- People from a tiny town in Pennsylvania appeared to keep winning T-Mobile Tuesdays giveaways.
- The company says this was due to an issue with bots.
- Cyber security and bot fraud experts explained how prevalent this is and how simply it can be done.
Earlier this summer, players of a T-Mobile Tuesdays giveaway contest took to Reddit to discuss a strange discovery: The company in certain weeks gave away tens, sometimes hundreds, of thousands of dollars in gift cards, prizes and cash to winners. In one of the contests, nearly a third of the publicly listed winners came from a Pennsylvania town with a population of less than 4,000.
Players wondered: What was in the water in Chadds Ford, Pennsylvania?
The theories began to blossom in threads as others posted publicly on social media asking T-Mobile for answers. Some surmised it could be the result of accidental coding. Maybe entries that were missing zip codes appeared to be from the town. Others suspected someone had figured out where, geographically speaking, someone could enter the contest to have a slight time advantage and set their server location as such. Some drew similarities to "McMillions," an HBO series and podcast following a 2018 Daily Beast story titled "How an Ex-Cop Rigged McDonald's Monopoly Game and Stole Millions."
The promotional app and contest, a ploy to foster goodwill with customers from a carrier known for such perks, offer occasional giveaways like tablets, Chromebooks, tickets to a "James Bond Fan Event," a trip for two to Spanish-language awards show Premio lo Nuestro and more. Each week on Tuesdays, the app also provides offers and deals.
Much of the time, what's up for grabs is gift cards. Such was the case in May, when the company's prizes included ten $500 gift cards, nearly 100 $100 gift cards and 40,000 $5 gift cards. Though the company doesn't include the names of who won those tens of thousands of $5 gift card winners, 15 of the $100 gift card winners were supposedly from Chadds Ford. Another Chadds Ford resident won a $500 gift card. Similarly in March, three winners of $500 and five winners of $200 gift cards were supposedly from the town.
T-Mobile, which had previously not disclosed an explanation for the matter, told CNBC the high number of Chadds Ford winners was related to bots submitting multiple entries. Financially speaking, this particular situation appeared to affect a relatively small amount. But it serves as a reminder of the prevalence and ease with which bots can be used, whether it's to exploit a contest like T-Mobile's or to conduct larger scale activity, like bot traffic arbitrage.
"Everybody always overlooks the harmless crimes, where it might be a penny or two here. But added up after a million… a million pennies is a lot of money," said Jonathan Tomek, head of threat intelligence at WhiteOps, a firm that works in bot detection and cybersecurity.
According to T-Mobile, the company has put in additional safety measures and continues to monitor the issue.
T-Mobile declined to make anyone available for an interview on how the company addressed the issue or provide any specifics on who was behind the bots, but experts in the area of bot fraud explained how simple it is for even the amateur hacker to deploy bots for a purpose like this.
Since companies must legally make some contests available to anyone for free, beyond just customers, people can enter those contests via an "Alternate Method of Entry" website. In the case of T-Mobile Tuesdays, consumers can enter for sweepstakes on one of those websites in addition to the official T-Mobile Tuesdays app. The bots won digital gift cards through an automated system that offered the ability to get their prize instantly by giving winners a code to redeem.
Tomek said automated prizing can make it simpler for someone trying to evade detection, since winners likely aren't being reviewed by humans. WhiteOps said it was speaking more broadly to the issue of bot activity, not specifically to this particular campaign.
Contestants that try to scam the system can get bots to automatically fill in fields on a website, like the address and phone number, and submit entries hundreds or thousands of times. What may have happened is that a more amateur hacker used their own address instead of randomizing addresses, since a more sophisticated scammer would have been able to randomize their location to fly under the radar.
It's fairly simple to deploy bots if you know what the dedicated entry fields are, Tomek explained, and odds only go up as the entries proliferate.
Independent fraud researcher and consultant Augustine Fou said activity like this often isn't made obvious unless the person deploying them makes some kind of mistake. "Most fraud is just not seen," he said. "It's only seen when bad guys screw up."
Tools that help conduct this kind of activity are widely available.
Method Media Intelligence, a web analytics company that helps advertisers separate bots from humans in ad campaigns and site traffic, said people can pay to get through Captchas — those systems that prompt people to select pictures or enter in special characters to determine whether the user is human. Someone can pay a few dollars to complete thousands of Captchas.
"We need to realize that whenever there's some sort of impact from bot activity, like this sweepstakes, like Ticketmaster or scraping, like massive amounts of ad fraud, it's not cyber criminals hiding in the dark," Method Media Intelligence CEO and co-founder Shailin Dhar said. Rather, it can often be people using developer tools offered by large technology companies on their own computer, he said.
The tools were made to help developers test on the web, but can be hijacked to conduct less benign activity at the expense of businesses, the firm's leaders said.
Method Media says programmatically controlled browsers can imitate online activity, like opening web pages, consuming media, writing social media posts, clicking ads, installing apps or filling out forms. The company, which studied bot activity for an upcoming report, says many corporate homepages try to block bots from accessing their sites, but considered only six of a group of 130 as "successful" in doing so.
Though the matter has been a source of frustration for dedicated T-Mobile Tuesday players, it may not the biggest concern for T-Mobile since it's money the company was giving away anyway.
Craig Carpenter, an attorney at Dallas, Tex.-based Thompson & Knight, said while the "McMillions" scam was a "full-blown, calculated fraud," this is on bit of a different plane. He said while there's a corner of the internet of people called "prize hunters" who hunt for these sweepstakes and enter them, some try to find ways to do this with bots and other automated technology.
"That does happen, and it's a thorn in the side of companies," he said. "Typically, there's not really anything illegal about using bots or technologies to enter sweepstakes," he said. But the official rules for these giveaways often say that using automated means to enter will result in the invalidation of a prize, he said.
T-Mobile Tuesdays' rules, for example, prohibit "mechanically reproduced, illegible, incomplete, forged, software-generated, third party or other automated or robotic participation."
"I think the way to look at this is the company is really the victim, unless you could show they had noticed some widespread fraud and didn't do anything about it even though they could," Carpenter said. "They're more likely not going to have a legal obligation to do all kinds of diligence and track this down."
Companies typically have to weigh the benefits of the marketing with any issues.
"They just have to decide, from a PR component, do we need to try to do something about this to keep our customers happy, or this this no big deal?" he said.