Market Research Fraud – Distributed Survey Farms Exposed

Most of our partners know us for our mobile marketing services – from our data-driven user acquisition to our playable and interactive ad creation. However, market research is how our company actually got started back in 2011, and we’ve been providing survey samples to the biggest MR companies all these years. So when it comes to surveys and GPT (“Get Paid To”, i.e reward program websites) we’ve created multiple products to gather samples and have been developing proprietary technology to ensure data quality for the past 8 years.

We monitor over 35 real-time and post-completion data points to ensure data quality and we’re constantly improving the ways we track our data, because, as everyone in this industry knows, there will always be new methods of fraud – be it human (like click farms) or human-made (like bots and VPN’s).

With the use of these protective measures, we were able to detect suspicious activity that we didn’t recognize initially. This led us to investigate and eventually detect a new fraud method, ban its proprietors, and add measures to block any future occurrences of it. Since it’s a wider phenomenon and not an isolated case, we think it’s important to share it.

Discovering Undetectable Fraud

Last November, our system alerted us about an anomaly in our completion rates for surveys from Australia. We saw that the survey completion rate grew by 200% in the span of a couple of days and that all of this traffic stemmed from a single source.

The numbers were still relatively low (a substantial increase but from a low number of users) but we had to check such a drastic change in the numbers.

When we looked at the data, it seemed legitimate – the users’ devices had different IP’s, they didn’t seem to use a proxy, they had different user agents and the time it took to complete a survey differed (meaning, the users’ behavior didn’t seem as scripted like bots usually do). Other than the sudden completion rate increase, the traffic itself seemed valid.

Finding The Source

Our second step, after our data analysis was deemed inconclusive, was to register to this source’s website ourselves. Now, before we’ll get into the whole process, we want to quickly note that we’re showing the publisher’s name knowing full well that once this article is published, this source will re-name his ‘company’ and that the website he used as a front will most likely disappear.

SandyBucks is a seemingly ordinary reward program website, but once we tried signing up we immediately received an error message. This was no coincidence, we tested it and quickly concluded that there’s no “Sandybucks” beyond this signup page – it’s just a front. At this point, we knew that this traffic, although it looked legitimate, was fraudulent.

Our next move was to track where SandyBuck’s traffic really came from. We started by checking Sandybucks’s domain at websites such as Similarweb and Alexa. Similarweb didn’t find any evidence that the website even existed, while Alexa was able to get us our first lead from the “What sites link to” section, which is where we found mxpartime.

We then ran mxpartime domain through whois to try and get additional details to no avail, but once we started translating mxpartime we had all the information we needed.

School of Fraud

After a thorough investigation (detailed below the flow chart), we found that the creator of “SandyBucks”, who operates “mxpartime”, charges individuals for teaching them how to set up their own “click farms” for surveys. If you enter “mxpartime” all you’ll see is Chinese, and trying Google translate on the page, in this case, won’t help clear too much up. We used the assistance of our Chinese office, who on top of translating, explained why the process was a bit more complicated to understand and required a long discussion rather than just translation.

Let’s start with what is this website – “mxpartime” is a website where the creator of “Sandybucks” teaches GPT fraud. The participants (i.e users) pay according to the type of “class” they want to take, where they learn everything they need to know to successfully complete a survey and get rewarded.

Obviously, there’s nothing wrong with completing a survey successfully, the problem is that at “mxpartime” the users are taught how to systematically complete the same (usually high-paying) survey multiple times and get immediately rewarded.

Notice how he explains, at the end of the post, that you don’t need to take surveys every day, and you can just open multiple accounts and make all the money you need in 1 day.

Another example of fraud is in this example, where “Sandybucks’” owner offers assistance in cashing out from a French Paypal account:

Essentially the fraud is similar to what’s known in the mobile industry as “click farms”. “Sandybucks’” owner offers surveys fraud training and the graduates end up with their own survey farm – opening multiple accounts of a single survey and passing it by repeating answers that they know will get them through the survey. It can be in different languages, in any geo, and for any age – he teaches the “full package” of everything needed to cheat in order to pass the survey.

Realizing The Scale

We know that the danger of exposing fraud and explaining how to prevent it is to “teach the enemy” how to overcome it, but the more we investigated, the bigger the scale of the fraud that we found.

This was our most shocking discovery – the realization that he’s working with survey providers within the industry, that there are companies that legitimize his actions.

As we continued our research, we tried to uncover his identity but only managed to find his first name: Ming Xuan.

This QQ chat between him and a client was posted on his website, showing how he’s constantly getting paid, to prove that he can be trusted. The office’s picture enables us to glimpse into his survey farm.

Tracking & Preventing The Fraud

At this point in the process, “Sandybucks” was long banned from our system, but we wanted to put an end to these survey farms and make sure this seemingly legitimate data couldn’t come back from other sources as well.

In order to prevent this fraud from repeating, we analyzed these users’ behavioral data and added additional fraud detecting tools.

We have different panels and they all require different types of verification. Once we’ve learned of this fraud, we understood that all of our panels must require more robust mobile verification, which we’ve applied since.

We’ve noticed that these users don’t use a detectable VPN, and upon further investigation found that they change Geos by using botnets (networks of malware-infected devices that are controlled by 3rd parties). Our way of detecting and preventing it was by using our existing database of reliable IP’s, which updates on a daily basis and combine it with a 3rd party validation tool to track and maintain the IP’s reputation.

Eventually, we added these and other new tools to our existing technologies (such as device fingerprinting & reputation, Recaptcha, Red Herring questions, and LOI comparisons) and “fed” the data to our algorithms, so they can learn to automatically detect and block similar fraudulent sources.

Other than money being spent in the wrong places, the biggest impact this fraud has on the industry is in the quality of the samples. Once the users are following a script for their answers, the samples are meaningless, inconsequential, do not represent real consumers, and can lead the advertisers to make misguided decisions, defying the entire purpose of conducting market research in the first place.

We move forward knowing that the fight against fraud continues and we’re willing to go to great lengths to continually ensure data quality. We’re sure our counterparts will join us in our efforts to do so and hope that by sharing this we can help the industry further understand and prevent this fraud method and others that might follow it.

We’ll be attending SampleCon 2019 next month, where we’d be happy to discuss things further and share additional details. Click here to set up a meeting.