Unmasking cheaters on Facebook votes-based contests
During the recent weeks i see that there is a trend on the Moroccan Web community about Maroc Web Awards, so I took a look on the leaderboard of some of its categories, but i noticed that there is something suspicious with the ongoing votes over there ...
As any Facebook votes-based contest, there is always some predators (aka. Cheaters) looking to get the prize with the easiest and the trickiest way possible ... It might be a trophy (social status), a smartphone or even holidays to some nice places (Yeah, If you are reading this M.T. i know how you cheated on other contests).
Well, a big part of those cheaters are a bit tech-savvy, most of them are script-kiddies, but they know how to trick the votes system just by using "valid" credentials and Facebook accounts to get ahead on the leaderboard.
I checked some of local social contests, and of course i debugged with one of my friends (C.G.M), and we managed to get that you can easily trick the system by just using a simple HTTP requests replay attack.
My small experience i had with managing and monitoring votes of a middle sized Facebook contest helped me to know how cheaters think (well, at least the ones who participated at this contest), and most importantly to learn how to stop them from getting their undeserved prizes ... so, if you are interested to join the Justice League, please feel free to follow my recommendations (Unfortunately i can't mention all of them publicly ...):
- Track every single vote separately
Just for analysis purposes, see Votes Analysis.
- Votes must be protected with a Facebook App to check the identity of the user
By using a Facebook App you are forcing the user to be connected to his Facebook account in order to ensure that the vote came from a "trusted" Facebook user with a token validation of course.
- Protect vote requests with CSRF Tokens or just a simple NONCE authentication
It might be an optional step if you trust the design of your system enough, but you can add it in order to avoid the replay HTTP attacks and "stolen" votes from other users. [Read more: Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet]
- Don't base your votes only on Facebook likes
If you would like to wake up with a Facebook notice message on your Facebook developer's inbox which tells you that your app is suspended (if you are lucky enough, your account as well), then you can go with Facebook likes, otherwise i really recommend you to separate the votes completely from Facebook and use your own voting system so you can customize it with your own needs and requirements and also to have the ability to study and analyse votes as well to detect any unusual behaviour.
- Retrieve maximum information about the voter (You should mention this in your Participation Terms and Conditions)
You can get the name, the country and city of origin of the voter in order to strengthen your assumptions and have valid proofs about those cheaters.
You can also get the browser's properties and also other detailed informations (I can't mention all of them here unfortunately :\ ).
- Voter informations must be retrieved on the server, not send with the vote request:
It's just a dumb thing to mention or to tell good developers about, but unfortunately i saw it on a popular local brand Facebook's contest ... I thought maybe it's not a big deal to tell people who aren't aware of this to change their thinking ... or maybe even their job if they are experienced and do this mistake ...
Votes Analysis
The measures i mentioned above are just our first line of defence to eliminate major threats, the big work to detect and the accuracy of our investigations depends on the processes that we will define:
1 - Spot the potential cheaters:
If you notice the gap between the first 1-6 participants and the others on the leaderboard is huge, especially after a short amount of time, this is a red flag that you need to check and start your investigation.
2 - Check the origin country of the voter [Facebook's origin vs IP's origin]:
One of the main reason to do this is to check if the users who votes for a specific user (or any other related entities - Song, Picture etc ...) are really within the geographical scope of the targeted audience of the contest and also if their votes origins (IP) really match their Facebook country of origin.
Most cheaters use low value accounts from India, Pakistan, Malaysia or other countries that don't necessary match the geographical target of the contest.
3 - Study and analyse the behaviour of the voters
Some of those cheaters use keyloggers (or other techniques) to collect passwords of a specific targeted audience (ex: Morocco) and automate the process of voting by using tools that are already available online, you can use Captchas to avoid this, but unfortunately they can be bypassed as well, but you will make it harder for your users from a UX perspective and also for the cheaters from the technical part.
In order to detect those kind of unusual behaviours you might notice a small (or static) time delta between votes during some peak periods, multiple votes coming from the same origin IP to the same user, repetitive browser's properties etc ... All those signs will push you to start cleaning up your competition.
4 - Compare previous banned users with potential cheaters
Just analysing behaviour might not always give clear results to make a decision you are 100% sure about, especially if you came across a smart guy, but you will always find some missed areas he didn't think about.
For example, you can use some Social Network Analysis to get a clearer view about the votes you can't detect easily by just reading metrics:
As you can see, this graph represents the votes made during the whole contest, who voted whom, and a constructed view about the network, communities involved etc ...
What pushed me to use this methodology is that I suspected the behaviour of a user, after investigating his voters, i couldn't catch any rightful proof about him from the usual checking, even if there were some fraudulent votes based on the criteria i defined before, but not big enough to use them as a legit proof ...
So I decided to generate the graph using Gephi (Visualisation Software), and TADAA ! : The voters who voted this guy already voted two previously banned users ...
This is just a small example on how you can use SNA in fraud detection for example, even though i believe that there is some other ways and techniques i'm not aware of, if you have any insights about them, maybe you can suggest them in the comment section or give me a hint on my e-mail [email protected]
.
I will talk more about subjects that involve Social Network Analysis in some of my upcoming posts Expand your LinkedIn network in a Smart Way, feel free if you have any ideas or topics that could involve it.