A Firsthand Look at Spin Fraud

I fell for an Instagram trend that came and went so fast, if you weren’t doom-scrolling for an hour on Christmas Eve, you would’ve missed it. It was an AI robot that scanned your Spotify account and then judged the h*ll out of your taste levels. It’s called How Bad is Your Spotify?.

Ready to be thoroughly roasted for listening to an inordinate amount of early 2000s emo and Lady Gaga, I connected it to my account and watched as the most confusing results came through live. While it clocked my Chromatica love, something else came to light: my unwavering “passion” for the Dirty Dancing (Original Motion Picture) soundtrack. Not that I listened to it once, but that I listened to it an uncomfortable amount.

Figure 1: A screenshot of my results on 1/19/21, showing Dirty Dancing as one of my “obsessions.”

I don’t think I had ever even searched for the album until I saw these results. No hate for the album, there’s just no reason for me to ever listen to it outside of a wedding. 

At HUMAN, I get the pleasure of working with some of the internet’s best and brightest for all the blogs you see on our website. So, I approached the Satori Threat Intelligence & Research team with a question: is someone else listening in on my Spotify account? That’s when I learned about spin fraud.

This Song is a Bot

Fraud happens when criminals figure out how to exploit a system's incentives for their own benefit. In the case of spin fraud, criminals have figured out a way to make money from streaming media platforms and the systems behind them. Where there’s money to be made, you can bet bots will find a way to finagle their way in and take a piece of the pie.

Spin fraud is when sophisticated bots either create accounts or hack into real accounts to listen to songs over and over again in an effort to make them popular. The operators can make money off of this in a variety of ways - the Satori team is aware of websites that offer one-click fraud enablement, much like ordering a movie online.

So who is actually paying for these services? While we don’t want to speculate on who uses these services or why they’re employing bots to do this, what we do know for a fact is that bots can take advantage of music lovers for monetary benefit. Spin fraud can make “real” hit songs. When songs are listened to or “liked” at scale, say from a device farm where there are millions of listens happening in no time, we get fake popularity. The perception of a hit song is created, and consumers are none the wiser. It could have an impact on the artists and the businesses supporting the artists; the attention, positive or negative, drives revenue. In a time when a lot of artists are struggling without being able to tour, having an uneven playing field on streaming platforms because of bots can hurt them further.

Don’t Go Breaking My Password

The most common cause of spin fraud is credential reuse. When thinking about what people use as credentials, we typically think of usernames and passwords. People frequently use their email addresses as their usernames, and, if the platform does things correctly, the passwords are stored securely. Attackers, right off the bat, know one of the two values needed to authenticate successfully, and frequently it isn’t difficult to determine the password. Users often reuse the same credentials across platforms, so when credentials are stolen from one platform, they get tested against others. Data sold on the dark web after a data breach makes this simple for a fraudster, unfortunately.

This, for the record, is probably what happened to me and my account - I wasn’t just getting roasted on my love for My Chemical Romance, I was also getting roasted for my password hygiene.

A simple mitigating action a user could take is to do what’s called “salting your password”; i.e., if your password is abc123, for Spotify it would be abc123spotify. That way your passwords are unique across platforms. Another way to set unique and memorable passwords is to combine four seemingly random words. These words should have some type of significance to you, so they’re easy to remember together.

Cybercriminals are targeting every one of the streaming providers. The challenge for the providers is the complexity of managing fraud on platforms like these. It’s hard to spot a problem when a bot logs into a real person’s account using that person’s real credentials. Fraud tactics such as anti-detection browsers make detection even more difficult without sophisticated bot mitigation. HUMAN's BotGuard for Applications is able to detect the most human-like bots looking to gain access to streaming platforms via user accounts.
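Even when every attempt uses a real username and the successful ones use a real password, as the two passages above describe, credential stuffing still leaves a trace in a platform's login logs: one source trying many different usernames roughly once each in a short burst, with the occasional success. The script below is an added example, not HUMAN's or BotGuard's code, that looks for that pattern and lists the accounts a defender would want to force a password reset on. The log format, field names, sample events and thresholds are all assumptions constructed for the example.

```python
"""Flag credential-stuffing sources in login logs and list accounts to reset.

Added illustration; not HUMAN or BotGuard code. The log layout (ISO time,
source IP, username, OK/FAIL), the sample events and the thresholds are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample login events (not real data). 203.0.113.7 walks a list of
# leaked e-mail addresses, one try each; 198.51.100.20 is one user fumbling a
# password; 192.0.2.44 is an ordinary login.
SAMPLE_LOG = """\
2021-01-19T02:00:01Z 203.0.113.7 anna@example.com FAIL
2021-01-19T02:00:02Z 203.0.113.7 ben@example.com FAIL
2021-01-19T02:00:02Z 203.0.113.7 carla@example.com FAIL
2021-01-19T02:00:03Z 203.0.113.7 dev@example.com OK
2021-01-19T02:00:04Z 203.0.113.7 erin@example.com FAIL
2021-01-19T02:00:05Z 203.0.113.7 faye@example.com FAIL
2021-01-19T02:00:06Z 203.0.113.7 gus@example.com OK
2021-01-19T02:00:07Z 203.0.113.7 hana@example.com FAIL
2021-01-19T02:03:10Z 198.51.100.20 anna@example.com FAIL
2021-01-19T02:03:15Z 198.51.100.20 anna@example.com FAIL
2021-01-19T02:03:22Z 198.51.100.20 anna@example.com OK
2021-01-19T09:15:00Z 192.0.2.44 ben@example.com OK
"""


def parse_event(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts_text, ip, user, outcome = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"ts": ts, "ip": ip, "user": user.lower(), "ok": outcome == "OK"}


def summarize_by_source(events):
    """Aggregate per source IP: usernames tried, outcomes, time span, successes."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "first": None,
                                 "last": None, "logged_in": set()})
    for e in events:
        s = stats[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["logged_in"].add(e["user"])  # account now reachable from this source
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return stats


def find_stuffing_sources(log_text, min_distinct_users=5, window_seconds=300,
                          min_users_per_attempt=0.8):
    """Return {ip: details} for sources that look like credential stuffing.

    Signature used here (an assumption, tune to your own traffic): many distinct
    usernames, close to one attempt per username, all inside a short window.
    A single user retrying one account many times does NOT match; that is a
    different pattern (brute force or a forgotten password).
    """
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    flagged = {}
    for ip, s in summarize_by_source(events).items():
        distinct = len(s["users"])
        span = (s["last"] - s["first"]).total_seconds()
        users_per_attempt = distinct / s["attempts"]
        if (distinct >= min_distinct_users and span <= window_seconds
                and users_per_attempt >= min_users_per_attempt):
            flagged[ip] = {
                "distinct_users": distinct,
                "attempts": s["attempts"],
                "span_seconds": span,
                # Successful logins from a stuffing source are the accounts whose
                # reused passwords were in the leak: reset them and notify the owner.
                "accounts_to_reset": sorted(s["logged_in"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} usernames in {info['attempts']} "
              f"attempts over {info['span_seconds']:.0f}s; "
              f"reset: {', '.join(info['accounts_to_reset'])}")
```

The distinct-users-per-attempt ratio is what separates stuffing from a brute-force attempt on one account: a leaked list gets walked once, because the attacker already holds the password for each username and only needs to learn whether it was reused here. Accounts that log in successfully from a flagged source are the ones to reset, whether or not the user ever notices odd listening history.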

I’ve Had the Time of My Life

At the end of the day, having real humans listening to your music will always be the most beneficial. Just like when the PlayStation 5 dropped - you don’t want a fraudster to grab your game console as soon as it goes on sale just so they can make some extra money reselling it. You want a fan to get the console, play it, and talk about it with their friends. Similarly, you want real people listening to and enjoying music. Genuine popularity will always trump fake popularity.

Since this discovery, I’ve changed my passwords across the streaming platforms I use. And I’d like to extend my sincerest apologies: I had no intention of making anyone believe that the Dirty Dancing soundtrack should enter the charts again. But as they say, nobody puts Baby in a corner.