Bots won T-Mobile’s promotion contests

Earlier this summer, players took part in a T-Mobile Tuesday giveaway contest to Reddit to discuss an early discovery: The company donated tens, sometimes hundreds, of thousands of dollars in gifts, prizes and cash to winners in certain weeks. In one of the contests, nearly a third of the publicly announced winners came from a city in Pennsylvania with a population of less than 4,000.

Players asked themselves: What was sitting in the water at Chadds Ford, Pennsylvania?

The theories began to flourish in threads as others publicly posted on social media asking T-Mobile for answers. Some suspected that it could be the result of accidental coding. Maybe it turned out that entries that were missing zip codes were out of town. Others suspected that someone had figured out where, geographically speaking, anyone could join the contest to take advantage of a small time and set up their server location as such. Some drew similarities to “McMillions,” an HBO series and podcast following a 2018 Daily Beast story titled “How an Ex-Cop Rigged McDonald’s Monopoly Game and Stole Millions.”

The promo app and prize draw, an attempt to promote goodwill with customers of a carrier known for such perks, occasionally offer gifts such as tablets, Chromebooks, tickets to a “James Bond Fan Event”, a trip for two to Spanish language prizes that The Premio shows now Nuestro and more. Every week on Tuesday, the app also offers deals and deals.

A lot of the time is what gifts are. That was the case in May, when the company’s prizes included ten $ 500 gift cards, nearly $ 100 $ 100 gifts and $ 40,000 $ 5 gifts. While the company does not list the names of those who won those tens of thousands of $ 5 gift card winners, 15 of the $ 100 gift card winners were presumably from Chadds Ford. Another Chadds Ford resident won a $ 500 gift card. Similarly, in March there were three winners of $ 500 and five winners of $ 200 gifts from the city.

T-Mobile, which had not previously released a statement for the case, told CNBC that the high number of Chadds Ford winners was related to bots submitting multiple submissions. Financially speaking, this particular situation is affected by a relatively small amount. But it serves as a reminder of the prevalence and ease with which bots can be used, whether it be to exploit a game like T-Mobile’s or to conduct larger-scale activities, such as bot traffic arbitration.

“Everyone always remembers the harmless crimes, where it could be a penny or two here. But to add a million … a million pennies is a lot of money,” said Jonathan Tomek, head of threat information at WhiteOps, a company that works in bone detection and cybersecurity.

According to T-Mobile, the company has introduced additional security measures and continues to monitor the issue.

T-Mobile refused to make anyone available for an interview on how the company tackles the issue or provides specifications on who was behind the bots, but experts in the field of bot fraud explained how simple it is for even the amateur hacker to get around bots to deploy for a purpose like this.

Since companies legally have to make some competitions available to everyone for free, then just customers, people can enter those contests through a website called “Alternative Method of Entry”. In the case of T-Mobile Tuesday, consumers can submit for sweepstakes on one of those websites in addition to the official T-Mobile Tuesday app. The bots won digital gifts through an automated system that offered the ability to get their prize instantly by giving winners a code to redeem.

Tomek said automated pricing can make it easier for someone trying to evade detection because it is unlikely to be hacked by humans. WhiteOps said it speaks more broadly about the issue of bot activity, not specifically about this particular campaign.

Participants attempting to scam the system can get bots to automatically fill in fields on a website, such as the address and phone number, and submit submissions hundreds or thousands of times. What might have happened is that one more amateur hacker used her own address instead of randomizing addresses, because a more sober scammer could have randomized her location to fly under the radar.

It’s pretty simple to bet if you know what the dedicated entry fields are, Tomek explains, and odds only go up as the entries proliferate.

Independent fraud investigator and adviser Augustine Fou said activities like these are often not taken for granted unless the person committing them makes some mistake. “Most fraud is just not seen,” he said. “It’s only seen as bad guys screwing up.”

Tools that help in performing this type of activity are widely available.

Method Media Intelligence, a web analytics company that helps advertisers separate bots from people in ad campaigns and site traffic, said people can pay to get through Captchas – those systems that require people to select photos or enter special characters to determine if the user is human. Someone can pay a few dollars to complete thousands of Captchas.

“We need to realize that whenever there is some kind of impact from bot activity, like these sweepstakes, like Ticketmaster or scraping, like massive advertising agencies, it’s not cybercriminals hiding in the dark,” CEO and co-founder of Media Media Intelligence Shailin Dhar sei. After all, it could often be people who use developers offered by large technology companies on their own computer, he said.

The tool was created to help developers test on the web, but could be hijacked to conduct less benign activity at the expense of businesses, company leaders said.

Method Media states that programmatic browsers can mimic online activity, such as opening web pages, consuming media, writing social media messages, clicking ads, installing apps, or filling out forms. The company, which studied bot activity for an upcoming report, says many corporate homepages attempt to block bots from accessing their sites, but only consider six out of a group of 130 to be ‘successful’ at doing so.

While the case has been a source of frustration for dedicated T-Mobile Tuesday players, it may not be the biggest concern for T-Mobile, as it is the money the company gave in any case.

Craig Carpenter, a lawyer at Dallas, on Tex.-based Thompson & Knight, said that while the “McMillions” fraud was a “fully exposed, calculated fraud,” this is on a slightly different plan. He said while there is a corner of the internet of people named “prize hunters” who hunt down and enter these sweepstakes, try some ways to do this with bots and other automated technology.

“That happens, and it’s a thorn in the side of companies,” he said. “Typically, there is really nothing illegal about using bots or technologies to enter sweepstakes,” he said. But the official rules for these gifts often say that using automated means to enter will result in the invalidity of a prize, he said.

For example, T-Mobile’s rules Tuesday prohibit “mechanically reproduced, unreadable, incomplete, forged, software-generated, third-party or other automated or robotic participation.”

“I think the way to look at this the company is really the victim, unless you could show that they noticed some widespread fraud and did nothing about it, even though they could,” Carpenter said. “They will probably have no legal obligation to do all kinds of diligence and track this down.”

Businesses typically have to weigh the benefits of marketing with all the problems.

“They just have to decide, from a PR component, should we try to do something about this to keep our customers happy, or is this not a big deal?” he said.