Operation Ticket Heist uses over 700 domains to sell fake Olympic Games tickets

A large-scale fraud campaign with over 700 domain names is likely targeting Russian-speaking users looking to purchase tickets for the Summer Olympics in Paris.

The operation offers fake tickets to the Olympic Games and appears to take advantage of other major sports and music events.

Researchers analyzing the campaign are calling it Ticket Heist and found that some of the domains were created in 2022 and the threat actor kept registering an average of 20 new ones every month.

Overpriced fake Olympic Games tickets

In late 2023, researchers at threat intelligence company QuoIntelligence noticed increased conversation about the Olympic Games in Paris scheduled to start this July 26th.

Because the event has always been used for geopolitical influence and the International Olympic Committee’s decision to ban Russian and Belarusian athletes’ participation under their country flag, researchers kept monitoring the topic and looked for suspicious activity online.

QuoIntelligence kept an eye on specific keywords (e.g. ticket, Paris, discount, offer) used in newly registered domains and discovered operation Ticket Heist which relies on 708 domains hosting convincing websites claiming to sell valid tickets and provide accommodation options for the Olympic Games in Paris.

The first such domains discovered were ticket-paris24[.]com and tickets-paris24[.]com, the latter being a clone of the first.

“Despite minor spelling and grammar mistakes, likely due to direct translation from Russian to English, the website and its user experience were comparable to those of a high-end site” - QuoIntelligence

The user interaction that the Ticket Heist operators created for visitors appears legitimate and encourages engagement with the site and ticket selection.

Ticket Heist page for fake Olympic Games tickets
Ticket Heist page for fake Olympic Games tickets
source: QuoIntelligence

In a report today, the researchers say that the same UI framework is present across all websites related to Ticket Heist, with only minor variations in content and language making the difference between the fraudulent websites.

Apart from the design of the websites, what stands out in the scheme is the price of the fake tickets offered. QuoIntelligence notes that the prices are inflated compared to the legitimate ones.

“For example, a random event and seat location on the official website could cost less than EUR 100, whereas the same tickets and locations on the fraudulent websites were priced at a minimum of EUR 300, often reaching EUR 1,000” - QuoIntelligence

QuoIntelligence threat researcher Andrei Moldovan told BleepingComputer that while there is no confirmation, the higher prices could be part of a trick to make victims believe they get “premium treatment” for the extra money since the tickets are not available through the official distribution channels.

Alternatively, a higher price could also make victims believe that it’s a scalping operation that takes advantage of the shortage of tickets.

While trying to test their theories about the objective of Ticket Heist and to gather information that could lead to who is behind it, QuoIntelligence attempted a purchase from one of the fraudulent websites.

They found that all transactions are carried out through the Stripe payment processing platform and the money is transferred only when the card has sufficient funds.

This means that the operator’s goal is not to collect credit card information but to steal money from the victim.

Furthermore, this test also revealed the company name VIP Events Team LLC, which was created on November 26, 2021, and is still active but its website has never been indexed by public search engines.

“The domain was registered on the same day the company was formed. There are no mentions of VIP Events Team LLC on Google, social media, TrustPilot, or any other available OSINT sources” - QuoIntelligence

The researchers say that while the company appears to be based in New York, the “contact us” section on ticket-paris24[.]com lists the company behind it as located in Tbilisi, Georgia.

Analyzing the infrastructure behind the Ticket Heist operation, the researchers discovered that all the fraudulent domains were hosted at the same IP address, 179[.]43[.]166[.]54, belonging to a provider is linked to malicious activities by multiple services.

While every website has a unique SSL certificate, QuoIntelligence noticed a pattern in the structure of the domain and unique subdomain names used.

They observed that the subdomains often included jswidget, widget-frame, or widget-api, which, combined with DNS records and common JavaScript files, helped them uncover the entire network of 708 domains.

Every month, the threat actor registered an average of 20 new domains but last November the number recorded a significant increase with 50 new domains being created.

Currently, 98% of the domains linked to Ticket Heist are considered clean of malware by crowdsourced analysis services, which supports the theory that the objective is to steal directly from victims through a legitimate payment service.

Event lures and victims

The Olympic events in Paris were not the only lures in operation Ticket Heist. The fraudsters also tried to lure victims with fake tickets for the UEFA European Championship this year.

QuoIntelligence found multiple English-language websites that offered tickets for the football event.

Ticket Heist website for UEFA EURO 24 Championship
Ticket Heist website for UEFA EURO 24 Championship
source: QuoIntelligence

Additionally, the researchers discovered websites in this fraudulent activity that claimed to sell tickets to music concerts featuring famous bands like Twenty One Pilots, Iron Maiden, Metallica, Rammstein, and musicians (Bruno Mars, Ludovico Einaudi).

In these cases, the researchers say that the fake tickets were for concerts around Moscow and other major cities in Russia.

Although these pages were in English, QuoIntelligence says that most of the Ticket Heist websites were only in Russian, suggesting that Russian-speaking users were the main target of the operation.

Another indicator leading to this conclusion is the presence of contact details using phone numbers from Russian mobile services.

“Obviously, this is not 100% evidence that the intent is to target Russians-speaking individuals, but a lot of indicators and findings are pointing in this direction,” Moldovan told us.

Scam websites claiming to sell tickets for the Olympic Games in Paris have been reported before. The French National Gendarmerie warned last month that it found 338 fraudulent sites, many hosted outside the country.

In a different report, cybersecurity company Proofpoint alerted of such a website being pushed through sponsored search engine results.

On Reddit, a user complained of being scammed after trying to buy a ticket from paris24tickets[.]com.

Although QuoIntelligence couldn’t verify how the transaction was conducted because the website is no longer active, Moldovan says that based on the archived resources, the website was completely different in terms of hosting infrastructure, network configuration, and user interface.

Despite these examples, QuoIntelligence says that the Ticket Heist operation is ongoing and has not been reported in public research, showing that multiple fraudsters are trying to capitalize on the Olympic Games this year.

The threat intelligence company provides a set of indicators of compromise (IoCs) for operation Ticket Heist that the cybersecurity community can use to protect their customers.

Related Articles:

Over a thousand online shops hacked to show fake product listings

FBI: Upcoming U.S. general election fuel multiple fraud schemes

‘Pig butchering’ trading apps found on Google Play, App Store

Fraudsters imprisoned for scamming Apple out of 6,000 iPhones