


How polls are hacked: What every business should know

Feb 11, 2019, 9 mins

The recent revelation that Michael Cohen paid to rig a presidential primary poll underscores the risks online polls present to businesses. Here's how to identify and prevent poll rigging.


The news in January about Michael Cohen’s indictments covers some interesting ground for IT managers and gives security teams something else to worry about: He allegedly paid a big data firm, Redfinch Solutions, to rig two online polls in then-candidate Donald Trump’s favor. To those of us who have worked with online polls and surveys, this comes as no surprise.

While the Cohen story is big news, it is by no means unique. Surveys have a darker side, as this January report from researchers at RiskIQ documented. They found another survey-based scam that is more insidious and involves a complex series of steps that use cloned YouTube identities to eventually get marks to take surveys to redeem for “free” iPhones. Instead, the respondents got malware installed on their computers or phones.  

Both the Cohen and RiskIQ stories raise questions about the risks and security of surveys. Security managers need to up their game and understand both the financial and reputational risks of rigged polls and the exploits that are delivered through them. Then they can improve their protective tools to keep hackers away from their networks and users.

To better understand the dangers and issues with online surveys and polls, I’ll review why businesses use them, the risks that outside rigging present, and how to keep your networks safer from rogue polls that offer too-good-to-be-true rewards.

Poll purposes and risks

Typically, businesses use polls to gather actionable information, to support a particular course of action, to evaluate customer satisfaction, or to quantify some service or product delivery. For any of these purposes, rigged results can have serious financial and reputational consequences if the business fails to recognize and counter the effort.

For example, one risk might be that a business could make a bad decision based on poor or misleading poll results. Or it could conclude from bad research something that could negatively affect its credibility among its customers or suppliers. Then there are polls that offer rewards in the form of cash or cash-equivalents: If someone has hacked the poll, a company could be paying out rewards that aren’t genuinely earned, which could further risk its reputation if word gets out.

Finally, we should consider any legal implications. Lawsuits could happen as the result of a poorly planned or executed poll, which could further damage public relations and corporate reputations.

How to rig a poll

Why would anyone want to rig a poll? Certainly human nature has something to do with it. Some people look at poll rigging as an intellectual challenge, or have a grudge that they bring to a particular company or situation. Or they enjoy pranking the company doing the poll to make some political or other statement. Joey Skaggs, a professional media prankster, often cites made-up poll results in his press releases to support his outlandish schemes, such as a dog bordello or a scientist who uses cockroaches as the source for (human) eternal life.

Rigging can go a lot deeper, though. For example, there is financial motivation, especially for ill-gotten gains or to undermine a direct competitor as a simple form of corporate sabotage. The motivation for this could be a disgruntled former employee or a dissatisfied customer that is seeking some form of revenge. It could also be the result of corporate hacktivism in reaction to a particular political or social stand taken by your company.

In addition, there is what is called a cascade issue, according to this post in The Conversation. “By planting a few initial votes that make it look as if voters favor a particular outcome, manipulators could offset a dynamic that eventually shifts the poll result in the desired direction.”

If a company doesn’t operate its polls securely, bad actors have several methods available to corrupt them. Of course you can find online information sources (such as this one on Quora) on how to rig any poll. These include using bulk email addresses that are custom-created for the poll and are under the control of a single person.

You can also deploy proxy servers to hide your real IP address, in case the poll operator is looking for duplicate responses. Respondents can then click on the back browser button, choose another proxy and resubmit their forms. Criminals can hire human armies to respond en masse. Most likely some of these methods were used in the Cohen circumstances.

Bring on the poll-rigging bots

Poll rigging has recently gotten more sophisticated with the rise of malicious bots that answer survey questions. Bots are attractive because they are easy to construct and quick to deploy to influence the poll results. As an extreme example, the vast majority of comments received by the FCC on their Net Neutrality proposals in 2017 were from bots or other fake origins.

One example of the ease of using bots is this video that shows how a simple online poll can be manipulated. “There has been an exponential growth in bot sophistication,” says Reid Tatoris, the VP of product outreach and marketing for Distil Networks. “Ticketing sites are seeing a rise in spinning, where an actor would hold a ticket in their shopping cart and try to sell it before the shopping period times out. This means someone could mark up your ticket inventory with little risk and can interfere with your eCommerce site’s pricing system.”

Hacking polls with bots is also useful for corporate espionage, says Tatoris. “We’ve seen data scraping from competitors, who are deliberately going after proprietary information. We have also seen increases in targeting specific brands, and a determination where if the bot doesn’t initially succeed, the hacker will try repeatedly until they can breach your network.”

Vetting your poll responses

Part of keeping a poll secure is being able to vet the results and eliminate what UX expert Danielle Cooley calls “speeders and cheaters.” These are people or bots who aren’t responding in good faith, usually filling out the survey to qualify for the completion incentives or attempting deliberate sabotage.

In the past it was relatively easy to screen these phony responses out: You can tell by the time it takes someone to complete a survey whether they are actually reading and thinking about the questions or just clicking on things to get their completion reward.

A good survey analyst will examine the results and see if they are answered consistently. If not, then you might also need to eliminate ringers, such as the infamous Justin Bieber poll years ago that asked where he should next perform. A concerted online campaign swamped the poll with North Korea being the winning location.

“The internet makes it really easy for people to pile on, and having an open survey that anyone can answer may get you a lot of data, but it’s open to all sorts of bias so it rarely is a good idea,” says forms and surveys specialist Caroline Jarrett.   

4 steps to secure polls and surveys

Security teams have several ways to insert themselves in the polling process to ensure the integrity of the results:

1. Examine your perimeter and web application defenses to see if they can detect and repel bot traffic

Bots are becoming more popular. Hackers are constantly getting better at using them, and indeed many web application firewalls (WAFs) have been slow to include anti-bot technologies. Both Distil Networks and Imperva have tools that can screen out bot-generated traffic.

Part of the problem is that the “normal” complement of security tools, including a WAF and data loss protection tool, aren’t very effective at finding and stopping the sneakier bots. “This is because the old methods of screening by IP address or geolocation no longer work, as hackers make use of U.S.-based data centers to hide their intents and origins,” said Tatoris.

2. Get involved in the poll provider selection process

Work with your marketing department to make sure that they and you can use the online survey provider’s own tools to track bad or questionable responses. Train your marketing department on how to use their survey instruments and dashboards to filter out the speeders and cheaters based on response rate, time on the site with each question, the time period when responses are received and other metrics that the providers should have readily available.

Recommend steering clear of using online social media sites to conduct your polls. Although they are free and simple to set up, these types of polls are easily manipulated by bad actors.

Examine the enterprise versions of online poll service providers and steer your marketing department towards spending more for them. Cooley prefers SurveyGizmo’s enterprise service, which has numerous options that are more appropriate and granular than their consumer-based service and can track these important values.
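The vetting described above (completion time, answer consistency, and the time period when responses arrive) can also be run over a raw export. The following is an added example, not code from the article or from any survey provider; the field names, the thresholds, and the assumption that the first and last questions are the same 1-5 scale item with opposite wording are all constructed for illustration.

```python
from statistics import median

# Constructed sample export: id, submit time (epoch seconds), seconds spent,
# and answers to five 1-5 scale questions. Assumption: Q1 and Q5 ask the same
# thing with opposite wording, so an attentive respondent's pair sums to ~6.
RESPONSES = [
    {"id": "r1", "ts": 1000, "secs": 212, "answers": (4, 3, 5, 2, 2)},
    {"id": "r2", "ts": 1400, "secs": 187, "answers": (2, 4, 3, 3, 4)},
    {"id": "r3", "ts": 2100, "secs": 240, "answers": (5, 2, 4, 1, 1)},
    {"id": "r4", "ts": 2600, "secs": 19,  "answers": (3, 1, 2, 4, 3)},
    {"id": "r5", "ts": 3000, "secs": 150, "answers": (5, 4, 4, 2, 5)},
    {"id": "r6", "ts": 4000, "secs": 80,  "answers": (1, 5, 1, 5, 5)},
    {"id": "r7", "ts": 4012, "secs": 78,  "answers": (1, 5, 1, 5, 5)},
    {"id": "r8", "ts": 4025, "secs": 83,  "answers": (1, 5, 1, 5, 5)},
    {"id": "r9", "ts": 9000, "secs": 200, "answers": (1, 5, 1, 5, 5)},
]

def vet_responses(rows, speed_ratio=0.3, window=60, burst_size=3):
    """Map each response id to the reasons it deserves manual review."""
    flags = {r["id"]: [] for r in rows}
    # Speeders: finished in a small fraction of the median completion time.
    cutoff = speed_ratio * median(r["secs"] for r in rows)
    by_answers = {}
    for r in rows:
        if r["secs"] < cutoff:
            flags[r["id"]].append("speeder")
        # Consistency: the reverse-worded pair should roughly cancel out.
        if abs(r["answers"][0] + r["answers"][-1] - 6) > 1:
            flags[r["id"]].append("inconsistent")
        by_answers.setdefault(r["answers"], []).append(r)
    # Bursts: identical answer sheets submitted within `window` seconds.
    for group in by_answers.values():
        group.sort(key=lambda r: r["ts"])
        for i, start in enumerate(group):
            run = [r for r in group[i:] if r["ts"] - start["ts"] <= window]
            if len(run) >= burst_size:
                for r in run:
                    if "burst" not in flags[r["id"]]:
                        flags[r["id"]].append("burst")
    return {rid: why for rid, why in flags.items() if why}

if __name__ == "__main__":
    for rid, why in vet_responses(RESPONSES).items():
        print(rid, ", ".join(why))
```

Response r9 has the same answers as the burst but arrives much later, so it is left alone; flagged rows are candidates for review, not automatic deletion.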

3. Check your internet traffic for poll participation by online dark web criminal marketplaces

Trend Micro examined several of these in this post back in 2017, and found numerous sites, such as Weibosu and Weixinvips in China, that would sell you fake online results wholesale. They “found that fake news campaigns aren’t always the handiwork of autonomous bots, but can also be carried out by real people via large, crowdsourcing programs.” Some of the case studies featured in their post are chilling examples of how concerted efforts can damage reputations and heap huge financial penalties on unwary victims.

4. Don’t blame the tool for bad surveys 

Finally, one thing that doesn’t work is what Jarrett calls tool-shaming. Just because there are numerous web-based survey instruments doesn’t mean they are all inherently bad. “It isn’t the tool; it is how people use or misuse it,” Jarrett says. “We don’t blame PowerPoint for all the bad presentations that people create with it. The same is true with various online survey creation tools.”