A votebot is a type of Internet bot that aims to vote automatically in online polls, often in a malicious manner. VoteBots attempts to act like a human, but conduct voting in an automated manner in order to impact the result of the poll. A variety of VoteBot programs, targeted different kinds of services from normal websites to web applications, are sold online by individuals and groups. Like Web crawlers, a votebot can be customized to perform tasks in various environment or target different websites. Simple votebots are easy to code and deploy, yet they are often effective against many polls online, as the developer of the poll software must take this kind of attack into account and do extra work to defend against it.
Contents
Techniques used
The WWW is built on HTTP protocol to transfer information. To imitate legitimate user behavior, such as voting in an online poll, the attacker sends a HTTP request to particular server hosting the poll.
Target analysis
Analyzing the target, or the voting project, should be done before actually building the votebot. When handling a voting website for example, one needs to do some webpage analysis on the target, extracting the request URL of the voting action as well as some HTTP header settings to cheat the website. There are lots of tools which help people to analyze the web, such as Firebug and httpanalyzer. One can trace the voting process of HTTP packages by these tools and find the right voting target and some simple protecting tricks used by websites, such as referrer verification.
Preparation
Before sending requests, the attacker must carefully analyze the target and identify potential attack vectors. During analysis, the attacker must determine if HTTP sessions (maintained via cookies) are necessary to consider or not. For example, an online poll could require a session so that only authorized users can vote.
HTTP request
Crafting an HTTP request defines how an actual user would behave based on parameters defined in the request.
Two HTTP request methods are useful in voting, POST and PUT. Request methods are simply different ways to send data to a certain endpoint (i.e., a poll about "How Many Users Like The Votebots Article?"). The below is a simple Python example using httplib2 to send messages (cited from httplib2 wiki):
>>> from httplib2 import Http >>> from urllib import urlencode >>> h = Http() >>> data = dict(name="Joe", comment="A test comment") >>> resp, content = h.request("http://bitworking.org/news/223/Meet-Ares", "POST", urlencode(data)) >>> resp {'status': '200', 'transfer-encoding': 'chunked', 'vary': 'Accept-Encoding,User-Agent', 'server': 'Apache', 'connection': 'close', 'date': 'Tue, 31 Jul 2007 15:29:52 GMT', 'content-type': 'text/html'}Human action simulation
In many voting projects, developers try to distinguish the bots from legal users. They may use the strategy talked about below, and the votebots try to bypass their barriers or detecting methods to successfully vote at the website. For example, some websites restrict the number of votes one IP address can make in a time period. Votebots can bypass this rule by proxy its IP address frequently to cheat the website. Another frequently used strategy is to analyze the account created by a votebot to tell any difference from the normal accounts created by human beings, or to analyze the action history of accounts in the system to find out potential votebots creating ones. Votebots, on the other hand, try to simulate human action such as logging in and out as well as sharing some articles in some social network service before voting.
Usual Target
YouTube is reported to be a big victim of votebot. Many small, temporary set up voting projects are also usual target of votebots. Many people try to program or buy malicious scripts to vote for themselves in some processes, and it is hard to count the number of attacks that happen everyday.
Anti-VoteBot
As talked above, web developers want to distinguish votebot from legal voting users in voting projects. Normal ways includes IP checking, account-handling, Turing test (e.g. CAPTCHA) and account action analysis. Some special service have their special ways to tell programs from human who intend to vote. Someone has proposed a strategy for YouTube, only allow voting after the whole video is downloaded to the local machine, which may indicate it is played at least once and no votebot wants to waste time downloading and watching it.