Detecting Fraud in Facebook Contests
Whatever your feelings on Facebook, it’s pretty clear that it’s here to stay. If your company or organization has considered running a promotional Facebook contest, this is a crash course in detecting fraud, because if your prize is worth anything to anyone, you will encounter fraud, without exception.
I am not going to specifically address the topic of scripted attacks (such as click-jacking, like-jacking, using tools like Selenium, etc) used to game contests. There are just too many variations, and frankly, many of the data analysis concepts here would apply to that scenario as well.
Understand that I Am Not a Lawyer, and am NOT giving you legal advice here. The intended audience for this article is application developers, database architects and product directors, as we discuss some fundamental concepts that must be integrated into your contest application before even a single line of code is written. Many of these concepts can be applied to non-Facebook online contests, but some are Facebook specific.
Also, if you got to this article because you’re trying to learn how to game a Facebook contest, please die in a fucking fire. You are a useless piece of shit, and people like you are what is wrong with the world.
First things first, and a little bit off-topic, if you’re planning on creating a Facebook contest, be sure your contest abides by Facebook’s promotional policy guidelines. They’re a pretty quick read, but failing to read them before deploying a contest on Facebook may result in Facebook disabling your contest for policy violation. You can (and should) read the whole set of guidelines here, but since we’re about to discuss planning your contest app, the ones you really need to be mindful of are:
- You must not use Facebook features or functionality as a promotion’s registration or entry mechanism. For example, the act of liking a Page or checking in to a Place cannot automatically register or enter a promotion participant.
- You must not condition registration or entry upon the user taking any action using any Facebook features or functionality other than liking a Page, checking in to a Place, or connecting to your app. For example, you must not condition registration or entry upon the user liking a Wall post, or commenting or uploading a photo on a Wall.
- You must not use Facebook features or functionality, such as the Like button, as a voting mechanism for a promotion.
- You must not notify winners through Facebook, such as through Facebook messages, chat, or posts on profiles (timelines) or Pages.
Basically, this means that you can’t use any of the native Facebook platform tools as voting or winning mechanics. You can like-gate an app, requiring the user to like an app or page before being shown the contest sign-up form, but you cannot use the act of liking the app or page as the registration itself. You cannot award points or incentives on a Facebook share, but you CAN award points or incent the conversion. So if your app lets me invite people to your app, you can award me points for every one of my friends that allows the app and participates, but you cannot award me points based on how many people I invite that do not convert to app users or clickthroughs or what have you.
There’s a little bit of nuance to it, but the general rule is just to avoid using the platform for stuff that determines who wins or loses, period. That part has nothing specifically to do with gaming a Facebook contest (or the prevention of gaming a Facebook contest), but it’s pretty important, and will influence some pretty core mechanics in your contest, so don’t gloss over them.
Rule #1 of running a contest: LOG EVERYTHING
Log absolutely everything possible. Require that the user is logged in, and always log their FBID *and* their IP address. Your legal counsel will thank you for it.
You need to be able to run an audit on every action related to potential winning or losing of the contest for your own liability, but also because it is the foundation of putting yourself in a good spot to detect suspicious or fraudulent activity. Seriously.
If ass-wiping influences the contest outcome, you had better be logging every single time the user wipes their ass, complete with IP address, user agent, timestamp, and anything else you can think of that would be specific to that action+session combination. I simply cannot emphasize this enough.
Without extensive logging, you will be left absolutely helpless when a user (or their lawyer) challenges your winner decisions, or when other users claim a specific user is cheating.
Make sure your web server is logging access correctly as well. You may need to correlate your Apache access log to a specific transaction and IP address. Test this before your app goes live.
As you analyse your logs, look for inconsistencies in user agent and/or IP address. If their user agent is logged as “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7” in one log entry and “Mozilla/5.0 (Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7” in the next, something is up. The difference between those two user agent strings is subtle, but it’s there, and there is no legitimate reason for it to change from action to action in the same session.
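One way to automate that check, as an added example that is not part of the original article: it assumes your action log carries a session ID per row, and the log rows, session IDs and IP addresses below are constructed. Only the two user agent strings come from the text above.

```python
from collections import defaultdict

UA_REAL = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 "
           "(KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7")
UA_ODD = ("Mozilla/5.0 (Intel Mac OS X 10_7_2) AppleWebKit/535.7 "
          "(KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7")

# Constructed sample action log: (session_id, fbid, ip, user_agent, action)
SAMPLE_LOG = [
    ("sess-a", "1001", "198.51.100.7", UA_REAL, "view_form"),
    ("sess-a", "1001", "198.51.100.7", UA_ODD, "vote"),
    ("sess-b", "1002", "203.0.113.20", UA_REAL, "view_form"),
    ("sess-b", "1002", "203.0.113.20", UA_REAL, "vote"),
    ("sess-c", "1003", "192.0.2.15", UA_REAL, "view_form"),
    ("sess-c", "1003", "192.0.2.99", UA_REAL, "vote"),
]

def find_session_drift(rows):
    """Return {session_id: [(field, first_value, later_value, action), ...]}
    for sessions whose IP or user agent differs from the first logged action."""
    first_seen = {}
    findings = defaultdict(list)
    for session_id, _fbid, ip, ua, action in rows:
        baseline = first_seen.setdefault(session_id, {"ip": ip, "user_agent": ua})
        for field, value in (("ip", ip), ("user_agent", ua)):
            if value != baseline[field]:
                findings[session_id].append((field, baseline[field], value, action))
    return dict(findings)

def ua_token_diff(a, b):
    """Whitespace-separated tokens present in only one of two user agents,
    so a reviewer can see a subtle difference at a glance."""
    return sorted(set(a.split()) ^ set(b.split()))

if __name__ == "__main__":
    for session, changes in find_session_drift(SAMPLE_LOG).items():
        for field, before, after, action in changes:
            print(f"{session}: {field} changed before '{action}'")
            if field == "user_agent":
                print("  differing tokens:", ua_token_diff(before, after))
```

Treat a hit as a flag for manual review, not as proof on its own.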
Rule #2: Get their email address
It seems intrusive, but if your loot is decent, people won’t mind giving it to you. Once they have allowed your application and granted you email permission through the app allow dialog, you can pre-populate the email address field so they don’t even have to type anything in. You’ll need their email address anyway, to notify them if they won, since Facebook doesn’t allow you to use FB Messages to do that.
You want their email address because users creating fake Facebook profiles (each of which requires a unique email address) to generate bogus votes/points/whatever will generally not be terribly creative (or may be using an automated script or service to do it), so you can use the email addresses as a way to detect patterns in participating users that could imply fraudulent activity. If you see 100 new entries, all with the email pattern of email@example.com, there’s an excellent chance that those entries are bogus.
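A sketch of that pattern check, added here as an example and not taken from the original article: it reduces each address to a coarse "skeleton" and reports skeletons shared by several sign-ups. The addresses, the normalisation rules and the cluster size of 3 are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample sign-ups (every address here is made up).
SAMPLE_EMAILS = [
    "contestfan01@mail.example", "contestfan02@mail.example",
    "contestfan03@mail.example", "contestfan17@mail.example",
    "Maria.Lopez@inbox.example", "d.okafor+promo@inbox.example",
    "jt_1987@inbox.example", "contest.fan.44@mail.example",
]

def skeleton(email):
    """Reduce an address to a coarse pattern: lower-case it, drop any +tag
    and dots from the local part, and replace each run of digits with '#'."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return re.sub(r"\d+", "#", local) + "@" + domain

def suspicious_clusters(emails, min_size=3):
    """Group addresses by skeleton and return the groups that have at least
    min_size members, i.e. many sign-ups that differ only by a counter."""
    groups = defaultdict(list)
    for email in emails:
        groups[skeleton(email)].append(email)
    return {pattern: members for pattern, members in groups.items()
            if len(members) >= min_size}

if __name__ == "__main__":
    for pattern, members in suspicious_clusters(SAMPLE_EMAILS).items():
        print(f"{pattern}: {len(members)} sign-ups -> review")
```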
Brace yourself for the truth
The cost of winning a Facebook contest by cheating is much lower than you probably imagine – and unsurprisingly, there are businesses online that exist for the sole purpose of helping people win online contests. Right now, on a casual Google search, I can find services that will sell me 10 PVA (Phone Verified Account) Facebook accounts for $20. I can buy 100 non-PVA Facebook accounts for $20, if I think the contest won’t do that much checking for fraudulent activity. If you do a search for “facebook contest” on sites like freelancers and microworkers (I will not link to them), you’ll find hundreds of people with Facebook accounts just itching to get paid to help your potential contestants game your contest.
If you’re giving away a trip worth $3,000 and because of the number of participants, it would cost me $20 to win your contest, you are *going* to get gamed. My risk-to-reward-ratio is just too good for me not to do it. I spend $20 and I get $3,000 worth of prizes? Hell yeah.
In one investigation I performed, I saw bids of $30 accepted for people to get 200 people (real people or fake-but-look-real accounts) to vote x times. That means each one of those Facebook accounts is worth $0.15 to the person renting them out. Consider creating accounts at these microjob sites before your contest is over and check them for openings related to your contest.
Additionally, since there are people and services out there that have created Facebook profiles for exactly this purpose, you can’t rely on Facebook profile creation date as a reliable measure. Many of the fraudulent accounts I’ve come across have been around for over a year prior to the contest. They’re also smart enough to make sure these profiles have friends that look legitimate, so it won’t be as easy as looking for FB accounts that are new and have no friend connections.
It gets worse. There are also online sites that encourage users to do like/vote exchanges. “Vote for me for blah, and I’ll vote for you.” This method tends to be slower than simply buying accounts, but it’s also free. Search Facebook for terms like “vote exchange” and you’ll find pages and groups for the sole purpose of gaming contests.
It’s up to you to decide whether a vote/contest exchange falls under your definition of cheating. It absolutely does in my book, but it really depends on how your contest works. Either way, you need to set the definitions of what exactly qualifies as cheating before your contest even starts, because you’re going to run into more gray areas than you probably would have thought.
Rule #3: NOTHING GETS DELETED. EVER.
If users can submit content as part of the contest, make sure you architect your application in such a way that nothing ever gets deleted, either by moderator or by the users themselves. Instead use a database flag to toggle visibility in the app. Log the deletion (timestamp, IP, user agent, who took the action, etc) and tuck it away, but never, ever delete the data.
Doing so insulates you from users saying “I didn’t delete it!” You will have proof that they did, including all the particulars such as what browser they were using and when. This also allows you to recover from content that is accidentally deleted by a moderator. If “deleting” content is simply toggling that boolean database field, it’s easy to toggle it back on if it gets toggled off by mistake.
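A minimal version of that design using SQLite, added as an example and not taken from the original article. The table and column names are hypothetical, and the delete-blocking trigger is an extra safeguard the article does not mention.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE entries (
    id INTEGER PRIMARY KEY, fbid TEXT NOT NULL, body TEXT NOT NULL,
    visible INTEGER NOT NULL DEFAULT 1);
CREATE TABLE visibility_log (
    id INTEGER PRIMARY KEY, entry_id INTEGER NOT NULL REFERENCES entries(id),
    action TEXT NOT NULL CHECK (action IN ('hide', 'restore')),
    actor TEXT NOT NULL, ip TEXT NOT NULL, user_agent TEXT NOT NULL,
    at_utc TEXT NOT NULL);
-- Refuse real deletes even if some code path tries one.
CREATE TRIGGER entries_no_delete BEFORE DELETE ON entries
BEGIN SELECT RAISE(ABORT, 'entries are never deleted'); END;
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def set_visibility(db, entry_id, visible, actor, ip, user_agent):
    """Hide or restore an entry and record who did it, from where, and when."""
    action = "restore" if visible else "hide"
    with db:  # flag change and audit row commit together or not at all
        cur = db.execute("UPDATE entries SET visible = ? WHERE id = ?",
                         (int(visible), entry_id))
        if cur.rowcount != 1:
            raise LookupError(f"no entry {entry_id}")
        db.execute(
            "INSERT INTO visibility_log "
            "(entry_id, action, actor, ip, user_agent, at_utc) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (entry_id, action, actor, ip, user_agent,
             datetime.now(timezone.utc).isoformat()))

def visible_entries(db):
    """IDs the app should display; hidden rows stay in the table."""
    rows = db.execute("SELECT id FROM entries WHERE visible = 1 ORDER BY id")
    return [r[0] for r in rows]
```

The app's "delete" button calls `set_visibility(..., visible=False, ...)`, and undoing a moderator's mistake is the same call with `visible=True`.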
Rule #4: Know what counts as cheating up-front
This sounds like a no-brainer. Cheating is cheating, right? But if someone didn’t actually pay for votes, and did a vote exchange or spammed forums and Facebook groups to get votes from people who don’t actually care about the program, is that cheating?
What if the Facebook account that’s participating is “real”, but the person only ever uses it for entering contests? Is that a legitimate user to you, or a cheater? You should figure that out ahead of time.
It’s going to be your choice at what level of detail you disclose your policies on cheating. My recommendation is to be a little vague. While this goes against my standard policy of transparency in everything, if you give the bad guys an explicit set of rules on how you define cheating, they will be sure to tailor their cheating to specifically avoid the things you outline. If you tell me (as a bad guy) that my votes will be disqualified if too many votes come in from the same IP address, I will be sure to use different IP addresses for each vote to make sure I avoid your detection.
Rule #5: Audit, audit, audit and audit some more
Auditing by eyeball isn’t really going to cut it, but if it’s all you’ve got, it’s better than nothing. A better idea would be to set up a series of heuristics programmatically that flag user activity as being suspicious and requiring additional review. Things like the number of unique users coming from a specific IP address, the time of day that you see the most activity, the kinds of email addresses you see associated with the participating users, etc.
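Two of those heuristics (unique users per IP address and time-of-day concentration) combined into a per-entry review list, as an added example that is not from the original article. The vote rows are constructed, and the thresholds are illustrative assumptions to be tuned against your own traffic.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample votes: (voter_fbid, entry_id, ip, local timestamp)
SAMPLE_VOTES = (
    [(f"u{i}", "entry-1", "198.51.100.7", f"2012-01-10T0{1 + i % 3}:{10 + i}:00")
     for i in range(8)]
    + [("u100", "entry-1", "203.0.113.4", "2012-01-10T18:05:00"),
       ("u101", "entry-2", "203.0.113.9", "2012-01-10T12:30:00"),
       ("u102", "entry-2", "192.0.2.44", "2012-01-10T19:45:00"),
       ("u103", "entry-2", "192.0.2.61", "2012-01-10T20:15:00")]
)

def review_flags(votes, max_users_per_ip=5, night_hours=range(0, 5),
                 max_night_share=0.5):
    """Return {entry_id: [reason, ...]} for entries that need a manual audit."""
    users_by_ip = defaultdict(set)
    votes_by_entry = defaultdict(list)
    for fbid, entry_id, ip, ts in votes:
        users_by_ip[ip].add(fbid)
        votes_by_entry[entry_id].append((ip, datetime.fromisoformat(ts).hour))
    # IPs used by more distinct accounts than the threshold allows
    crowded = {ip for ip, users in users_by_ip.items()
               if len(users) > max_users_per_ip}

    flags = {}
    for entry_id, rows in votes_by_entry.items():
        reasons = []
        from_crowded = sum(1 for ip, _ in rows if ip in crowded)
        if from_crowded:
            reasons.append(f"{from_crowded}/{len(rows)} votes from IPs "
                           f"shared by >{max_users_per_ip} accounts")
        night = sum(1 for _, hour in rows if hour in night_hours)
        if night / len(rows) > max_night_share:
            reasons.append(f"{night}/{len(rows)} votes cast during hours "
                           f"{night_hours.start}-{night_hours.stop - 1}")
        if reasons:
            flags[entry_id] = reasons
    return flags

if __name__ == "__main__":
    for entry, reasons in review_flags(SAMPLE_VOTES).items():
        print(entry, "->", "; ".join(reasons))
```

The output is a queue for the manual review described next, not a verdict.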
Look for patterns that don’t make sense. Examine the Facebook pages of the folks you suspect of cheating. Do they have any wall posts? Any photos? Do they have friends? Click on their friends’ profiles – do their profiles also have no wall posts and no photos? Look for generic “hot babe” profile photos. Look at the pages and topics the user has “liked”. Do they seem a little too demographically on-point, as if they were created to appeal to a specific contest demographic? Is there a pattern in the things they’re liking? (All contest pages, etc.) This part can’t be automated.
Give yourself the time between the end of the contest and the announcement of the winner to be thorough and audit all of your top contenders. Hold off notifying anyone that they won until you’ve had a chance to comb through this data and you feel confident that it’s legitimate.
You have a cheater. Now what?
When you find someone cheating, how are you going to handle it? Revoke their points/votes/etc? Disqualify them? Whatever your decision, know what you’re going to say to them in advance, because if the stakes are high enough, there’s a good chance they will be loud and public about how you wronged them. Once again I advise not showing too much of your hand.
If you decide to confront them and allow them to offer explanations, hold specifics back. If your user claims, for example, that they got most of their votes from their friends at a high school using their own computer (which would explain the same IP address), but the timestamps on the votes are at 1AM, 2AM, etc, that should raise some eyebrows. If you tell them too much about what you’re basing your decision on, a decent cheater will come up with excuses to explain them that they would have mentioned earlier if the story was legitimate.
It’s rare to find a smoking gun in these cases. Instead, it’s going to require some judgement calls and a preponderance of evidence. It’s very likely you won’t find *one* thing that makes you *sure* someone is cheating. Instead you’ll find a half-dozen things that, when combined, form an equation that just doesn’t add up.
One option, upon finding a cheater, is to disqualify just the votes that seem fraudulent. In the case of a contest where the user submits an entry and other people vote on it to determine a winner, be cautious of disqualifying the entry based on fraudulent activity. Knowing how inexpensive it is to buy Facebook profiles, if I were a particularly bad guy who had also submitted an entry, I might consider spending some money to game my opponent’s entry in a way that was obviously fraudulent to get their entry disqualified.
If I knew you would kick anyone out if you detected any fraudulent behavior on their entry, I might go out of my way to make sure you found some on the other guy’s entry to increase my chances of winning by kicking them out of the running. This technique, similar to joe jobbing in the spam world, isn’t one I’ve seen often, but it’s only a matter of time.
Make a decision and be prepared to stick with it. Feel confident that your decision was the right one, and don’t back down. The bad PR from the folks you disqualify will be better than the bad PR from the rest of the contestants claiming that your contest is rigged or allowed fraud. Your legal department will make sure you have a TOS that basically says that you don’t owe anyone an explanation, and it’s up to your discretion to disqualify anyone for any reason.
Running a (good) contest is an incredibly laborious process. The technical aspects of creating the app are honestly the least complicated, least time-consuming part of the whole thing. Make sure you have the appropriate resources to handle it. If you half-ass it, you will regret it.
Not quite. Honestly, there is almost no fool-proof way of detecting all fraud activities – partly because some of this fraud is being conducted by actual people, not machines. They’ve invested the time into creating profiles that look real.
You’ll be able to find the ones that do a crap job of it, but a few of the more sophisticated folks will have profiles that have current wall posts about things other than contest spamming. They’ll have photos uploaded, lots of friends, and profiles that weren’t recently created. Fortunately for you, those kinds of profiles tend to be more expensive to buy, since they require more work to keep looking legitimate.
Maintaining believability in a friend network that large requires a lot of time, so examining the friend profiles associated with your top contestants is absolutely critical. If you poke around enough, you’re bound to find something that doesn’t fit. Examining their entire footprint on the social graph will give you a much clearer picture than a specific profile.