Learning Social Engineering While Scoring Cheap Tickets

Many times in the social engineering framework we talk about how “Free Pizza” is not really social engineering.  Although, we still hold to that fact, there are some seriously cool things we can learn from people who have the skills to truly obtain free “stuff” and not just tricking people into giving away a free burger.  The following article was submitted by a guest writer on the topic of obtaining free admission to a concert. 

Paying full price for concert tickets is expensive and sneaking in the back door is illegal, so is there a way to get into the  concert at a lower price, and not purchase tickets from a box office/website?

One method used is known as DC or Discount. It is a linear system to gain access to cheap concert tickets. Back in 2001,  I was working for a large transportation company where I met a modest looking  accountant by the name of Stan.  This person had a reputation of being very frugal.  In  fact, he would brag about how instead of buying unsalted pretzels for $1.09, he would  buy salted pretzels for .95 and then spend time knocking off the salt in order to have unsalted pretzels.  He did all of this in the name of saving  money. 

Although Stan was known for being frugal, he loved to see expensive concerts.  His cube walls were adorned with the concert ticket stubs of Celine Dion, Elton John, Bruce Springsteen and Barbra  Streisand.  I remember seeing this and knew instantly something wasn't right.
How could this frugal accountant, who was known as a master miser, drop hundreds of dollars on concert tickets One day I asked him how he did it.  He responded, “I have my  ways” and left it at that. I never asked again; however, we were both laid off from our jobs during the  recession of 2002.  One night while job hunting at my apartment,  my cell phone rang.   It was Stan, and he wanted to go see John Cougar Mellencamp.  
I replied with a bunch of excuses like I really didn't care for his music and the tickets  were way too expensive, with floor seats starting around $75.00.  On top of that, the  concert had been sold out for months in advance, there was no way we could get in. 

He said we could get in and we are not going to pay face value for tickets. Twenty Minutes later we were on our way to the concert.  In the ride over to the concert venue, he gave me a concert seating chart and a  sign that said, “need cheap tickets.”  Once we got there, he told me to approach everyone going into the concert venue and asked them for cheap tickets.  About 1 hour  and 30 dollars later, we had floor seats, listening to the music of John Cougar  Mellencamp.  I was excited to see that we did get into the concert for way less than I ever thought possible.  We continued to go to concerts, and continued to get in for way less that the actual price.  Eventually we created a name and a process for the steps needed to do this.  We called it “Discount” or DC for short and the process was a lot simplier that one may think. 

The Market

Before DC’ing a concert, it is a good idea to see what 'The Market' is like.  The Market is basically how many tickets are listed on websites (like Ebay, Craigslist, and Ticket Express) and what are their prices.  You can also call the box office of the venue to see if there are any tickets available..  Just because a concert is “Sold Out,” doesn’t mean it is.  Sold Out is often a slick marketing term to create artificial scarcity and artificial demand.  Sometimes calling the box office, they'll tell you that so many tickets were just released to the public for purchase.   

If there are a lot of tickets listed on The Market, this means there will be a lot of extra tickets floating around the venue on the day of the show.  If there aren't a lot of tickets listed, it might mean that demand is very high, so there may not be a lot of extra tickets.  If there are any extra tickets, they may be hard to obtain at low-ball price. The only way to be certain is to go to the venue on the day of the show and start talking to people.

Time Is On Your Side. Let's say it’s the month of March and your favorite band, U2, is playing a concert in your city in December.  Much anticipation builds up for the on-sale ticket date; people queue overnight at the box office for tickets.  On the day tickets go on sale, they literally sellout in minutes, leaving many empty handed.  The concert is officially sold out. 

Or is it?  That was March.  As time moves forward, things happen in people's lives where they no longer need that ticket.  The ticket for the boyfriend, who later cheated on his girlfriend, who bought the ticket and now it is freed up to be sold.  

The ticket bought by the person who is behind on their bills and is now forced to sell.  The ticket bought by the traveling business person, now realizes he/she will be out of town...These freed up tickets either show up on websites, or The Market.  Many who are not tech savvy will come down to the concert venue to sell their tickets in person, and explain why they are selling the ticket.  So in reality, the concert really isn't sold out.
 

