Security expert: Splendour ticketing glitch was more likely a prank than a hack

Splendour in the Grass punters were meant to be singing ‘Hey Ya’ this morning but many are singing a very different tune after Australia’s biggest ticketing website Moshtix was the victim of an apparent hack.

Some punters had reportedly been gouged thousands of dollars in excess credit card fees, with fears their data had potentially been stolen. When users went to buy tickets to see Outkast, Lily Allen and Two Door Cinema Club, some were greeted with the message “Buy Moshtix data lists from http://silkroad6ownowfk.onion or email [email protected]” and were charged thousands of dollars in credit card fees when making a transaction.

Moshtix have described it as an “isolated technical issue” and deny any credit card data was stolen. On Facebook, Splendour advised punters, “Under no circumstances purchase any “50% off” tickets – THEY WILL NOT BE VALID”, adding that a $1100 booking fee is “incorrect” and “only happening on invalid 50 percent off tickets.”

FL spoke to Michael McKinnon – security advisor from international antivirus and internet security company AVG – to get the low-down on the developing story and find out what likely happened, and why.

What are your initial thoughts on this, Michael?

It’s certainly very curious. It’s hard to know whether the two issues would be related or not, in terms of the ridiculous credit card fees and the message about the data lists. It may have been an innocent mistake followed by something more malicious. Sometimes we see examples of a company that really annoys some people, they make a mistake, and then all of a sudden they become a very quick target for hacking activity. It’s very unusual for a message like that to be posted on the actual site where the data may have been compromised. Normally data that’s compromised from a website wouldn’t be offered for sale from the website itself.

And that’s why to me it just seems like a little bit of a prank, if anything. Well maybe they have been hacked, it might be a bit of a confirmation message, but it’s hard to tell. Interestingly the credit card fee, in one of the examples I saw, if you divide the credit card fee by the purchase price, it works out at 2.22 percent. I don’t know what their normal fees would be, but if their normal fees would be 2.22 percent, then the incorrect credit card fee could be nothing more than a mistake in their system, as a decimal place issue. So it’s possible that Moshtix made a mistake in the process, and then either coincidentally or not someone hacked them.

Do you think that seems like the most likely scenario?

It’s hard to know. On the Moshtix site there was also talk of 50 percent off tickets. And I’m trying to piece together whether someone has created a rogue listing, for the same event, but it’s not real. I think what could’ve happened is there’s been a situation that’s occurred on Moshtix where they’ve had two duplicate listings – so they might have had a legitimate one, then someone has created another campaign with 50 percent off tickets.

Yeah, there’s no way Splendour themselves would’ve offered 50 percent off the day tickets went on sale.

There’s a statement that was made by the [Moshtix] CEO, and he basically says don’t purchase the 50 percent off tickets, and they’re all invalid. So I’m wondering if on the Moshtix website, there’s a possibility that the same event was listed twice, once by the official organisers and then once by a scammer who’s created a 50 percent off variant of the same event, but none of it’s real. I’m wondering if the event detail message, the one that gives the offer of compromised data, is on a fake listing but still hosted on the Moshtix website.

So do you think that person would’ve got credit card details and personal information?

On the face of what I’m seeing, I’m not sure that any credit card data was stolen. And the Moshtix CEO made the statement that no credit card data has been compromised, and that would seem to be reasonable on the basis that it would be Moshtix that would actually be performing the transaction.

Do you think it’s more of a prank than anything else?

Yeah, but it’s hard to say. I don’t think there’s enough information at this stage to assume anything. But the event detail information that is on one of those screenshots, that has that data offering with the “sharklasers” email address, you’d have to look at where that message came from. If that event detail can only be entered by someone from Moshtix, like an authorised employee, then they’ve probably been compromised. If however that data came from a user account then it might have even been one of the organisers of the event that have had their details compromised, and the information has been edited that way. In data compromises what we generally see is a site will have its data compromised, and that data will surface on an underground forum first for sale. It’s very very uncommon to see a blatant message on a site that says “Hey, we’ve compromised all data on this site, if you want to buy it, here’s my email.” That’s far less common to see. So I doubt someone actually has the data.

How might the attack have happened?

Most of the attacks we’re seeing these days are based on passwords that are stolen. And it’s someone who uses a stolen password to log in to a system. Now this mostly happens because people re-use the same password on multiple sites. So a password that would’ve been a Moshtix employee or one of the event organisers for example, it’s possible they might have used the same password on a different site that has been compromised, and the password has been stolen that way. Given the current state of what we see, that’s generally the most likely scenario.

What would you recommend to punters?

I think there’s a couple of issues here. I usually recommend when people are purchasing items online not to use direct debit, or debit cards. If you can, stick to using a credit card, especially if your debit card is linked to your main account that you may need to buy groceries with and do your shopping and these sorts of things. It can be very inconvenient for people to have something like this happen to them, if they’re incorrectly charged some huge amount, and all of a sudden they need to go through a process to get that money refunded, it can be very inconvenient. So typically it’s better to have a credit card for that purpose. The second recommendation is in terms of your own protection, make sure you haven’t used a password on any website where you’ve used that same password on another website. Use different passwords for everything.

In your experience is there normally recourse for people that have been victims of a hack? Do people normally get their money back?

Really at the end of the day all we’re talking about is money that’s been charged incorrectly. If it’s Moshtix’s merchant account that’s been used to charge those credit cards, I don’t think people need to be concerned at all because I’m pretty sure they’ll get their money back. There are always fraud protections available through Mastercard and Visa and these networks anyway. So I don’t think people need to be too alarmed. Financial fraud does happen, but it most commonly happens when people simply don’t check their credit card statements and there are charges that go unnoticed. That’s where the real fraud happens. When you have cases like this where you are immediately aware of some form of overcharging, you’ll always get your money back.

David Swan is a regular FL contributor and the associate editor of tech news site iTWire. Follow him on Twitter @MrDavidSwan.