are looking to purchase as many tickets as possible to resell, so they will attempt to find the maximum amount a single buyer is able to purchase at a time. If they’ve set up extra accounts, the bad bots will purchase as many tickets as they can on each account.
  5. Resell tickets at high markup for profit. Because human users weren’t able to grab tickets from the original seller, they’ll start looking right away for people reselling tickets online. No matter the markup, people are likely to purchase the scalped tickets because they want to attend the event.

Defense Strategies for Stopping Bot Ticket Scalping

Use an effective CAPTCHA.

Most websites use CAPTCHA challenges to separate bots from humans, which was the original idea behind them, and for many years they protected online businesses from bad bots very effectively. Most traditional CAPTCHAs, however, do not check any other signals to determine whether the party solving a challenge is a bot. As a result, up to half of passed challenges could be bots, making traditional CAPTCHAs an ineffective bot protection solution.

On top of this, CAPTCHAs add significant friction to the user journey and most have serious accessibility issues, as they rely on either text, image, or audio recognition.

Therefore, an effective CAPTCHA will be able to do the following:

  • Use a wide variety of signals to look for bots, keeping a false positive rate low.
  • Be accessible for people with any kind of impairment.
  • Be quick to load and quick to solve for any human users.
  • Consistently improve bot detection using real data gathered during CAPTCHA challenges.
  • Connect with a powerful bot detection solution to keep bad bots out and let humans in.

Establish buying limits.

A simple solution to ticket scalping is to impose a limit on the number of tickets a user can purchase in one transaction, or in one session or day, on your website. But whatever the limit is, real human customers may still need to buy more than is allowed—which can lead to upset customers.
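As an added illustration (not code from DataDome or the original post), the three limits named above can be enforced together at checkout. The limit values, identifiers and sample attempts below are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Assumed limits for illustration; the article does not prescribe values.
PER_TRANSACTION, PER_SESSION, PER_DAY = 4, 6, 8
DAY_SECONDS = 86_400


class PurchaseLimiter:
    """Enforces ticket limits per transaction, per session and per rolling day."""

    def __init__(self):
        self.session_totals = defaultdict(int)   # session_id -> tickets bought
        self.daily = defaultdict(deque)          # account_id -> (timestamp, qty)

    def check(self, now, account_id, session_id, quantity):
        """Return a decision string; the purchase is recorded only on 'ok'."""
        if quantity < 1:
            return "invalid_quantity"
        if quantity > PER_TRANSACTION:
            return "per_transaction_limit"
        if self.session_totals[session_id] + quantity > PER_SESSION:
            return "per_session_limit"
        history = self.daily[account_id]
        while history and now - history[0][0] >= DAY_SECONDS:
            history.popleft()                    # drop purchases older than 24 h
        if sum(q for _, q in history) + quantity > PER_DAY:
            return "per_day_limit"
        self.session_totals[session_id] += quantity
        history.append((now, quantity))
        return "ok"


# Constructed checkout attempts: (unix_seconds, account, session, quantity).
SAMPLE_ATTEMPTS = [
    (0, "acct-1", "sess-a", 4),
    (30, "acct-1", "sess-a", 4),
    (60, "acct-1", "sess-a", 2),
    (90, "acct-1", "sess-b", 4),
    (120, "acct-1", "sess-b", 9),
    (86_410, "acct-1", "sess-c", 4),
]


def replay(attempts):
    """Run the attempts through a fresh limiter and return each decision."""
    limiter = PurchaseLimiter()
    return [limiter.check(*attempt) for attempt in attempts]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "->", decision)
```

Limits keyed on the account do not add up across separate accounts, which is the gap the attack walkthrough describes for bots running extra accounts.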

Invest in anti-bot technology.

The most effective and simplest option is to invest in a powerful anti-bot technology to review every request on your site, root out the bots, and keep them from being able to purchase any tickets from the start. Bot protection should have a low false positive rate, look at 100% of requests rather than just snapshots of time, and constantly grow and evolve to match bots’ increasing sophistication.

DataDome’s powerful bot and online fraud protection detects and mitigates attacks on mobile apps, websites, and APIs with unparalleled accuracy and zero compromise. DataDome bot protection also includes the only user-friendly, privacy compliant, and 100% secure CAPTCHA on the market. With special protection modes geared towards events like flash sales that are likely to see scalper bots, you will be protected even during the most intense attacks.

Additional Bot Attack Risks to the Ticketing Industry

  • Denial of Inventory: Similar to ticket scalping, although no purchases are ever completed. Bots add tickets to their cart but do not check out, tying up ticket supply so real customers can’t buy them.
  • Server Overload (Denial of Service: DoS): A bot attack where massive amounts of (automated) traffic are sent to an online ticket site. The heavy traffic overwhelms server resources, leading to slow site performance or even crashes.
  • Card Fraud (a.k.a. Carding or Card Cracking): Stolen credit card numbers and credentials can be purchased on Deep Web illegal markets. These stolen cards can be used on ticketing sites to verify which ones work (carding), or to find out any missing credentials tied to the card (card cracking). Valid card numbers can be used to make illegal purchases or obtain cash.
  • Scraping: Bot-driven scraping steals listings or other content from ticketing websites, then adds it to their own sites. The victim’s ticketing website then loses visibility, visitors, and revenue flow.

How Ticketing Companies Fight Bad Bots

In the past, bot attacks were much more primitive. Web application firewalls and even manual bot filtering methods such as IP blocking could keep out the majority of malicious bots.

Today, however, advanced hackers use bots that are able to mimic human behavior very convincingly, and they can launch thousands of bots at once to overwhelm traditional security measures. By using botnet attacks and other strategies, hackers can assault a website from a wide range of IP addresses and devices. This makes detection and prevention nearly impossible to manage with in-house resources or traditional security tools.

DataDome’s Real-Time Bot Protection for Ticketing Websites, Apps, & APIs

Advanced online ticket scalping bots and other threats have reached epidemic proportions. The best defense is a scalping prevention software or strategy, such as DataDome’s Cyberfraud Protection Platform, that combats threats on multiple levels. Plus, our solution deploys in minutes, as it’s a straightforward SaaS. Here’s how it’s done:

Known Threat Identification

DataDome identifies known threats in less than 2 milliseconds. This real-time detection identifies and blocks 99 percent of all bad bot requests, based on known AI/custom rule pattern matching, bot authentication, and HTTP fingerprinting.

AI/Machine Learning (ML)

DataDome uses advanced AI/ML methods to rapidly identify new threats and decide in milliseconds whether or not to grant access. Unknown bots are identified via statistical and behavioral detection, using data from server-side fingerprints, a JS rendering engine, SDK inputs and session tracking.

Shared Intelligence

When a new malicious bot is detected on any of the domains protected by DataDome, all customer sites are automatically protected in real time.

Dashboard

DataDome’s easy-to-use dashboard enables bot activity monitoring in real time, and offers a wide range of customization options for users that want to fine-tune the application of their security policy.

How well does it work?

In one incredible case, attackers pounded a client target with over 5.7 million requests, from more than 250,000 different IP addresses, distributed across 8,000+ autonomous systems in more than 215 countries. That’s a big time attack from a serious criminal element. And DataDome stopped it cold.

Looking for the most effective and convenient protection against ticket scalping bots? Set up a free trial with DataDome now.

*** This is a Security Bloggers Network syndicated blog from DataDome Blog – DataDome authored by DataDome. Read the original post at: https://datadome.co/learning-center/how-to-stop-online-bot-ticket-scalping-and-other-ticketing-industry-bot-threats/