Ticket Heist fraud gang uses 700 domains to sell fake Olympics tickets


A large-scale fraud campaign with over 700 domain names is likely targeting Russian-speaking users looking to purchase tickets for the Summer Olympics in Paris.

The operation offers fake tickets to the Olympic Games and appears to take advantage of other major sports and music events.

Researchers analyzing the campaign are calling it Ticket Heist and found that some of the domains were created in 2022 and the threat actor kept registering an average of 20 new ones every month.

Overpriced fake Olympic Games tickets

In late 2023, researchers at threat intelligence company QuoIntelligence noticed increased conversation about the Olympic Games in Paris scheduled to start this July 26th.

Because the event has always been used for geopolitical influence, and because of the International Olympic Committee’s decision to ban Russian and Belarusian athletes from participating under their country’s flag, researchers kept monitoring the topic and looked for suspicious activity online.

QuoIntelligence kept an eye on specific keywords (e.g. ticket, Paris, discount, offer) used in newly registered domains and discovered operation Ticket Heist which relies on 708 domains hosting convincing websites claiming to sell valid tickets and provide accommodation options for the Olympic Games in Paris.

The first such domains discovered were ticket-paris24[.]com and tickets-paris24[.]com, the latter being a clone of the first.

“Despite minor spelling and grammar mistakes, likely due to direct translation from Russian to English, the website and its user experience were comparable to those of a high-end site” – QuoIntelligence

The user interaction that the Ticket Heist operators created for visitors appears legitimate and encourages engagement with the site and ticket selection.

Ticket Heist page for fake Olympic Games tickets
source: QuoIntelligence

In a report today, the researchers say that the same UI framework is present across all websites related to Ticket Heist, with only minor variations in content and language making the difference between the fraudulent websites.

Apart from the design of the websites, what stands out in the scheme is the price of the fake tickets offered. QuoIntelligence notes that the prices are inflated compared to the legitimate ones.

“For example, a random event and seat location on the official website could cost less than EUR 100, whereas the same tickets and locations on the fraudulent websites were priced at a minimum of EUR 300, often reaching EUR 1,000” – QuoIntelligence

QuoIntelligence threat researcher Andrei Moldovan told BleepingComputer that while there is no confirmation, the higher prices could be part of a trick to make victims believe they get “premium treatment” for the extra money since the tickets are not available through the official distribution channels.

Alternatively, a higher price could also make victims believe that it’s a scalping operation that takes advantage of the shortage of tickets.

While trying to test their theories about the objective of Ticket Heist and to gather information that could lead to who is behind it, QuoIntelligence attempted a purchase from one of the fraudulent websites.

They found that all transactions are carried out through the Stripe payment processing platform and the money is transferred only when the card has sufficient funds.

This means that the operator’s goal is not to collect credit card information but to steal money from the victim.

Furthermore, this test also revealed the company name VIP Events Team LLC, which was created on November 26, 2021, and is still active but its website has never been indexed by public search engines.

“The domain was registered on the same day the company was formed. There are no mentions of VIP Events Team LLC on Google, social media, TrustPilot, or any other available OSINT sources” – QuoIntelligence

The researchers say that while the company appears to be based in New York, the “contact us” section on ticket-paris24[.]com lists the company behind it as located in Tbilisi, Georgia.

Analyzing the infrastructure behind the Ticket Heist operation, the researchers discovered that all the fraudulent domains were hosted at the same IP address, 179[.]43[.]166[.]54, belonging to a provider that is linked to malicious activities by multiple services.

While every website has a unique SSL certificate, QuoIntelligence noticed a pattern in the structure of the domain and unique subdomain names used.

They observed that the subdomains often included jswidget, widget-frame, or widget-api, which, combined with DNS records and common JavaScript files, helped them uncover the entire network of 708 domains.
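The pivot described above, combined with the keyword monitoring mentioned earlier, can be sketched as follows. This is an added example, not QuoIntelligence's tooling: the two paris24 domains and the IP address come from the article, while the `.example` hostnames, the 203.0.113.x addresses, the three-domains-per-IP threshold and the two-signal rule are assumptions made for illustration.

```python
from collections import defaultdict

KEYWORDS = ("ticket", "paris", "discount", "offer")         # keywords quoted in the article
WIDGET_LABELS = {"jswidget", "widget-frame", "widget-api"}  # subdomain labels from the article

# Constructed passive-DNS rows (hostname, resolved IP), defanged like the article's IoCs.
SAMPLE_PDNS = [
    ("ticket-paris24[.]com", "179[.]43[.]166[.]54"),
    ("widget-api.tickets-paris24[.]com", "179[.]43[.]166[.]54"),
    ("jswidget.euro-final-seats[.]example", "179[.]43[.]166[.]54"),
    ("widget-frame.concert-pass[.]example", "179[.]43[.]166[.]54"),
    ("paris-hotel-offer[.]example", "203[.]0[.]113[.]10"),
    ("widget-api.weather-cdn[.]example", "203[.]0[.]113[.]20"),
    ("www.bakery[.]example", "203[.]0[.]113[.]30"),
]

def refang(value):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b' for matching."""
    return value.replace("[.]", ".").lower().rstrip(".")

def split_host(host):
    """Return (subdomain labels, registrable domain); assumes a single-label TLD."""
    labels = host.split(".")
    return labels[:-2], ".".join(labels[-2:])

def score(rows, min_domains_per_ip=3):
    """Collect per-domain signals: keyword hit, widget subdomain, crowded shared IP."""
    signals, by_ip = defaultdict(set), defaultdict(set)
    for raw_host, raw_ip in rows:
        subs, domain = split_host(refang(raw_host))
        by_ip[refang(raw_ip)].add(domain)
        if any(k in domain for k in KEYWORDS):
            signals[domain].add("keyword")
        if WIDGET_LABELS & set(subs):
            signals[domain].add("widget-subdomain")
    for ip, domains in by_ip.items():
        if len(domains) >= min_domains_per_ip:
            for domain in domains:
                signals[domain].add("shared-ip:" + ip)
    return signals

def cluster(rows, min_signals=2):
    """Domains with at least two independent signals; one signal alone is too noisy."""
    return sorted(d for d, s in score(rows).items() if len(s) >= min_signals)

if __name__ == "__main__":
    for domain in cluster(SAMPLE_PDNS):
        print(domain.replace(".", "[.]"))  # re-defang before sharing
```

The constructed rows show why the pivot matters: two hostnames contain none of the keywords yet still join the cluster through the shared IP and widget subdomain, while a keyword-only match on an unrelated IP is left out.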

Every month, the threat actor registered an average of 20 new domains but last November the number recorded a significant increase with 50 new domains being created.

Currently, 98% of the domains linked to Ticket Heist are considered clean of malware by crowdsourced analysis services, which supports the theory that the objective is to steal directly from victims through a legitimate payment service.

Event lures and victims

The Olympic events in Paris were not the only lures in operation Ticket Heist. The fraudsters also tried to lure victims with fake tickets for the UEFA European Championship this year.
