Robots continued to win T-Mobile promotional contests

Earlier this summer, players in a T-Mobile Tuesday giveaway contest took to Reddit to discuss a bizarre discovery: The company has, on some weeks, donated tens, sometimes hundreds of thousands of dollars in cards. -gifts, prizes and money to the winners. In one of the contests, nearly a third of the publicly traded winners were from a town in Pennsylvania of less than 4,000 people.

Players wondered: What was in the water in Chadds Ford, PA?

Theories began to flourish in the threads as others posted publicly on social media asking for answers from T-Mobile. Some have speculated that this could be the result of accidental coding. Perhaps the entries that lacked postal codes appeared to be from the city. Others suspected that someone had discovered where, geographically speaking, someone could enter the contest to have a slight time advantage and define their server location as such. Some have drawn similarities to “McMillions,” an HBO series and podcast following a 2018 Daily Beast story titled “How an Ex-Cop Rigged McDonald’s Monopoly Game and Stole Millions”.

The promotional app and contest, a ploy to foster goodwill with customers of an operator known for these benefits, offers occasional giveaways such as tablets, Chromebooks, tickets to a “James Bond Fan Event”, a trip for two to the awards ceremony in Spanish Premio lo Nuestro and more. Every week on Tuesday, the app also has deals and offers.

Most of the time, gift cards are up for grabs. This was the case in May, when the company’s prizes included ten $ 500 gift cards, nearly 100 $ 100 gift cards, and 40,000 $ 5 gift cards. While the company does not include the names of the winners of those tens of thousands of $ 5 gift card winners, 15 of the $ 100 gift card winners were believed to be from Chadds Ford. Another Chadds Ford resident won a $ 500 gift card. Likewise, in March, three $ 500 winners and five $ 200 gift card winners were supposed to be from the city.

T-Mobile, which previously had not disclosed an explanation for this, told CNBC that the high number of Chadds Ford winners was linked to bots submitting multiple entries. Financially, this particular situation seems to affect a relatively small amount. But it is reminiscent of the prevalence and ease with which bots can be used, whether to operate a contest like T-Mobile’s or to conduct a larger-scale business like refereeing bot traffic.

“Everyone always overlooks harmless crimes, where it could be a dime or two here. But added after a million… a million cents is a lot of money, ”said Jonathan Tomek, threat intelligence manager at WhiteOps, a company that works. in bot detection and cybersecurity.

According to T-Mobile, the company has implemented additional security measures and continues to monitor the issue.

T-Mobile declined to make anyone available for an interview on how the company resolved the issue or to provide details of who was behind the bots, but experts in the bot fraud field explained to how easy it is for the amateur hacker to deploy bots. for a purpose like this.

Since companies are required by law to make certain contests available to everyone for free, beyond simple customers, people can enter these contests through an “Alternate Method of Entry” website. In the case of T-Mobile Tuesdays, consumers can participate in sweepstakes on any of these websites in addition to the official T-Mobile Mardis app. The bots won digital gift cards through an automated system that gave them the ability to get their prize instantly by giving the winners a code to redeem.

Tomek said the automated prize could make it easier for someone trying to evade detection because winners are unlikely to be examined by humans. WhiteOps said he was speaking more broadly to the issue of bot activity, not specifically this particular campaign.

Applicants who attempt to rip off the system can trick bots into automatically filling in fields on a website, such as address and phone number, and submitting entries hundreds or thousands of times. What may have happened is that a more amateur hacker used their own address instead of randomizing addresses, as a more sophisticated con artist could have randomized their location to fly under the radar.

It’s fairly straightforward to deploy bots if you know what the dedicated input fields are, Tomek explained, and the odds only increase when inputs proliferate.

Independent fraud researcher and consultant Augustine Fou said activity like this is often not made obvious unless the person deploying it makes some sort of mistake. “Most fraud is just not visible,” he said. “You only see it when the bad guys get it wrong.”

The tools that help to carry out this type of activity are widely available.

Method Media Intelligence, a web analytics company that helps advertisers separate bots from humans in ad campaigns and site traffic, said people can pay to go through Captchas – those systems that prompt people to select images or enter special characters to determine if the user is Human. Someone can pay a few dollars to complete thousands of Captchas.

“We need to realize that whenever there is an impact of robot activity, like this contest, like Ticketmaster or scraping, like massive amounts of ad fraud, it’s not cybercriminals lurking in the black, “CEO and co-founder of Method Media Intelligence Says Shailin Dhar. On the contrary, it can often be people using development tools offered by big tech companies on their own computers, he said.

The tools were designed to help developers test on the web, but can be hijacked to conduct less benign activities at the expense of businesses, company executives said.

Method Media claims programmatically-controlled browsers can mimic online activity, such as opening web pages, consuming media, writing social media posts, clicking on ads, installing apps, or filling out forms. The company, which has been studying bot activity for an upcoming report, says many corporate homepages attempt to block bots from accessing their sites, but considers only six of a group than 130 people managed to do so.

While the question has been a source of frustration for dedicated T-Mobile Tuesday gamers, it may not be T-Mobile’s biggest concern since it is money the company has all the time. given way.

Craig Carpenter, an attorney for Thompson & Knight, based in Dallas, Texas, said that if the “McMillions” scam was a “full-fledged calculated fraud,” it was a different plan. He said that while there is a corner of the internet of people called “prize hunters” who hunt for and participate in these sweepstakes, some are trying to find ways to do it with robots and other technology. automated.

“It happens, and it’s a thorn in the side of business,” he said. “As a general rule, there is really nothing illegal about using robots or technology to enter raffles,” he said. But the official rules for such giveaways often state that using automated means to participate will result in a prize being void, he said.

T-Mobile Tuesday rules, for example, prohibit “mechanically reproduced, illegible, incomplete, falsified, software-generated, third-party, or other automated or robotic participation.

“I think the way to look at it is that the business is really the victim, unless you can show that they noticed widespread fraud and didn’t do anything about it even though they did. could, ”Carpenter said. “It is more likely that they will not have a legal obligation to do all kinds of due diligence and locate him.”

Businesses generally have to weigh the benefits of marketing with all the problems.

“They just have to decide, from a PR component, should we try to do something to make our customers happy, or is it okay?” he said.