Suspected Voting Fraud on HeroX
Recently a colleague of mine who had just closed a HeroX challenge project competition worth a few thousand dollars had a question about possible voting irregularities. While I do run a consulting firm, most of our work has to do with websites and infrastructure. However, due to our work with Alexa Top 500 websites and other high-availability services, we do have some background in spotting problematic traffic behavior.
Could we apply this same expertise to examining voting behavior to a HeroX competition? Let’s find out…
The first sign that something is off about your competition is when another team brings possible irregularities to your attention. Unfortunately, the HeroX platform relies on each individual project sponsor to review all of the votes for each team on their own, regardless of whether a project sponsor has any experience in doing so (the vast majority of people do not). As far as I could determine, the platform provides very little fraud detection or deterrence systems, apparently relying only on phone/SMS verification to verify a vote.
This other team who complained about possible voting fraud came in second place, according to the votes cast at the close of the competition. But given the detailed nature of their email and specific suggestions on how the voting was compromised, it made me do a double-take. How could someone have so much technical knowledge about “public SMS receivers” unless one had reason to research such things? (A public SMS receiver is simply a way to receive a verification code, if a system is using a phone call or text message to do their verification, as HeroX does.) I’ll revisit this person’s complaint later on.
HeroX allows project sponsors to download a spreadsheet of all the votes cast. Luckily, this project had less than 1,000 votes cast in total, so the spreadsheet was entirely manageable for direct pattern analysis.
The first project team fraudster (I’ll call them Purple) used the blunt-force approach — they cast 91 votes from a single IP address. This sort of vote fraud is readily detectable and there can be little explanation for this when combined with a date/time analysis of the voting itself. Votes that come in consistently between 5 and 15 minutes apart from the same IP address? Hello voting bot! :)
There are many online services where you can actually buy votes for competitions like this. But just as readily, you can either write or download a voting bot script for free. These pieces of software can be setup on any computer and customized with integrated SMS receivers, automated email account creation, botnets (networks of compromised computers connected to the Internet), time delays, randomization, and so much more. Purple used a low-cost approach, likely using their own machine to generate most of the votes cast.
There were some other red flags too with Purple’s actual project entry. The accompanying video was viewed less than half the number of votes received. Wouldn’t someone at least look at the video before casting a vote? (Although, I suppose, many friends wouldn’t.) The video itself was nonsensical, stringing together words in a manner (along with computer animation) that made it extremely difficult to follow. Nor did it seem to offer a coherent line of thought. I can’t say for certain that it was AI generated, but it definitely had characteristics suggesting it was.
Last, the person who submitted this entry has actually won (and boasted about winning) two prior HeroX competitions on their blog. In short, they have apparently found a successful strategy for winning project competitions. But I don’t think it had anything to do with getting the most human votes based upon the merits of their entry.
The voting analysis also turned up a smaller effort at blunt-force fraudulent votes, also using either a compromised set of computers (botnet), or simply one or two people creating a whole bunch of email accounts and SMS logins on their own. They were detected by the use of two sets of IPs, one of which was geographically remote from where the project leader was located (literally 3,000 miles away). There is little legitimate explanation for why one third of your votes were cast by a single computer located in a university 3,000 miles away from you.
The third fraudster (I’ll call them Pink) turned out to be none other than the person who brought the fraud to the project sponsor’s attention. This project team used a far more subtle approach to their fraudulent behavior, using a full botnet to ensure there would be little duplication in IP addresses that would clearly signal fraudulent voting.
Pink did not vary their voting pattern enough, however, and a date/time analysis demonstrated a fairly clear pattern of automated voting, especially on the last day of voting.
The project’s entry was more reasonable and seemed more in keeping with the challenge’s specifications. The short video (under 2 minutes) was acted by human actors, had a plot that was easy to follow, but also seemed hastily edited and had very few views (far less than the number of votes they received).
Also problematic was the use of certain red-flag email domains that suggest bot usage. I won’t list the red-flag domains here (since I don’t want to make it easier for these folks to simply stop using them in the future), but there were nearly a dozen of such uncommon domains that are known spam domains (appearing on email domain blacklists). The other giveaway was that some of these same, odd domain names appeared in both Purple and Pink’s voting list.
Finally, if you look at a distribution of expected votes from commonly known email services (such as gmail, yahoo, hotmail, msn, etc.) versus what a “normal” distribution of such domains should be, you can see whether one of these domains is standing out. Voting bot software often relies on existing compromised email accounts, but some can also create new accounts on-the-fly. It’s easier to create or use existing spam email accounts on hotmail and yahoo, so any larger ratio from these two services is an easy red flag to spot.
Voting email accounts listed in both Purple and Pink’s voting lists demonstrated distributions that don’t resemble a normally expected distribution of email accounts found in the wild.
Based upon my admittedly small sample size of N=1, I suspect that online voting fraud is a very real problem with crowdsourced challenge websites. This challenge competition was very small (under $3,000) and was not very technical. It suggests that if a small challenge competition like this could run into such voter fraud problems, the problem is likely fairly widespread and under-reported. Why would this single challenge project be targeted by voting fraudsters? There’s no satisfactory explanation that would suggest this is an anomaly.
More problematic is the fact that three entries I identified in my fraud analysis were the top three vote getters for this challenge.
This challenge had about 50 entries submitted. There were only 13 of the remaining projects that received votes that were not disqualified, and of those, only 5 received more than 1 vote. The highest voted project after the top 3 projects were disqualified received less than a dozen votes.
Without careful analysis of voting patterns, I’m afraid many challenges are being won by unscrupulous players who have found an effective, low-cost manner in which to game the system. The attempts to date to offer some sort of verification of human voters have already been gamed as well (such as phone or SMS verification), and so cannot be relied on as a valid way to detect an actual person who is voting, versus a bot.
Until challenge websites like HeroX expend a significant amount of additional resources and effort on this area of voter fraud, I would not run a challenge competition on them. If you are running a challenge competition on one of them right now, it is absolutely necessary to review the actual votes cast yourself or hire a voting expert or firm to do so.
Fraudulent voting behavior and pattern detection should be an integral and necessary component of the service that such websites offer. Frankly, I’m astounded that it is seemingly not a part of the services that HeroX offers its challenge sponsors.
