Ticketmaster / Ticketweb hacked?

This afternoon I received an email with the spammy subject Action Required : Update Your PDF Application.  I almost ignored it until I noticed that the link inside pointed to a domain owned by Ticketmaster. As I have shopped with Ticketmaster before, perhaps this isn’t so surprising.

My first thought was that Ticketmaster had a dodgy redirect on their site, until I looked at the email and saw that it was actually sent from Ticketmaster’s network.  I have broken my current findings down below.

Update 1 day later: See the comments at the end of this post. I have also received the same email from Ticketmaster confirming that they had a security breach. However the links are still active, which shows they possibly don’t have a proper handle on this yet.

Update 2 days later: See my followup post.

The spam email

The first part of the email body looks like this:

INTRODUCING UPGRADED ADOBE ACROBAT READER 2012 Since the Holidays are in full swing and the New Year is approaching, we’ve decided to unveil our latest Adobe PDF Reader/Writer 2012 Version hxxp://www.2012-acrobat-adobe-download.com

The link actually points to a rather long URL:

http://smr.mm.ticketmaster.com/track?type=click&enid=ZWFzPTEmbWFpbGluZ2lkPTE0MTQzNjMmbWVzc2FnZWlkPTE0NDU0MjMmZGF0YWJhc2VpZD1EQVRBQkFTRUlEJnNlcmlhbD0xNjgxNzIzMyZlbWFpbGlkPWRhdmlkQGVkZWNhLm5ldCZ1c2VyaWQ9NTM3NzYyMzE3JmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiZodHRwOi8vd3d3LjIwMTItYWNyb2JhdC1hZG9iZS1kb3dubG9hZC5jb20v

The important headers (which can be faked, it is important to remember) were:

Received: from dspam by mx.lionserver.co.uk with dspam-checkedid 1RwEuO-0004HV-Re
for MYEMAIL; Sat, 11 Feb 2012 15:30:40 +0000
Received: from sms1-els203-83.mm.ticketmaster.com ([209.104.36.83])
by mx.lionserver.co.uk with esmtpid 1RwEuI-0004HJ-4v
for MYEMAIL; Sat, 11 Feb 2012 15:30:40 +0000
Received: from sms2.mm.els203.clisys.tmcs ([10.75.20.210]) by sms1-els203-83.mm.ticketmaster.com (-); Sat, 11 Feb 2012 07:29:57 -0800
X-VirtualServer: Default, sms1-els203-83.mm.ticketmaster.com, 10.75.20.213
X-VirtualServerGroup: Default
X-MailingID: 16817233::1414363::DATABASEID::1445423::537762317::202579
X-SMHeaderMap: mid="X-MailingID"
X-Destination-ID: MYEMAIL
X-SMFBL: ZGF2aWRAZWRlY2EubmV0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative;
boundary="----=_NextPart_22E_57A8_7C013F27.75C101A9"
MIME-Version: 1.0
Message-ID: <[email protected]>

So there appears to be a received header indicating this came straight from Ticketmaster’s network, and a few Ticketmaster specific headers. The Ticketmaster header X-SMFBL contains my email address, base64 encoded.

Mail origins

The received headers suggest this email came from 209.104.36.83. This could have been added by a spammer, so let’s check the server logs and see where it really came from:

2012-02-11 15:30:40 [16449] 1RwEuI-0004HJ-4v <= return_smverp_.16817233.1414363.DATABASEID.1445423.537762317.202579._smverp_.david=edeca.net@ab.mm.ticketmaster.com H=sms1-els203-83.mm.ticketmaster.com [209.104.36.83] P=esmtp S=6908 [email protected] T="Action Required : Update Your PDF Application"

The mail server confirms that it did come from 209.104.36.83. That IP address is sms1-els203-83.mm.ticketmaster.com, the netblock is registered to “Ticketmaster Online - CitySearch, Inc.”.

The embedded URL

The URL above contains a long Base64 encoded section which decodes to:

eas=1&mailingid=1414363&messageid=1445423&databaseid=DATABASEID&serial=16817233&emailid=MYEMAIL&userid=537762317&fl=&extra=MultivariateId=&&&http://www.2012-acrobat-adobe-download.com/

Much of this again seems to be Ticketmaster specific. The messageid matches with the information in the X-MailingID header above. At the end is the obvious redirect to the fake website above.

The fake website

The fake website is nothing special but does use Adobe’s trademarked logos and styles heavily. The disclaimer at the bottom probably wont get them out of this. The website only exists to point the user to an affiliate link for some PDF related software, which has nothing to do with Adobe itself. A screenshot of the website is below:

Fake Adobe Website

Conclusion

Nothing conclusively shows that Ticketmaster have been hacked. It could be an affiliate of theirs, or a customer who has permission to send emails using the Ticketmaster service. What is clear is that it definitely came from Ticketmaster and uses their service.

Four hours after this was first reported to Ticketmaster on Twitter the link still works and some spammers somewhere are still collecting the click-through cash.

Whatever transpires, I’ll be unsubscribing.

David Cannings
David Cannings
Cyber Security

My interests include computer security, digital electronics and writing tools to help analysis of cyber attacks.