Ghost Completions: The Venezuelan Fraud Scheme

The Market Research industry finds itself constantly dealing with issues of fraud – fraud that results in unreliable data (such as in the case of survey farms) and fraud that results with no data at all (such as in the case of ghost completions, which we’ll cover in this white paper). These two central types of fraud result in agencies left with insufficient and unreliable data. 

There are tools that have become staples in the industry and are used throughout to prevent fraud, but, as we’ve previously uncovered, fraud continues to be a larger issue than is currently being recognized. 

The fraud discussed in this white paper is different and might even be considered to be more problematic than survey farms since, in this case, surveys aren’t filled, which allows more fraud to be conducted at a larger scale, and with less effort on the fraudsters’ side. 

Our Detection Methods

Our team spent countless hours analyzing and detecting patterns in rejected completions. Eventually, we were finally able to determine the main perpetrators were a specific group of people located in Venezuela. 

We were able to infiltrate one of their Facebook groups and a Discord channel they were using to share information and conduct the fraud on a daily basis. Careful analysis of the chat logs and other HUMINT methods allowed us to uncover the inner workings of the whole scheme. 

The New Pattern

In order to thoroughly explain how it’s conducted and can be prevented, we need to take a look at a user’s journey through the survey funnel: 

 In this user funnel, there are, seemingly, no security issues, but what we found is not an inherent, and even solvable, a weakness that has repeated itself, at massive scale, throughout a significant portion of the biggest exchanges. 

When looking at a fraudulent funnel, the first half of the funnel is identical, but things change once users gain access to the survey. 

The way this happens is that users are transferred to the survey using a redirect link that leads them to it, which means that when transferring from the exchange to the agency/buyer, users are exposed to a query string (which could either be bluntly displayed in the browser’s address bar or found through the usage of sniffing tools such as Wireshark or Fiddler) that includes the necessary parameters to return a completion link back to the exchange without ever taking the survey. 

Let’s say a generic completion link looks like this: 

complete.php?guid=XXXX

And the survey link that a user just received is: 

survey.php?guid=12345

Fraudsters have learned that they can use the generic completion link with the values from the survey’s link and fake a “success page redirect”.  

In the example above, the falsely generated completion link would look like this: 

complete.php?guid=12345

Fraudsters essentially use the generic completion link with the survey parameters in order to send a false-positive survey completion. This communication occurs between the agency and the exchange, while the supplier is unaware of it and is unable to prevent it. The actual deficiency in survey completions will only be detectable later on when examining the data gathered from the surveys and realizing the quantities of ghost completions. 

This vulnerability enables wide-scale fraud and hurts the market research industry throughout.

Ghost completions hurt both the exchanges, that need to invest resources and man-hours to figure out the discrepancies and explain them to buyers and the suppliers, that are hit the hardest as they rely on easily falsified completions to provide incentives for their users for completing the surveys, sometimes in real-time. Buyers’ confidence in the process as a whole can be reduced significantly as well if they take the time to understand the scope of the discrepancy and what’s behind it.

Solution Implementation

In order to prevent this fraud, we’ve come up with two possible solutions. These changes are rather simple to implement and would immediately have a positive effect on lowering ghost completions’ quantities. 

The first solution is server-to-server redirects, which will replace the current user redirect link to completion. The second option is adding an encrypted hash to the user redirect link, which will add a secret parameter, that prevents fraudsters from predicting and falsifying a completion link. 

“While the technical execution of Ghost Completions isn’t complicated, it’s prevention simple, and the issue is discussed widely, the extent of activity and volume of the Venezuelan group we uncovered alone should unsettle anyone working in the industry. This is our honest attempt at a call to action, and I personally invite anyone in need of the technical knowledge to stop it to reach out to our team” – Ofir Pasternak, CEO, and Founder @ Persona.ly

The Sad Truth

 

 

*This amount is an estimate of the extent of the activity of the group of fraudsters we found, based on the information we were able to find and the amounts of surveys found vulnerable.”

Every year, in each and every conference, there are panels held to discuss how we should all focus on improving our technological capabilities to better serve the buyers and fight fraud more efficiently. These panels usually have the highest attendance.

Yet here we are, in 2020, facing methods of fraud that other industries eliminated years ago. Query string manipulation is nothing new. Other web-based industries started using server to server integrations over anything happening on the client-side back in 2014 – the same year the iPhone 6 was released. An iPhone 6 is a decent phone even in today’s standards – but would you prefer to use it over an iPhone 11? Neither would we.

With these kinds of simple, overlooked vulnerabilities, the exchanges and the supply side of the industry are failing to hold the standard the buyers deserve to answer their needs – collecting reliable, verified human samples, at scale, using modern technology – smartphones, tablets, and personal computers, to get insights for clients as quickly as they want them.

If this isn’t taken seriously, and the required preventative measures are not put in place soon, we would risk driving the buyers to resort to how they did it twenty years ago – sending surveys with dollar bills in physical letters through the postal service.

Closing Thoughts

The goal of publishing this white-paper is to draw the attention required to get the relevant actors in the industry working together to eliminate it and to educate and inform those who are affected by it but cannot act upon it.

We encourage any exchange interested in learning more about the technicalities and how to develop the tools to circumvent it to contact us directly, we will gladly cooperate and share our knowledge.  

 

In our full white paper, we detail the technical elements of each solution, examples and also describe what sort of paradigm shift we believe is required in the way fraud prevention is approached in the MR industry – from heuristic, rule-based techniques to machine-learning, in order to combat it effectively. 

Download the full white paper here.