 

On The Ground

On the Ground refers to going to the concert venue trying to get in.  In my experience, having a team of people is better than going at it alone so that you can have multiple people cover the multiple entrances to the venue.  It is also good to get to the venue before the concert starts.  If the 1st band hits the stage at 7:30 pm, get there by 6:00 pm.  

 People on the team need to have a concert venue seating chart to see where the tickets are when dealing with people who are selling.  It is also good idea to have a cell phone with a headset that frees up your hands to inspect tickets and concert venue seating charts while talking to potential sellers.  The headset can also make it possible to communicate instantly with others on your team.  For example, if a person isn't willing to sell their ticket to you, you can communicate a description of that person to someone else on your team.  Your team member can intercept them, talk to them, and try to wear them down so that they will sell.  And another good idea is to bring a bottle of water, because your voice is going to dry up while talking to all of those people.
 
It may be a good idea to carry the cash you might spend in small bills.  Keep the amount you want to spend for a ticket in one pocket so you can easily say, “I have $30 for that ticket on me right now.”  Then keep a few extra $5’s or $10s in your wallet or another pocket.  This way, if you agree to a higher price, your not pulling out a wad of cash.

Resistance Is Futile

When using DC, the object is to get into the concert under the face value of the concert ticket.  In order to do this, you need to try and talk to everyone going into the concert venue.  In this process, some people may become angry because you are trying to low-ball them on tickets, and may resist or object selling to you for your asking price. Others may accuse you of being a scalper, especially if you start doing this a lot.  

You can reframe this situation in two ways.

The first frame you can use is that you don’t have a lot of money, but you are a serious fan and really want to see the show.  You can use phrases like, “There is no harm in asking.” and “I’m sorry if I offended you.”  Simple one-liners can calm a heated person fast.  It is important to remember to always keep smiling or at least happy.  This will put the seller at ease too.
 
The second frame you can use is to rebut the scalper claim.  Simply and calmly explain that scalpers buy tickets for $10.00 and sell them for a $100, but you just want to get in for something that won’t break your bank.  This can alleviate the worries people have.

Sometimes the people who have extra tickets may not be willing to part with them right away.  Nobody likes to be low-balled; however, time is against them, because they want to dump their ticket quickly and get on with their life.  In this case, communicate to them that you will be outside the concert venue up until a certain point and whatever they do, don't go into the concert venue with the extra ticket, without selling the ticket to you.  The scalpers call this 'eating the ticket' which mean people are going into the concert venue with an unused ticket. Remind them it would be better to go into the venue with x amount of dollars (what you are willing to pay for their ticket), than a worthless ticket. 
 

DC Hazards
When you are dealing directly with people, there will be some risks.  Some of which we have talked about above and can possibly be dealt with by reframing; however, other risks come from those who are also involved in the concert process.

Some of these issues include dealing with local law enforcement, who may accuse you of trying to scalp tickets (especially if there are local laws against this) and it is enforced.  You can always try to reframe the situation as you are a “fan” trying to get in because of lack of money.  If this doesn't work, move to another area around the concert venue and continue doing what you are doing.

Another risk is coming into contact with the ticket scalpers themselves.  They will get upset because you are cutting into their business.  I've had some of them try to get physical with me.  In this case, stand your ground and the best tactic is to move to a location in front of the scalpers. This way, you can intercept people wanting to sell their tickets before the scalpers can get to them.
     
There are also risks when dealing with people you are trying to buy tickets from. Some of them may become a bit emotional.  Remember, they are emotional because you are buying a ticket from them for $20.00, which they paid $100.00 for it.  Again, use the negotiation tactics discussed above.  If you are able to purchase tickets off people and it is assigned seating, it is recommended not to sit next to the people that you bought tickets from, because they may verbally harass you. 
 
