Ticketmaster / Ticketweb hacked?

David | February 11, 2012

This afternoon I received an email with the spammy subject “Action Required : Update Your PDF Application”.  I almost ignored it until I noticed that the link inside pointed to a domain owned by Ticketmaster. As I have shopped with Ticketmaster before, perhaps this isn’t so surprising.

My first thought was that Ticketmaster had a dodgy redirect on their site, until I looked at the email and saw that it was actually sent from Ticketmaster’s network.  I have broken my current findings down below.

Update 1 day later: See the comments at the end of this post. I have also received the same email from Ticketmaster confirming that they had a security breach. However, the links are still active, which suggests they do not yet have a proper handle on this.

Update 2 days later: See my followup post.

The spam email

The first part of the email body looks like this:

INTRODUCING UPGRADED ADOBE ACROBAT READER 2012
Since the Holidays are in full swing and the New Year is approaching, we've decided to unveil our latest Adobe PDF Reader/Writer 2012 Version

http://www.2012-acrobat-adobe-download.com

The link actually points to a rather long URL:

http://smr.mm.ticketmaster.com/track?type=click&enid=ZWFzPTEmbWFpbGluZ2lkPTE0MTQzNjMmbWVzc2FnZWlkPTE0NDU0MjMmZGF0YWJhc2VpZD1EQVRBQkFTRUlEJnNlcmlhbD0xNjgxNzIzMyZlbWFpbGlkPWRhdmlkQGVkZWNhLm5ldCZ1c2VyaWQ9NTM3NzYyMzE3JmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiZodHRwOi8vd3d3LjIwMTItYWNyb2JhdC1hZG9iZS1kb3dubG9hZC5jb20v

The important headers (bearing in mind that headers can be faked) were:

Received: from dspam by mx.lionserver.co.uk with dspam-checkedid 1RwEuO-0004HV-Re
for MYEMAIL; Sat, 11 Feb 2012 15:30:40 +0000
Received: from sms1-els203-83.mm.ticketmaster.com ([209.104.36.83])
by mx.lionserver.co.uk with esmtpid 1RwEuI-0004HJ-4v
for MYEMAIL; Sat, 11 Feb 2012 15:30:40 +0000
Received: from sms2.mm.els203.clisys.tmcs ([10.75.20.210]) by sms1-els203-83.mm.ticketmaster.com (-); Sat, 11 Feb 2012 07:29:57 -0800
X-VirtualServer: Default, sms1-els203-83.mm.ticketmaster.com, 10.75.20.213
X-VirtualServerGroup: Default
X-MailingID: 16817233::1414363::DATABASEID::1445423::537762317::202579
X-SMHeaderMap: mid="X-MailingID"
X-Destination-ID: MYEMAIL
X-SMFBL: ZGF2aWRAZWRlY2EubmV0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative;
boundary="----=_NextPart_22E_57A8_7C013F27.75C101A9"
MIME-Version: 1.0
Message-ID: <16817233.202579@TICKETWEB.CO.UK>

So there is a Received header indicating this came straight from Ticketmaster’s network, plus a few Ticketmaster-specific headers. The Ticketmaster header X-SMFBL contains my email address, base64 encoded.

Mail origins

The received headers suggest this email came from 209.104.36.83. This could have been added by a spammer, so let’s check the server logs and see where it really came from:

2012-02-11 15:30:40 [16449] 1RwEuI-0004HJ-4v <= return_smverp_.16817233.1414363.DATABASEID.1445423.537762317.202579._smverp_.david=edeca.net@ab.mm.ticketmaster.com H=sms1-els203-83.mm.ticketmaster.com [209.104.36.83] P=esmtp S=6908 id=16817233.202579@TICKETWEB.CO.UK T="Action Required : Update Your PDF Application"

The mail server confirms that it did come from 209.104.36.83. That IP address is sms1-els203-83.mm.ticketmaster.com, and the netblock is registered to “Ticketmaster Online – CitySearch, Inc.”.
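The cross-check above, as an added example that is not part of the original post: only the Received hop written by our own MX is trustworthy (everything below it arrived inside the message), so the code takes that hop and compares host, IP and queue id with the Exim log line. The headers and log line are constructed sample input copied from those quoted above; OUR_MX is an assumption for this example.

```python
import re

# Constructed sample input: the headers and Exim "<=" log line quoted above.
OUR_MX = "mx.lionserver.co.uk"
HEADERS = """\
Received: from dspam by mx.lionserver.co.uk with dspam-checkedid 1RwEuO-0004HV-Re
    for MYEMAIL; Sat, 11 Feb 2012 15:30:40 +0000
Received: from sms1-els203-83.mm.ticketmaster.com ([209.104.36.83])
    by mx.lionserver.co.uk with esmtpid 1RwEuI-0004HJ-4v
    for MYEMAIL; Sat, 11 Feb 2012 15:30:40 +0000
Received: from sms2.mm.els203.clisys.tmcs ([10.75.20.210]) by sms1-els203-83.mm.ticketmaster.com (-); Sat, 11 Feb 2012 07:29:57 -0800
"""
EXIM_LOG = (
    "2012-02-11 15:30:40 [16449] 1RwEuI-0004HJ-4v <= "
    "return_smverp_.16817233.1414363.DATABASEID.1445423.537762317.202579."
    "_smverp_.david=edeca.net@ab.mm.ticketmaster.com "
    "H=sms1-els203-83.mm.ticketmaster.com [209.104.36.83] P=esmtp S=6908 "
    'id=16817233.202579@TICKETWEB.CO.UK T="Action Required : Update Your PDF Application"'
)

def first_external_hop(raw, our_mx):
    """(host, ip, queue_id) of the peer that handed the message to our own MX.
    Received headers are newest-first; the hop our MX wrote itself is the only
    one we can trust, since everything below it arrived inside the message."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # join RFC 5322 continuation lines
    for hdr in unfolded.splitlines():
        if not hdr.lower().startswith("received:"):
            continue
        m = re.search(r"from (\S+) \(\[([\d.]+)\]\) by " + re.escape(our_mx)
                      + r" .*?id (\S+)", hdr)
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None  # no hop written by our MX: nothing in the chain can be trusted

def log_peer(line):
    """(host, ip, queue_id) from an Exim '<=' (message arrived) log line."""
    m = re.search(r"^\S+ \S+ \[\d+\] (\S+) <= .*? H=(\S+) \[([\d.]+)\]", line)
    return (m.group(2), m.group(3), m.group(1)) if m else None

def headers_match_log(raw, line, our_mx=OUR_MX):
    """True only when the trusted Received hop agrees with what the MTA logged."""
    hop, logged = first_external_hop(raw, our_mx), log_peer(line)
    return hop is not None and hop == logged
```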

The embedded URL

The URL above contains a long Base64 encoded section which decodes to:

eas=1&mailingid=1414363&messageid=1445423&databaseid=DATABASEID&serial=16817233&emailid=MYEMAIL&userid=537762317&fl=&extra=MultivariateId=&&&http://www.2012-acrobat-adobe-download.com/

Much of this is again Ticketmaster specific. The messageid matches the information in the X-MailingID header above, and the final element is the redirect to the fake website.
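An added example, not from the original post, that decodes the enid blob from the tracking link, pulls out the final redirect target, and cross-checks the decoded fields against the X-MailingID and X-SMFBL headers quoted above. The link and header values are the ones on this page; the mapping of X-MailingID fields onto enid keys is an inference from those values, not documented behaviour.

```python
import base64
import re

# Values exactly as quoted in the post: the tracking link, X-MailingID and X-SMFBL.
TRACK_URL = (
    "http://smr.mm.ticketmaster.com/track?type=click&enid="
    "ZWFzPTEmbWFpbGluZ2lkPTE0MTQzNjMmbWVzc2FnZWlkPTE0NDU0MjMmZGF0YWJh"
    "c2VpZD1EQVRBQkFTRUlEJnNlcmlhbD0xNjgxNzIzMyZlbWFpbGlkPWRhdmlkQGVk"
    "ZWNhLm5ldCZ1c2VyaWQ9NTM3NzYyMzE3JmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJ"
    "ZD0mJiZodHRwOi8vd3d3LjIwMTItYWNyb2JhdC1hZG9iZS1kb3dubG9hZC5jb20v"
)
X_MAILING_ID = "16817233::1414363::DATABASEID::1445423::537762317::202579"
X_SMFBL = "ZGF2aWRAZWRlY2EubmV0"

def b64_text(s):
    """Decode base64 whose '=' padding may have been dropped (URL-safe or standard)."""
    s = s.strip().replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("utf-8", "replace")

def parse_enid(url):
    """Return (fields, redirect_target) from the enid blob: '&'-separated key=value
    pairs, then '&&&' and a bare URL that the tracker sends the click on to."""
    m = re.search(r"[?&]enid=([^&#]+)", url)  # raw, so a '+' is not turned into a space
    if not m:
        return {}, None
    fields, target = {}, None
    for part in b64_text(m.group(1)).split("&"):
        if "://" in part and "=" not in part.split("://", 1)[0]:
            target = part  # a scheme with no '=' before it: the redirect destination
        elif "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields, target

# Assumed from the values on this page: the first five X-MailingID fields equal
# serial, mailingid, databaseid, messageid and userid in the enid blob, and the
# sixth reappears in the Message-ID (<16817233.202579@...>).
MAILING_ID_FIELDS = ["serial", "mailingid", "databaseid", "messageid", "userid"]

def cross_check(url, x_mailing_id, x_smfbl):
    """Which X-MailingID fields disagree with the decoded link, whether X-SMFBL
    names the same recipient as the emailid field, and where the click lands."""
    fields, target = parse_enid(url)
    parts = x_mailing_id.split("::")
    mismatches = [n for n, v in zip(MAILING_ID_FIELDS, parts) if fields.get(n) != v]
    return {
        "target": target,
        "mismatches": mismatches,
        "recipient_matches": fields.get("emailid") == b64_text(x_smfbl),
    }
```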

The fake website

The fake website is nothing special but does use Adobe’s trademarked logos and styles heavily. The disclaimer at the bottom probably won’t get them out of this. The website only exists to point the user to an affiliate link for some PDF-related software, which has nothing to do with Adobe itself. A screenshot of the website is below (click for bigger):

Conclusion

Nothing conclusively shows that Ticketmaster have been hacked. It could be an affiliate of theirs, or a customer who has permission to send emails using the Ticketmaster service. What is clear is that it definitely came from Ticketmaster and uses their service.

Four hours after this was first reported to Ticketmaster on Twitter the link still works and some spammers somewhere are still collecting the click-through cash.

Whatever transpires, I’ll be unsubscribing.

Categories: Computing
Tags: computing, oops, security

11 Responses to “Ticketmaster / Ticketweb hacked?”

  1. Mark says:
    February 12, 2012 at 9:51 am

    Hi,

    I also received the phishing mail from TicketWeb yesterday, followed up by an alert from TicketWeb this morning. Text follows, in case you’ve not received this yourself.

    Mark
    ——————————————————————

    Dear TicketWeb Customer,

    We have discovered that our TicketWeb UK direct email marketing system was exposed to unauthorised access. As a result, you may have received up to four emails on Saturday, February the 11th, from an unauthorised party with the subject as “Action Required: Update Your PDF Application” and containing a link to update an Adobe Acrobat PDF application. Please do not click this link, but delete the email.

    We have taken immediate action to close the vulnerability. You can rest assured that none of your credit card information was vulnerable during this attack.

    We sincerely regret any inconvenience this has caused. We are continuing to investigate this unauthorised access, and will send you a follow-up email when we have additional information.

    Please contact http://www.ticketweb.co.uk/helpdesk with any questions you may have. Thank you for your understanding as we continue to resolve this concern.

  2. jennifer says:
    February 12, 2012 at 11:31 am

    DON’T open the link. I received the same email about updating my PDF application and binned it immediately. I got the following email from TicketWeb a few hours ago…

    Dear TicketWeb Customer,

    We have discovered that our TicketWeb UK direct email marketing system was exposed to unauthorised access. As a result, you may have received up to four emails on Saturday, February the 11th, from an unauthorised party with the subject as “Action Required: Update Your PDF Application” and containing a link to update an Adobe Acrobat PDF application. Please do not click this link, but delete the email.

    We have taken immediate action to close the vulnerability. You can rest assured that none of your credit card information was vulnerable during this attack.

    We sincerely regret any inconvenience this has caused. We are continuing to investigate this unauthorised access, and will send you a follow-up email when we have additional information.

  3. imaginarynumber says:
    February 12, 2012 at 12:22 pm

    When I received this I went to the ticketmaster site to report it to them. Discovered that they don’t have an email address and I refuse to pay to phone them on a phone number that generates income for them.

    So I thought “Feck Em…”

  4. Ticketmaster warns of hacked mailing list, Adobe Reader spams sent out | Cyber Crimes Unit says:
    February 13, 2012 at 6:14 pm

    [...] David Cannings, shared more information about the unauthorised TicketWeb emails, which he discovered pointed to a bogus Adobe Reader [...]

  5. KiKi says:
    February 14, 2012 at 4:44 am

    Hi David, excellent article but errrm …since you’re so knowledgeable, how exactly did you (or any of the others) intend to unsubscribe?
    When you buy an item from a retailer there is an implicit right for them to contact you with similar item offers or updates relating to your purchase.
    I accept that.
    I also make a point of unticking or ticking boxes to ensure I get no more junk mail as a result of the purchase. I specifically said Don’t share my data.
    They did or I wouldn’t have got the phishing email.
    You didn’t get that email from them because you subscribed to a mailing list. You got it because you bought something and they then sent your data to ticketmaster.com in the states and a bundle of other affiliates. (read the privacy policy)
    BTW The phishing site is also on TM’s server.
    Unsubscribing is not an option.
    Ticketmaster couldn’t give a damn about our privacy.

  6. David says:
    February 14, 2012 at 7:48 am

    KiKi, some interesting questions. In order:

    • What happened is the spammers obtained access to Ticketmaster and managed to send out an email using the Ticketmaster service itself, as if they were a genuine Ticketmaster affiliate.
    • We do not know whether email addresses were visible to the spammers when they accessed Ticketmaster. This will (I hope) be one of the key questions that the Information Commissioner asks when talking to the company.
    • The malicious site is not actually on a server operated by Ticketmaster. The link takes you through Ticketmaster’s website and redirects you to a separate site. Technical information is in the post I made earlier today.
    • There is an unsubscribe link that should remove you from future mailings from Ticketmaster or affiliates.

    So yes, whilst you are correct that all companies share/sell data for marketing reasons, that wasn’t the cause of the emails which were sent out on Saturday. It would have happened even if Ticketmaster never sold your details, because the spammers used Ticketmaster to send the email.

  7. Mick says:
    February 14, 2012 at 12:07 pm

    David

    Nice article, gin or not….

    One lesson to take away is the option to use disposable addresses (such as trashmail) when signing up to sites where you don’t necessarily want to share your real address. The disposable address works long enough to get you through the registration process but expires before you get loads of crud. Of course this won’t work where you /need/ a long term email relationship with a site, but I find it covers 90% of the use cases where some site simply wants to check that I am a person, not a bot.

    Cheers

    Mick

  8. RB says:
    February 14, 2012 at 1:20 pm

    Nice investigation. I too received these messages. Although for me, as soon as I read the words “The holidays are in full swing and the new year is approaching” my brain’s built-in spam filter kicked in, and they went straight to the trash :)

  9. KiKi says:
    February 14, 2012 at 8:27 pm

    Thanks Dave. Sadly not the case. I’m not subscribed to their mailing list. Neither are other commenters in other threads. One. (on theregister.co.uk) had already unsubscribed.
    TM are being duplicitous (damage reduction) in calling it a ‘mailing list’; it is blatantly the customer database. (If it were a mailing list unsubscribes wouldn’t be on it)

    In any case, ( I checked this with a friend who runs a venue) Ticketweb send full details of customers to the venue. No need to email them via TM’s servers and if that were the case they wouldn’t be able to email the entire database.
    (Duh! See Tickets and others would set up as affiliates straight away)

    As to whether they could see the data? I think if they were capable of accessing Ticketweb’s entire customer database (350,000 emails were sent) they would have no problem accessing the ‘sent data’ and decoding a bit of Base64.

    I’m no conspiracy theorist but this is what I think (and the reasons I think it)

    Ticketweb statement
    We have discovered that our TicketWeb UK direct email marketing system was exposed to unauthorised access. As a result, you may have received up to four emails on Saturday.

    1) “direct email marketing system” sounds a lot less damaging than the truth, which is “customer database”. If I was on their direct emailing list I’d have been getting mailouts from them before Saturday.

    2) “received up to four emails” This is a very factual/precise piece of info for someone who claims they don’t know what’s going on.

    3) The hacking was done by very clever people.
    4) The email was not designed to fool anyone with more than one brain cell.

    Logical conclusion: Not aimed at Ticketweb and probably not even aimed at Ticketmaster UK. (it was Ticketmaster.com that was hacked)

    I think they’ve used Ticketweb’s comparatively small database as an illustration of what they are capable of.
    Whether it’s political (someone like Anonymous), revenge or blackmail is anyone’s guess, but I’m pretty sure TM know the answer and equally sure they won’t be telling.

    So yes. Unsubscribe will remove you from their emailing list and No. It won’t remove you from their database.

  10. KiKi says:
    February 16, 2012 at 2:14 am

    Sorry Dave, I missed your point there because I hadn’t realised that Ticketweb routinely use Ticketmaster.com’s servers to send their mailouts.
    I’d assumed they had their own servers and the accessed data had been shared / passed to the US for other reasons.
    It only just occurred to me that you were saying this is how they normally send mail.
    A closer look shows the router/network address is the same as Ticketweb but I guess router addresses can be altered.
    Still it does suggest quite a different reason why it was only Ticketweb customers.
    Will probably turn out to be a bored /pissed off member of staff on night duty with no hacking skills at all ‘just having a laugh’

  11. På den säkra sidan – Utgåva 10 « SAFESIDE-bloggen says:
    February 16, 2012 at 1:17 pm

    [...] at Ticketmaster (CS) http://edeca.net/wp/2012/02/ticketmaster-ticketweb-hacked/ [...]
