Success Story: Preventing Fraud at the Front Door | Information Technology | University of Pittsburgh

Success Story: Preventing Fraud at the Front Door

Signing up hundreds of participants to complete a research survey in just a few days is something that most researchers only dream of. One group at Pitt did just that after offering a $10 Amazon gift card incentive. Unfortunately, it was too good to be true. The researchers were the victims of a bot attack.

Under Attack

In a bot attack, an attacker writes a program that automates interaction with a website or its accounts, in this case submitting the study's signup form over and over under fabricated identities. You might not think $10 would be enough to attract their attention, but it is the perfect scenario: a few lines of code, and an attacker can sit back and collect gift cards at machine speed.

The affected study immediately contacted Regina Stroud, executive director for information technologies in the Clinical and Translational Science Institute (CTSI), which manages the Pitt+Me Registry. Stroud and her team quickly realized that the hundreds of signups weren’t real. According to Brian Petersen, assistant director for IT application development at CTSI, “We hadn’t seen an attack of this magnitude before. We suspect that someone posted about the study on a Facebook page or Reddit thread and piqued the interest of hackers.”

The consequences of fraud in research studies are enormous, from improper incentive payments and the threat of losing grant funding, to reputational costs, people not participating, and the publication of fraudulent data. “There are already so many stigmas associated with research, and fraud has a domino effect that impacts everyone,” Stroud explains.

Mounting a Response

The impacted study was quickly shut down and the fraudulent responses manually identified and deleted. Then, bot attacks started targeting several other studies. The CTSI team came close to shutting down the entire Pitt+Me website but reached out to Pitt IT’s information security team instead.

Pitt IT Security recommended bot detection software that sits at the gateway in front of the Pitt+Me server, so that traffic is screened before a request ever reaches the site. It took about six weeks to gather and analyze enough traffic data to tune the software to flag fraudulent requests, and to add CAPTCHA challenges to weed out questionable logins. The software sharply reduced fraudulent activity and restored the trust of research partners. “We have not seen anything like the magnitude of that attack,” Stroud says.
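The tuning step described above, collecting signup traffic and then writing rules that separate automated signups from real participants before a CAPTCHA is imposed, can be illustrated with a small heuristic scorer. The Python below is an added example written for this page; it is not the Pitt+Me software or Pitt IT's configuration. The log format, the four signals (per-IP burst rate, form fill time, non-browser user agent, templated email addresses), the thresholds, and the sample log lines are all constructed assumptions.

```python
"""Heuristic bot-signup scorer (added illustration, not Pitt+Me code).

Assumed log format, one signup per line:
    ISO timestamp | client IP | user agent | email | seconds from form load to submit
The fill time is assumed to be measured server-side from a token issued when
the form is rendered, so a client cannot simply claim a long fill time.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not real data). Six scripted signups from one IP in
# five seconds, followed by three human-looking signups.
SAMPLE_LOG = """\
2024-03-01T09:00:01|203.0.113.7|python-requests/2.31|survey001@example.com|1
2024-03-01T09:00:02|203.0.113.7|python-requests/2.31|survey002@example.com|1
2024-03-01T09:00:03|203.0.113.7|python-requests/2.31|survey003@example.com|1
2024-03-01T09:00:04|203.0.113.7|python-requests/2.31|survey004@example.com|1
2024-03-01T09:00:05|203.0.113.7|python-requests/2.31|survey005@example.com|1
2024-03-01T09:00:06|203.0.113.7|python-requests/2.31|survey006@example.com|1
2024-03-01T09:14:22|198.51.100.23|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0|jane.doe@example.org|47
2024-03-01T09:31:05|198.51.100.88|Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) Safari/605.1.15|m.smith@example.net|63
2024-03-01T10:02:40|192.0.2.15|Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0|t.lee@example.edu|2
"""

# Assumed thresholds; in practice these are tuned from a few weeks of real traffic.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5          # more than this many signups per IP per window is suspicious
MIN_HUMAN_FILL_SECONDS = 5   # a real participant needs longer than this to fill the form
NON_BROWSER_UA = re.compile(r"python-requests|curl/|Go-http-client|libwww|Scrapy|Wget", re.I)
TEMPLATED_EMAIL = re.compile(r"^[a-z]+\d{2,}@", re.I)   # e.g. survey001@, user042@


def parse_log(text):
    """Parse the assumed pipe-delimited format into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, ua, email, fill = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip, "ua": ua,
                        "email": email, "fill": int(fill)})
    return records


def score_signups(records):
    """Return [(record, reasons)] in time order; an empty reasons list means it looks human."""
    recent = defaultdict(list)   # per-IP timestamps inside the rolling burst window
    results = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        reasons = []
        window = recent[r["ip"]]
        window.append(r["ts"])
        while r["ts"] - window[0] > BURST_WINDOW:   # drop timestamps that fell out of the window
            window.pop(0)
        if len(window) > BURST_THRESHOLD:
            reasons.append(f"{len(window)} signups from {r['ip']} within {BURST_WINDOW.seconds}s")
        if r["fill"] < MIN_HUMAN_FILL_SECONDS:
            reasons.append(f"form completed in {r['fill']}s")
        if NON_BROWSER_UA.search(r["ua"]):
            reasons.append("non-browser user agent")
        if TEMPLATED_EMAIL.match(r["email"]):
            reasons.append("templated email address")
        results.append((r, reasons))
    return results


def flagged(results, min_reasons=2):
    """Emails of signups with at least min_reasons independent signals.

    These are the requests to send to a CAPTCHA challenge or to hold before an
    incentive is paid; a single weak signal on its own is not enough.
    """
    return [r["email"] for r, reasons in results if len(reasons) >= min_reasons]


if __name__ == "__main__":
    for rec, why in score_signups(parse_log(SAMPLE_LOG)):
        status = "FLAG" if len(why) >= 2 else "ok  "
        print(status, rec["ts"].time(), rec["ip"], rec["email"], "; ".join(why))
```

Requiring two independent signals is the point of the design: the last constructed record is a real browser that submitted the form in two seconds, which trips one rule but is not flagged, while the scripted signups trip three or four rules each. Routing flagged requests to a CAPTCHA rather than blocking them outright keeps a mis-tuned rule from turning away genuine participants.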

An Ounce of Prevention

Stroud, Petersen, and Pitt IT’s Scott Weinman all recommend that departments build security into their projects from the start. “Avoiding a major clean-up is worth a slightly longer startup,” Petersen says. Working with Pitt IT Security during the planning phase of any major public-facing IT project is step one. “We know that many security measures, like Duo prompts and CAPTCHA tests, can be a little annoying, but they are the layers of protection that keep our digital assets safe,” Weinman says.

Hacking and fraud can happen to anyone, and preventing an incident before it starts is the ultimate win. Contact Pitt IT today for a security review of your planned project. We are better, and safer, together!