One of the patterns I noticed from doing this is that women seem more willing to sell than men..  I've had women help me find and buy tickets, an example of this is a woman brought one of her friends up to me and said something like, “my friend needs to sell her ticket.”  If approaching men to sell tickets, they might yell out, 'get a job you bum,” or “there is no way you are going to get in like this.”
 

To recap:

  • Information Gathering - know what the prices are, where you want to sit, how many tickets are on the market and what they are going for
  • Think of ways to frame your need for a lower cost ticket that isn’t offensive to the sellers
  • Be prepared - cell phones, water, other supplies
  • Try to avoid the scalpers and try to avoid physical confrontation at all costs
  • Don’t be too pushy, but let the seller know that going in with $20-$30 is better than “eating a ticket”
  • Have fun

Chris Miller

An Invasion of Privacy

DISCLAIMER:
This is ABSOLUTELY for informational purposes ONLY. Social Engineer.org is TOTALLY not responsible for how you choose to use this information. 

This month we received a story from a person who was tired of receiving spam from a certain person.  Although this focuses on how to gather real information on real people, we by no means support using this information to harm or harass anyone.

The email that I received was not the run-of-the-mill mallware/ spambot/ whatever style email. The email was coming from his email address, using his business’s name, and advertising his business. I would have never posted this had I any doubt that this may not have actually been sent, by him, in some fashion.

I happened to receive a piece of spam at the exact moment as I was going to start a post about privacy and anonymity on the Internet. I will consider this to be a sign from God that this dude needed to be set straight. Okay, maybe not. I’m not sure what the bible says about spam, but if I were God, it would be into the pits of hell for them. So, since I cannot cast people into eternal suffering in a fiery pit, I will have to settle for second best. Pwnage!

What's even better, none of what I’m about to do is illegal. It’s a serious, serious invasion of privacy, and you definitely don’t want it to happen to you, but all of it can be harvested through public record, social networks, forum posts, etc etc etc.

First, let's take a look at the email that I received.

 ..snip..
Received: from unknown (HELO p3pismtp01-017.prod.phx3.secureserver.net) ([10.6.12.17])
(envelope-sender )
by p3plsmtp09-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for ; 7 May 2010 01:05:53 -0000
X-IronPort-Anti-Spam-Result: AjYCAOP/4kvYI8QXnGdsb2JhbACeChUBAQEBAQgLCAkRIrxZgmCCMwSDQQ
Received: from server299.com ([216.35.196.23])
by p3pismtp01-017.prod.phx3.secureserver.net with ESMTP; 06 May 2010 17:58:47 -0700
Received: (qmail 10509 invoked by uid 3287); 7 May 2010 00:58:46 -0000
Received: from 67.185.122.64
(SquirrelMail authenticated user steve)
by www.barteritemsfortrade.com with HTTP;
..snip..

Ok, so, his email address is steve@barteritemsfortrade.com.. He’s sending email through server299.com.. and his real IP address is 67.185.122.64. All we really need is his email address and his IP. Let's see what we can find.

Non-authoritative answer:
64.122.185.67.in-addr.arpa name = c-67-185-122-64.hsd1.wa.comcast.net.

Now we know that he’s connecting from Washington (wa.comcast.net). Let's see what Geo IP location says. I use this service, but there are many others. I’ve also written a few tools to do this as well, but we’re going to use what the average Joe has access to.

Just put the IP address in the box and hit “search”. Here’s what we find.

Region: Washington
City:  Spokane
Postal code: 99205

So, we’re narrowing it down.. we now know that it’s Spokane, Washington. Now we’re going to take a look at his email address. First, obviously, just google the email address. This will bring up information for virtually anything that the person has ever used their email on. Forums, social networks, etc.

In this case; however, nothing came up on Google. We must dig deeper. Enter, whois!

BIZ TWO, LLC
PO Box 8421
Spokane, Washington 99203
United States

Biz two? Does that mean there is a Biz One and a Biz Three, perhaps? Also, he’s using a PO Box.. blah.

..snip..
Administrative Contact:
Nicholas, Steve steve@bestimpressionz.com
..snip..
(509) 283-7030 Fax — (509) 456-3813
..snip..

Jackpot! We now have a last name and a phone number. We also have an additional email address/domain.

Administrative Contact:
Your Logo Here snicho@juno.com
139 west 30th Avenue
Spokane, WA 99203
US
509-456-3813 fax: 509-456-3813

Hmm.. a real address.. no PO box on this domain. Is that an office? A house? Is it his house? I can assume that ’snicho’ is short for ’steve nicholas’, and it’s the administrative contact, which means he owns the domain.. so the address has something to do with him.

Enter.. Google Maps.

Enter Google Map Fu

Well, it’s definitely not an office building, so at this point I’m going to assume that it’s his house until I find out differently. We can further verify this by googling his name + city + state.

That address looks rather familiar… oh yeah, it’s the address that was associated with his domain. We can be virtually certain at this point that that is his real address and house. Lets see who else lives in the house with him – just google the phone number listed.

Ok, so, Nancy has the same last name as Steve, so I think we can safely say that this is his wife.

We’ll come back to her later. Let's see what else we can find about Steve.. I’m really starting to feel like family at this point. 

Back when I googled his name + city + state, I noticed that below the address result, there was a LinkedIn page.

Ok, so there’s all sorts of useful information.. but I found another email address.. steve.nicholas@itex.net Not often do I meet someone with as many email addresses as me.. lol.

So, back up to the top, we google for steve.nicholas@itex.net.

Some interesting stuff, but nothing really useful for my purposes. Checking out Facebook we will see if he’s a social butterfly. I log in and “search for friends” and enter his email address(es). His account is registered with the itex.net email address.

He doesn’t have his Facebook stuff set to private, so he’s kind of letting it all hang out. Thanks, Steve!

Yawn. The only thing interesting there, is that we’ve now definitely verified that that address is correct and that his wife’s name is definitely Nancy. Maybe her page is more interesting.

Note: Passwords.. by building a profile of someone, you begin to get a feel of who they really are. I’m willing to bet that at least one of Steve’s passwords has something to do with fishing, trout, or cutthroats (type of trout – according to his facebook page).

Nancy’s Facebook:

I teach 7th & 8th graders at Salk Middle School in Spokane WA. I married Steve 27 years ago and we have 2 daughters, Susanne and Rachael. Susanne married Dan Wadkins 2 years ago and they are expecting their first child in March. Dan is an attorney and Susanne is a special education teacher. Rachael is living in Las Vegas where she teaches special education to preschoolers and kindergarten. We have an awesome family!!!!

Here’s something to take a mental note of. Women are generally more open about their personal lives and love to share with others. In one paragraph, we learn that she teaches at Salk Middle School, they’ve been married for 27 years, they have 2 daughters, Susanne and Rachael, Susanne is married to Dan Wadkins (note – this probably means that Susanne is no longer Susanne Nicholas, she’s probably Susanne Wadkins). Rachael lives in Vegas.

How ever would we find out more information about Susanne and Rachael? Oh yeah, friends lists. If the parents have Facebook, the kids most certainly have Facebook.. and barring any family drama, they’ll all be on each others friends lists. And, of course, I’m right.. found Rachael, Dan, and Susanne.

Also, going through her wall posts gave up some information. They’re new grandparents.. their granddaughter Lola was born on March 15th.. this was Dan and Susanne’s daughter.

What does Intelius says about Nancy (note – I skipped Steve on Intelius because his entry is all screwed up.)

Now we have ages, too. It’s interesting that there’s a “Ralph Steve Nicholas” listed, who has the same age as the other two Steve’s listed. Could Steve’s real name be Ralph??

Just about every county in the country allows you to view property tax records on the internet. I googled “spokane washington property tax records”. What you’re looking for is the assessor’s home page then just punch in the address and you can find a wealth of information.

What this record tells us, is that Nancy actually owns the home.. Steve isn’t even listed. She’s also the sole person listed paying the property taxes. Interesting.. I wonder why?

