Up to 40 percent of traffic on ticket sites is automated. Here’s why that’s bad for security.

Bad bots made up 39.9 percent of ticket-buying traffic between September and December 2018, according to Distil Networks.
ticket bots
(<a href="">James LeVeque</a>)/remixed by Greg Otto)

If you have rushed to score exclusive concert tickets online, the chances of you competing against a human are dwindling.

According to new research, nearly 40 percent of traffic to ticketing websites is made up of bots, automated programs used by brokers and cybercriminals to do everything from denying customers inventory and scalping tickets to taking over customer accounts to commit fraud.

An analysis of 26.3 billion requests from 180 websites reveals that bad bots made up 39.9 percent of ticketing traffic between September and December 2018, according to the bot mitigation company Distil Networks. Seventy-eight percent of bots evaded detection by relying on human-like behavior, and most (42.2 percent) targeted the primary ticket markets, compared to 23.9 percent that hit secondary markets.

Distil suggested this kind of bot traffic hurts ticket sellers by making it more difficult to purchase tickets, which results in frustrated fans and artists complaining on social media.


However a 2018 investigation by CBC News and the Toronto Star reported that Ticketmaster, which is owned by Live Nation, the world’s largest concert promoter, did nothing to prevent people from using ticket-buying bots and fake identities to buy and re-sell tickets on the secondary market.

One Ticketmaster representative told undercover journalists some brokers had “literally a couple hundred accounts” on the ticketing service and that was “not something that we look at or report.” The company told CBC it was “categorically untrue” it has a program in place to allow resellers to acquire large volumes of tickets.

Bot operators use the technology for more than inflating prices, though.

Hospitality agencies also use bots to continuously check venue maps for premium seats, Distil found.

Scammers also sent bots to ticketing websites in attempts to steal customer usernames and passwords, Distil reported. The thieves plug credentials stolen in previous breaches into ticket sites to steal tickets, or make off with payment information.


These attacks, known as credential stuffing, are especially effective against customers who re-use the same name and password on multiple websites. And they have become a scourge of the e-commerce industry.

The retail industry was affected by more than 115 million attempts every day to hijack user accounts between May and December last year, the security vendor Akamai said in a separate report this week. The company determined that bots can represent up to 60 percent of all internet traffic, though less than half are actually declared bots.

“The problem with bots in the retail sales sector is a systemic one,” Akamai said in its report. “They create artificial scarcity, skew sales metrics and stock trading, and hurt the retailer’s customers and investors by placing information and the retailer’s reputation at risk … Our hope is that the security teams and security professionals will continue to grow more integrated with business units and their concerns in coming years.”

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts