Detecting Fraud in Facebook Contests

Whatever your feelings on Facebook, it’s pretty clear that it’s here to stay. If your company or organization has considered running a promotional Facebook contest, this is a crash course in detecting fraud, because if your prize is worth anything to anyone, you will encounter fraud, without exception.


I am not going to specifically address the topic of scripted attacks (such as click-jacking, like-jacking, using tools like Selenium, etc) used to game contests. There are just too many variations, and frankly, many of the data analysis concepts here would apply to that scenario as well.

Understand that I Am Not a Lawyer, and am NOT giving you legal advice here. The intended audience for this article is application developers, database architects and product directors, as we discuss some fundamental concepts that must be integrated into your contest application before even a single line of code is written. Many of these concepts can be applied to non-Facebook online contests, but some are Facebook specific.

Also, if you got to this article because you’re trying to learn how to game a Facebook contest, please die in a fucking fire. You are a useless piece of shit, and people like you are what is wrong with the world.

First things first, and a little bit off-topic, if you’re planning on creating a Facebook contest, be sure your contest abides by Facebook’s promotional policy guidelines. They’re a pretty quick read, but failing to read them before deploying a contest on Facebook may result in Facebook disabling your contest for policy violation. You can (and should) read the whole set of guidelines here, but since we’re about to discuss planning your contest app, the ones you really need to be mindful of are:

  1. You must not use Facebook features or functionality as a promotion’s registration or entry mechanism. For example, the act of liking a Page or checking in to a Place cannot automatically register or enter a promotion participant.
  2. You must not condition registration or entry upon the user taking any action using any Facebook features or functionality other than liking a Page, checking in to a Place, or connecting to your app. For example, you must not condition registration or entry upon the user liking a Wall post, or commenting or uploading a photo on a Wall.
  3. You must not use Facebook features or functionality, such as the Like button, as a voting mechanism for a promotion.
  4. You must not notify winners through Facebook, such as through Facebook messages, chat, or posts on profiles (timelines) or Pages.

Basically, this means that you can’t use any of the native Facebook platform tools as voting or winning mechanics. You can like-gate an app, requiring the user to like an app or page before being shown the contest sign-up form, but you cannot use the act of liking the app or page as the registration itself. You cannot award points or incentives on a Facebook share, but you CAN award points or incent the conversion. So if your app lets me invite people to your app, you can award me points for every one of my friends that allows the app and participates, but you cannot award me points based on how many people I invite that do not convert to app users or clickthroughs or what have you.

There’s a little bit of nuance to it, but the general rule is just to avoid using the platform for stuff that determines who wins or loses, period. That part has nothing specifically to do with gaming a Facebook contest (or the prevention of gaming a Facebook contest), but it’s pretty important, and will influence some pretty core mechanics in your contest, so don’t gloss over them.

Rule #1 of running a contest: LOG EVERYTHING

Log absolutely everything possible. Require that the user is logged in, and always log their FBID *and* their IP address. Your legal counsel will thank you for it.

You need to be able to run an audit on every action related to potential winning or losing of the contest for your own liability, but also because it is the foundation of putting yourself in a good spot to detect suspicious or fraudulent activity. Seriously.

If ass-wiping influences the contest outcome, you had better be logging every single time the user wipes their ass, complete with IP address, user agent, timestamp, and anything else you can think of that would be specific to that action+session combination. I simply cannot emphasize this enough.

Without extensive logging, you will be left absolutely helpless when a user (or their lawyer) challenges your winner decisions, or when other users claim a specific user is cheating.

Make sure your web server is logging access correctly too. You may need to correlate an Apache access log entry with a specific transaction and IP address. Test this before your app goes live.

As you analyse your logs, look for inconsistencies in user agent and/or IP address. If their user agent is logged as “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7” in one log entry and “Mozilla/5.0 (Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7” in the next, something is up. The difference between those two user agent strings is subtle, but it’s there, and there is no legitimate reason for it to change from action to action in the same session.
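As an added example (not code from the original post), here is that check run over a constructed action log. Each record carries the fields the post says to log on every scoring action (FBID, session id, IP, user agent, timestamp); the two user agent strings are the ones quoted above, and the `ua_diff` helper pulls out the one token that differs so a reviewer does not have to compare two long lines by eye. A legitimate user who switches devices gets a new login session, so a change inside one session is the signal.

```python
"""Flag contest sessions whose user agent or IP address changes mid-session.

Added example, not from the original post. Each record carries the fields
the post says to log on every scoring action (FBID, session id, IP, user
agent, timestamp). The two user agent strings are the post's own; the log
entries around them are constructed.
"""
import difflib
from collections import defaultdict

UA_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 "
          "(KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7")
UA_DRIFT = UA_MAC.replace("Macintosh; ", "")   # the post's second string

ACTION_LOG = [  # constructed: session s-a is consistent, s-b drifts
    {"fbid": "1001", "session": "s-a", "ip": "198.51.100.7", "ua": UA_MAC,
     "ts": "2012-01-20T21:02:11", "action": "vote"},
    {"fbid": "1001", "session": "s-a", "ip": "198.51.100.7", "ua": UA_MAC,
     "ts": "2012-01-20T21:03:40", "action": "invite"},
    {"fbid": "1002", "session": "s-b", "ip": "203.0.113.9", "ua": UA_MAC,
     "ts": "2012-01-20T21:05:02", "action": "vote"},
    {"fbid": "1002", "session": "s-b", "ip": "203.0.113.9", "ua": UA_DRIFT,
     "ts": "2012-01-20T21:05:31", "action": "vote"},
    {"fbid": "1002", "session": "s-b", "ip": "203.0.113.44", "ua": UA_DRIFT,
     "ts": "2012-01-20T21:06:10", "action": "vote"},
]


def ua_diff(old, new):
    """List the (op, removed, added) edits between two UA strings, so a
    reviewer sees the one token that changed instead of two long lines."""
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [(op, old[i1:i2], new[j1:j2])
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]


def session_inconsistencies(records):
    """Return {session_id: [reasons]} for sessions in which the IP, user
    agent or FBID differs between two consecutive actions."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)

    flagged = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])        # ISO timestamps sort as text
        reasons = []
        for prev, cur in zip(recs, recs[1:]):
            for field in ("ua", "ip", "fbid"):
                if prev[field] != cur[field]:
                    reasons.append(f"{field} changed at {cur['ts']}: "
                                   f"{prev[field]!r} -> {cur[field]!r}")
        if reasons:
            flagged[sid] = reasons
    return flagged
```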

Rule #2: Get their email address

It seems intrusive, but if your loot is decent, people won’t mind giving it to you. Once they have allowed your application and granted you email permission through the app allow dialog, you can pre-populate the email address field so they don’t even have to type anything in. You’ll need their email address anyway, to notify them if they won, since Facebook doesn’t allow you to use FB Messages to do that.

You want their email address because users creating fake Facebook profiles (each of which requires a unique email address) to generate bogus votes/points/whatever will generally not be terribly creative (or may be using an automated script or service to do it), so you can use the email addresses as a way to detect patterns in participating users that could imply fraudulent activity. If you see 100 new entries, all with the email pattern of [email protected], there’s an excellent chance that those entries are bogus.
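One way to turn that observation into a check, as an added example rather than code from the original post: collapse each entrant’s address to its template (provider, stem, digits replaced by a marker, Gmail dots and “+tag” suffixes stripped) and look for templates shared by many entrants or whose numbers run consecutively. The addresses below are constructed.

```python
"""Cluster contest entrants by the template their email address follows.

Added example, not from the original post. Fake-profile batches tend to be
minted from one template (same provider, same stem, a counter), so reducing
each address to its shape and counting how many entrants share it surfaces
batches worth a manual look. The addresses below are constructed.
"""
import re
from collections import defaultdict


def email_pattern(address):
    """Reduce an address to a template: lowercase, drop a '+tag' suffix,
    ignore dots in Gmail local parts, replace every digit run with '#'."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]            # plus-addressing hides nothing
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")        # Gmail ignores dots
    return re.sub(r"\d+", "#", local) + "@" + domain


def suspicious_email_clusters(entrants, min_size=5):
    """Return {template: sorted addresses} for templates shared by at least
    min_size distinct entrants. A cluster is a review queue, not a verdict."""
    groups = defaultdict(set)
    for addr in entrants:
        groups[email_pattern(addr)].add(addr.strip().lower())
    return {p: sorted(a) for p, a in groups.items() if len(a) >= min_size}


def looks_sequential(addresses, max_gap=3):
    """True when the numbers embedded in the local parts form a near-
    consecutive run (fan01, fan02, fan03 ...), a sign of scripted signup."""
    numbers = []
    for addr in addresses:
        local = addr.rpartition("@")[0].replace(".", "")
        match = re.search(r"\d+", local)
        if match:
            numbers.append(int(match.group()))
    numbers.sort()
    return len(numbers) >= 3 and all(
        0 < b - a <= max_gap for a, b in zip(numbers, numbers[1:]))


ENTRANTS = [  # constructed: four ordinary addresses and one templated batch
    "jane.doe@example.org", "mike_ross77@example.com",
    "lucy@example.net", "r.h.hughes@example.com",
] + [f"contestfan{n:02d}@gmail.com" for n in (1, 2, 3, 5, 6, 7, 8, 9)] + [
    "C.o.n.t.e.s.t.f.a.n.04+promo@gmail.com",   # same batch, disguised
]
```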

Brace yourself for the truth

The cost of winning a Facebook contest by cheating is much lower than you probably imagine – and unsurprisingly, there are businesses online that exist for the sole purpose of helping people win online contests. Right now, on a casual Google search, I can find services that will sell me 10 PVA (Phone Verified Account) Facebook accounts for $20. I can buy 100 non-PVA Facebook accounts for $20, if I think the contest won’t do that much checking for fraudulent activity. If you do a search for “facebook contest” on sites like freelancers and microworkers (I will not link to them), you’ll find hundreds of people with Facebook accounts just itching to get paid to help your potential contestants game your contest.

If you’re giving away a trip worth $3,000 and because of the number of participants, it would cost me $20 to win your contest, you are *going* to get gamed. My risk-to-reward-ratio is just too good for me not to do it. I spend $20 and I get $3,000 worth of prizes? Hell yeah.

In one investigation I performed, I saw bids of $30 accepted for people to get 200 people (real people or fake-but-look-real accounts) to vote x times. That means each one of those Facebook accounts is worth $0.15 to the person renting them out. Consider creating accounts at these microjob sites before your contest is over and checking them for openings related to your contest.

Additionally, since there are people and services out there that have created Facebook profiles for exactly this purpose, you can’t rely on Facebook profile creation date as a reliable measure. Many of the fraudulent accounts I’ve come across have been around for over a year prior to the contest. They’re also smart enough to make sure these profiles have friends that look legitimate, so it won’t be as easy as looking for FB accounts that are new and have no friend connections.

It gets worse. There are also online sites that encourage users to do like/vote exchanges. “Vote for me for blah, and I’ll vote for you.” This method tends to be slower than simply buying accounts, but it’s also free. Search Facebook for terms like “vote exchange” and you’ll find pages and groups for the sole purpose of gaming contests.

It’s up to you to decide whether a vote/contest exchange falls under your definition of cheating. It absolutely does in my book, but it really depends on how your contest works. Either way, you need to set the definitions of what exactly qualifies as cheating before your contest even starts, because you’re going to run into more gray areas than you probably would have thought.

Rule #3: NOTHING GETS DELETED. EVER.

If users can submit content as part of the contest, make sure you architect your application in such a way that nothing ever gets deleted, either by moderator or by the users themselves. Instead use a database flag to toggle visibility in the app. Log the deletion (timestamp, IP, user agent, who took the action, etc) and tuck it away, but never, ever delete the data.

Doing so insulates you from users saying “I didn’t delete it!” You will have proof that they did, including all the particulars such as what browser they were using and when. This also allows you to recover from content that is accidentally deleted by a moderator. If “deleting” content is simply toggling that boolean database field, it’s easy to toggle it back on if it gets toggled off by mistake.
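The soft-delete pattern from Rule #3 in code, as an added example (not the post’s own implementation; the schema and function names are this example’s): “deleting” flips a `visible` flag and writes an audit row with the actor’s FBID, IP, user agent and timestamp, and restoring is the same flip the other way. SQLite is used so it runs stand-alone.

```python
"""Soft-delete contest entries: toggle visibility, record who did it.

Added example, not from the original post. Schema and names are this
example's own. Nothing is ever removed from `entries`; every hide or
restore leaves a row in `moderation_log`.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE entries (
    id         INTEGER PRIMARY KEY,
    owner_fbid TEXT NOT NULL,
    body       TEXT NOT NULL,
    visible    INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE moderation_log (
    id         INTEGER PRIMARY KEY,
    entry_id   INTEGER NOT NULL REFERENCES entries(id),
    action     TEXT NOT NULL CHECK (action IN ('hide', 'restore')),
    actor_fbid TEXT NOT NULL,
    actor_ip   TEXT NOT NULL,
    user_agent TEXT NOT NULL,
    logged_at  TEXT NOT NULL
);
"""

# Constructed moderator identity, as it would come from the request context.
MODERATOR = {"fbid": "9", "ip": "203.0.113.5", "ua": "Mozilla/5.0 (mod)"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_visibility(conn, entry_id, visible, actor):
    """Flip the flag and log the action in one transaction. `actor` holds
    the fbid, ip and ua of whoever clicked delete (moderator or owner)."""
    action = "restore" if visible else "hide"
    with conn:                                   # commit or roll back together
        cur = conn.execute("UPDATE entries SET visible = ? WHERE id = ?",
                           (int(visible), entry_id))
        if cur.rowcount != 1:
            raise LookupError(f"no entry {entry_id}")
        conn.execute(
            "INSERT INTO moderation_log (entry_id, action, actor_fbid, "
            "actor_ip, user_agent, logged_at) VALUES (?, ?, ?, ?, ?, ?)",
            (entry_id, action, actor["fbid"], actor["ip"], actor["ua"],
             datetime.now(timezone.utc).isoformat(timespec="seconds")))


def visible_entries(conn):
    """Entry ids the app should show; hidden rows still exist."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM entries WHERE visible = 1 ORDER BY id")]


def history(conn, entry_id):
    """Who hid or restored this entry, from where, and when."""
    return conn.execute(
        "SELECT action, actor_fbid, actor_ip, logged_at FROM moderation_log "
        "WHERE entry_id = ? ORDER BY id", (entry_id,)).fetchall()


def demo():
    conn = open_db()
    conn.executemany("INSERT INTO entries (owner_fbid, body) VALUES (?, ?)",
                     [("1001", "My entry"), ("1002", "Another entry")])
    set_visibility(conn, 1, False, MODERATOR)   # hidden by mistake ...
    set_visibility(conn, 1, True, MODERATOR)    # ... and put back
    set_visibility(conn, 2, False, MODERATOR)   # genuinely hidden
    return conn
```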

Rule #4: Know what counts as cheating up-front

This sounds like a no-brainer. Cheating is cheating, right? But if someone didn’t actually pay for votes, and did a vote exchange or spammed forums and Facebook groups to get votes from people who don’t actually care about the program, is that cheating?

What if the Facebook account that’s participating is “real”, but the person only ever uses it for entering contests? Is that a legitimate user to you, or a cheater? You should figure that out ahead of time.

It’s going to be your choice as to what level of detail you disclose your policies on cheating. My recommendation is to be a little vague. While this goes against my standard policy of transparency in everything, if you give the bad guys an explicit set of rules on how you define cheating, they will be sure to tailor their cheating to specifically avoid the things you outline. If you tell me (as a bad guy) that my votes will be disqualified if too many votes come in from the same IP address, I will be sure to use different IP addresses for each vote to make sure I avoid your detection.

Rule #5: Audit, audit, audit and audit some more

Auditing by eyeball isn’t really going to cut it, but if it’s all you’ve got, it’s better than nothing. A better idea would be to set up a series of heuristics programmatically that flag user activity as being suspicious and requiring additional review. Things like the number of unique users coming from a specific IP address, the time of day that you see the most activity, the kinds of email addresses you see associated with the participating users, etc.
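Two of those heuristics as programmatic flags, added here as an example and not code from the original post: how many distinct voters sit behind one IP address, and what share of an entry’s votes land in the small hours (the 1AM/2AM pattern discussed later). The vote records and thresholds are constructed; a school or office NAT puts many real people behind one address, so a flag here means “review by hand”, not “cheater”.

```python
"""Programmatic audit heuristics over a contest's vote log.

Added example, not from the original post. Implements two of the checks
the post names: distinct voters per IP address and the share of an
entry's votes cast overnight. Records and thresholds are constructed and
should be tuned against the contest's real traffic.
"""
from collections import defaultdict
from datetime import datetime

VOTES = [  # constructed: entry A looks organic, entry B does not
    {"voter_fbid": f"2{n:03d}", "entry": "A", "ip": f"198.51.100.{n}",
     "ts": f"2012-01-2{n % 3}T{9 + n:02d}:15:00"} for n in range(1, 7)
] + [
    {"voter_fbid": f"7{n:03d}", "entry": "B", "ip": "192.0.2.10",
     "ts": f"2012-01-21T0{1 + n % 3}:{5 * n:02d}:00"} for n in range(1, 9)
]


def voters_per_ip(votes):
    """Map each IP address to the set of distinct voter FBIDs behind it."""
    seen = defaultdict(set)
    for v in votes:
        seen[v["ip"]].add(v["voter_fbid"])
    return seen


def off_hours_share(votes, start=1, end=5):
    """Fraction of votes cast at or after `start` and before `end` o'clock
    in the log's local time (defaults cover 1AM-4:59AM)."""
    if not votes:
        return 0.0
    late = sum(1 for v in votes
               if start <= datetime.fromisoformat(v["ts"]).hour < end)
    return late / len(votes)


def audit_entries(votes, max_voters_per_ip=5, max_off_hours=0.5):
    """Return {entry_id: [reasons]} for entries whose votes trip a rule."""
    by_entry = defaultdict(list)
    for v in votes:
        by_entry[v["entry"]].append(v)
    fanout = voters_per_ip(votes)            # computed over the whole log

    flagged = {}
    for entry, evotes in by_entry.items():
        reasons = []
        hot_ips = sorted({v["ip"] for v in evotes
                          if len(fanout[v["ip"]]) > max_voters_per_ip})
        if hot_ips:
            reasons.append(f"{len(hot_ips)} IP(s) shared by more than "
                           f"{max_voters_per_ip} distinct voters: {hot_ips}")
        share = off_hours_share(evotes)
        if share > max_off_hours:
            reasons.append(f"{share:.0%} of votes cast between 1AM and 5AM")
        if reasons:
            flagged[entry] = reasons
    return flagged
```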

Look for patterns that don’t make sense. Examine the Facebook pages of the folks you suspect of cheating. Do they have any wall posts? Any photos? Do they have friends? Click on their friends’ profiles – do their profiles also have no wall posts and no photos? Look for generic “hot babe” profile photos. Look at the pages and topics the user has “liked”. Do they seem a little too demographically on-point, as if they were created to appeal to a specific contest demographic? Is there a pattern in the things they’re liking? (All contest pages, etc.) This part can’t be automated.

Give yourself the time between the end of the contest and the announcement of the winner to be thorough and audit all of your top contenders. Hold off notifying anyone that they won until you’ve had a chance to comb through this data and you feel confident that it’s legitimate.

You have a cheater. Now what?

When you find someone cheating, how are you going to handle it? Revoke their points/votes/etc? Disqualify them? Whatever your decision, know what you’re going to say to them in advance, because if the stakes are high enough, there’s a good chance they will be loud and public about how you wronged them. Once again I advise not showing too much of your hand.

If you decide to confront them and allow them to offer explanations, hold specifics back. If your user claims, for example, that they got most of their votes from their friends at a high school using their own computer (which would explain the same IP address), but the timestamps on the votes are at 1AM, 2AM, etc, that should raise some eyebrows. If you tell them too much about what you’re basing your decision on, a decent cheater will come up with an excuse for each point, excuses they would have offered up front if the story were legitimate.

It’s rare to find a smoking gun in these cases. Instead, it’s going to require some judgement calls and a preponderance of evidence. It’s very likely you won’t find *one* thing that makes you *sure* someone is cheating. Instead you’ll find a half-dozen things that, when combined, form an equation that just doesn’t add up.

One option, upon finding a cheater, is to disqualify just the votes that seem fraudulent. In the case of a contest where the user submits an entry and other people vote on it to determine a winner, be cautious of disqualifying the entry based on fraudulent activity. Knowing how inexpensive it is to buy Facebook profiles, if I were a particularly bad guy who had also submitted an entry, I might consider spending some money to game my opponent’s entry in a way that was obviously fraudulent to get their entry disqualified.

If I knew you would kick anyone out if you detected any fraudulent behavior on their entry, I might go out of my way to make sure you found some on the other guy’s entry to increase my chances of winning by kicking them out of the running. This technique, similar to joe jobbing in the spam world, isn’t one I’ve seen often, but it’s only a matter of time.

Make a decision and be prepared to stick with it. Feel confident that your decision was the right one, and don’t back down. The bad PR from the folks you disqualify will be better than the bad PR from the rest of the contestants claiming that your contest is rigged or allowed fraud. Your legal department will make sure you have a TOS that basically says that you don’t owe anyone an explanation, and it’s up to your discretion to disqualify anyone for any reason.

Running a (good) contest is an incredibly laborious process. The technical aspects of creating the app are honestly the least complicated, least time-consuming part of the whole thing. Make sure you have the appropriate resources to handle it. If you half-ass it, you will regret it.

Nailed it.

Not quite. Honestly, there is almost no fool-proof way of detecting all fraud activities – partly because some of this fraud is being conducted by actual people, not machines. They’ve invested the time into creating profiles that look real.

You’ll be able to find the ones that do a crap job of it, but a few of the more sophisticated folks will have profiles that have current wall posts about things other than contest spamming. They’ll have photos uploaded, lots of friends, and profiles that weren’t recently created. Fortunately for you, those kinds of profiles tend to be more expensive to buy, since they require more work to upkeep to look legitimate.

Maintaining believability in a friend network that large requires a lot of time, so examining the friend profiles associated with your top contestants is absolutely critical. If you poke around enough, you’re bound to find something that doesn’t fit. Examining their entire footprint on the social graph will give you a much clearer picture than a specific profile.


About snipe

I’m a tech geek/dev/infosec-nerd/scuba diver/blacksmith/sword-fighter/crime fighter/ENTP/warcrafter/activist, and the former CTO and CSO at a business innovation agency in New York City. Tweet at me @snipeyhead or read more...
  • Anonymous

    This is an exceptionally well-written article that applies to absolutely nothing I do on the internet, but I enjoyed it nonetheless.

    • Biggsfoots

      Exceptional! I too have been fighting my battle against vote cheaters in my country.

  • http://super-lucky.blogspot.com/ Superlucky Di

    Perfect! I’ve been waiting for someone to write a post on this topic for ages, simply because I don’t know enough geeky stuff to do it myself! Here in the UK we have a lot of problems with cheating – and cheats are regularly winning big prizes in voting contests here. Promoters are very naive and don’t understand that entrants WILL use fake profiles and swap/buy hundreds or thousands of votes to win a prize. Your advice is spot on, thanks!

  • alexgogan

    Thanks for this article, brilliant, clear and insightful, now just have to subscribe for more. (BTW) just love the complete social media douchebag, that’s what brought me here, but then you already know this >:¬}

  • Hockenstock

    I never ever enter voting contests, even if it’s a great prize, because I assume it’s so easy for a few to ruin it for all. After reading this, it just reinforces my view. Honestly, holding a contest seems more trouble than it’s worth compared to a legitimate random pick.

  • ctraynor

    Yeah, good article but you’re such a dick for starting it out with those “may you die in a fire” and “useless piece of shit” lines. You’re a decent writer – you made that clear but what a lazy and horribly insensitive way to start an article like this. First, the type of person that would wish that someone dies in a fire is EXACTLY the kind of person who would read your article with the hope of learning some new and better way to cheat at a Facebook contest. Secondly, do you know that there are literally thousands of people on the internet right this instant who have lost a loved one in a fire or, perhaps they themselves have been burned terribly in a fire. Either way, those are traumatic memories that you just trod all over, Mohawk Poser Joe. The world WOULD BE better if cheaters stopped fucking cheating. It would also be a better place without insensitive goat-fuckers like you.

    • http://www.snipe.net snipe

      First of all, you’re so welcome for all the good info. I assume you forgot to thank me, in your fervor to chastise me for wishing that *bad* people die in a horrible way. Appreciate your concern-trolling, but I’m pretty sure the answer to insensitivity isn’t calling the insensitive one a goat-fucker. Do you have any idea how many goats have been fucked without consent? The amount of trauma they have suffered, and yet you trod all over those horrible memories. Nice job, AOL guy.

      Security through obscurity isn’t security at all. I didn’t give the bad guys any ideas they didn’t already have with this post, because they have a lot more time to come up with bullshit ways to cheat the system. And I stand by what I said. I actually, literally want people who cheat to die in a fire. If you don’t like it, you’re welcome to join them.

  • Anonymous2009

    I’m so happy that you posted this. My fiancee and I entered our first contest together and found out that there was “voting” involved. We bugged our families, friends, and even high school friends to vote for us. It’s a daily vote contest. After a week or two we made it up to 500 votes. Our video was pretty good so we got some outside votes (I think). A day later someone put a video in and in a matter of hours they were up to 90. It seemed, over the next few days and week, that each night at the exact same time, every refresh of the page the person got one more vote. We timed it. Every 30-45 seconds there was a new vote. When we woke up in the morning they got over 100. We thought friends and family, but honestly I don’t know who at 3 or 4 in the morning every weekday is going to say “oh I forgot to vote for [insert name], might as well do it. I mean who cares about work, let’s vote.” During the day there weren’t any votes, not one. But between 8 p.m. and 4 p.m., hundreds. I’m so glad you’ve posted this. This will be the LAST voting contest I enter with my partner because I’m not staying up till 3 in the morning to ask my friends to vote for me. And yes the person with the spiking votes is in the same time zone as I am, so there isn’t a time change.

    Keep writing these posts!

  • Disheartened Contestant

    I just got finished with a recipe contest sponsored by a local casino. The voting was through Facebook. My family and I literally worked our butts off getting votes all week and keeping ahead of the competition by at least 10 every day, til the final day. That’s when the fiasco started. I noticed the contestant in 2nd place got a ridiculous amount of votes in 10 minutes. Knowing how difficult it is just to get a few votes I decided to investigate her page. There it was. She was a member of numerous sweepstakes/contests groups. I clicked on a couple of the other group members and found her recipe being promoted by someone. Feeling deflated, knowing I couldn’t compete with such, we turned to some comic relief. I failed to mention this chick’s recipe was a smashed potato. This contest was for $250, 10 buffet vouchers, a meeting with the executive chef and your dish on the buffet. Only 9 people entered. Can you imagine her meeting the chef….well, you bake the potato and smash it! My boyfriend made a few memes about potatoes. Of course this opponent was checking out my page and saw this. The war began. A ‘friend’ of hers put the word out that we were picking on her recipe. I got called an a@#hole and a sh@# talker on his page which also included my photo and information. Soon they were ahead by 50. I made a plea on the casino’s page for votes and telling a bit of the story. Then her sweepstakes buddies started in on me, making comments. The contest ended at midnight. At 11:50 I see a comment from the jerk who posted me on his page saying I was the one who bought votes because mine were going up. I looked and my votes were jumping by leaps and bounds. By midnight we tied and it ended. I’m positive the casino did this to avoid more issues. One of the comments a guy wrote on my entry even stated that “so and so has over 1000 friends who vote for each other daily, so get a grip.” Proof! I get the email from the casino about my prize.

    It said after contacting the Illinois Gaming Board they have decided to make us split the $250 but we both get the other prizes. There was a scolding at the end of the email, saying how both parties were disrespectful, and that they found no evidence of cheating going on. I’m trying to get over this, but I can’t stand the lack of justice in this situation. So people don’t consider vote sharing cheating, is what I’m learning. So sad. I find it highly unethical, unfair and yes, a form of cheating. I will never enter another online voting contest again. These people are like a cult and think they’re doing no wrong. I’m still deciding if I want to fight the point with the casino. There was nothing stated in the rules that the money was to be split if there was a tie. Thoughts?