Also, further down on the report, there’s two documents. A quit claim deed, and a statutory warranty deed. A warranty deed is issued in some states when a house is sold. It protects the buyer from having third parties come after them for unpaid debts and whatever. So, it appears as though they bought the house in 2001 for $110,000? Seems awfully low.

Now, lets look at the quit claim deed. First thing I notice, R Steve Nicholas is listed as “Husband of Grantee” I think Steve’s real name is Ralph. lol.

This is interesting.. quit claim deeds are used after a divorce to switch the owner of a property from one party to another at the county level. But they’re still married. The other times that I’ve seen quit claim deeds used is when people encounter serious financial trouble and need to file bankruptcy. They file independently and deed the house to their spouse.

I am not going to tell you what service I use to obtain this information because I don’t want it to get abused and taken away. Also, I don’t think everyone should have access to it. SO.

91-40727 Ralph Steven Nicholas and Nancy Lynn Nicholas
Case type: bk Chapter: 7 Asset: No Vol: v Judge: John C. Minahan Jr.
Date filed: 05/08/1991 Date of last filing: 02/11/1993
Date terminated: 02/11/1993

Ok, so they did a joint bankruptcy in ‘91 and it was discharged in ‘93. I also have a list of their creditors.. no wonder they filed bankruptcy. Ouch.

One other piece of information that this offers, is previous addresses and the last 4 digits of their social security numbers. Keep in mind, a lot of people use the last 4 digits of their social for pin numbers.. because most pin numbers are limited to 4 digits. Stupid.

UPDATE: I’ve decided to X out the social security numbers because this post is starting to receive a ton of traffic and I’m not sure I want everyone visiting it to have this information. My intention of this article is not to make it easy to steal this guys identity.. it’s to point out a vulnerability. If you really want to find his social security number, it’s available via the internet. 

Debtor
Ralph Steven Nicholas
6747 Crooked Creek Dr.
Lincoln, NE 68516
SSN / ITIN: xxx-xx-xxxx

Debtor
Nancy Lynn Nicholas
6747 Crooked Creek Dr.
Lincoln, NE 68516
SSN / ITIN: xxx-xx-xxxx

Here’s something to really think about.. I was able to obtain all of the information in this post for 16 cents and by just using an email and IP address from a piece of spam.

Family members, ages, schools, anniversary dates, marriage lengths, hobbies, interests, phone numbers, addresses, property records, property taxes, pictures of their house, pictures of them, pictures of their children and grandchildren, deeds on their house, bankruptcies, employment history, previous addresses, previous creditors, and bits of social security numbers.

I’m pretty sure I’d be able to fake my way through one of those password reset forms.. you know, where you set up a “secret question” asking what your dog's name was, or where you went to school?

Beyond that, I’m fairly confident that at this point, if I were to call his bank and pretend to be him, I could easily pass when they asked me personal questions.

In closing.. you really need to pay close attention to what you’re posting on the internet. If I were a douche, I could ruin this guy's life using this information. There are a lot of douches out there that are doing this type of stuff right now. Given an email address, phone number, or whatever, they build profiles on people which can be used to exploit them and steal identities.

The other thing that I’ve actually fallen victim to, is the speed of Google’s spiders and the fact that they index Craigslist. Let's say you run a business.. Catholic Charities R Us and in this post, you include an email address, phone number, something. Lets say you also make a post, days, weeks, whatever, later looking for whores, or something. Both of those posts will come up when Googling for your phone number.

Also, consider what you’re sending in this email. What if this guy had sent me an email trying to extort me, threaten me, whatever? I could turn this over to the authorities and they’d have their work cut out for them.

Not to try to scare people too much, but think about single women in the dating scene. They make a post somewhere with their email address and someone comes across it and is able to determine the same amount of information about them as what I did above? What if that person was more interested in something other than identity theft?

I think you get the idea.. essentially.. guard your personal information with your life. Never post your phone number on the internet (unless you’re using a proxy number, which is what I do), and make sure no personal information is associated with your email address before you go firing off emails to strangers.
 

Written by Matt at matt@attackvector.org