So recently, I came across someone selling tickets to various gigs and events; a friend also got scammed for money when they thought they were buying.  So it got me thinking, how deep does the rabbit hole go. If you're reading this, it's a blog post that's not my regular write-up but more of an investigation and a hypothesis on the anatomy of a scam. I also put it together to raise awareness for those who read my blog and who might not be overtly technical-focused.

Hypothesis

With my mindset and naturally inquisitive of this kind of thing, I figured I'd dive a little deeper; my hypothesis of the scam is as follows:

The attacker either compromises a Ticketmaster account or associated Twitter(sometimes both), works out what tickets the person has then used a sock to sell the tickets or at least advertise them. To try to get money out of folks via Twitter DMs.

The ultimate aim is to extract money from the target using simple transactional social engineering and falsified proof.

Setup

An example tweet from one of the many accounts doing this looks like so:

A fairly benign-looking tweet of someone advertising that they want to sell their tickets for a gig; in this case, it was Chris Brown, but I've seen examples of many different types, basically anything with a large demand on Twitter and usually based in the UK.

Language Structure

Searching the language structure with structured search engine queries returned several accounts with similar operating methods. However, the accounts had been deleted or related tweets deleted. The screenshots below show some examples of the common phrase used:

I've got tickets for INSERT HERE can send via Ticketmaster; Kindly send a Dm if interested

Making Conversation

Upon making contact with the adversary, some small talk about the tickets was undertaken to try and work out what they have, how much they want, and to get some proof out of them:

In this example, the tickets retailed for £80+, so selling for half price on the afternoon of a gig wasn't unheard of, but it still is a bit of a red flag. Anyway conversation continued, and they eventually dropped off. But I did notice that the user deleted their tweets daily and then re-advertising something else, essentially rinse and repeat.

Proof Method

The adversary shows proof via a screen recording; here are two examples, in both videos, the same blurred background can be seen, and the method is to show the Twitter conversation and Gmail right next to each other to somehow prove that they have the tickets and are speaking to you:

Also note that while the blurred background is the same, the name in both examples is different, the first shows an email sent to a Dmytro. In contrast, the second is Nataliia, which plays into the suspected compromised accounts.

IOCs/Historic Accounts/Etc

The IOCs or indicators of the accounts I've found so far have been the following Twitter handles and associated bank accounts/names. The adversary typically posts once or twice per account before deleting the account and relevant tweets.

Twitter Handles

Doing a bit of analysis, I've found the following handles to have been used historically; these are no longer active, and it may well be the same account just changing their handle or having different accounts each time:

• mer_m_a
• be_a__ut__y - Current active account hxxps://twitter[.]com/be_a__ut__y
• C__Mel_1
• _fan_of_myself
• O_l_e_k1
  

Bank Details

On both occasions, I managed to get the adversary to send me bank details, both of which matched, the ACC no  has been partially obfuscated, but they were the same account on Revolut:

• Sort Code: 04-29-09
• Account Number: 030301xx
• Name on Account: Dmytro Suranov
• Bank: Revolut

The account might also have been compromised, so don't use the account as a specific IOC.

Conclusion

It's a low-level scam, but realistically, this post is more to raise awareness, and hopefully, someone at either Ticketmaster, Revolut or Twitter can look into the accounts. This post is more to raise awareness and something that piqued my interest.