Technology has transformed the music industry by facilitating its reach across geographical locations, which in turn has increased sales. It is a win-win proposition for both artists and consumers, as artists can earn money from their music being streamed while consumers get to enjoy their choice of music anywhere without the need to download anything.
On the flip side, technology has also enabled music streaming fraud, where bad actors use illegal means to profit from the hard work of the artists.
Music streaming fraud refers to the manipulation of music streams to artificially inflate views, followers, and sales for monetary gain as well as to increase popularity on music charts. It is also known as music streaming manipulation, abnormal music streaming or store-end fraud.
Bad actors exploit streaming platforms by fraudulently generating streams, whereby songs are played repeatedly, but not by real consumers. Attackers rely on account takeover and fake account creation to commit music streaming fraud. They use these accounts to sell playlists, pay for playlists and followers, and influence a playlist or its content.
To achieve scale and increase profits, bad actors use bots that illegally play the songs over and over again in order to make them popular. Bots are also used to inflate followers and downloads, place songs on playlists, and so forth.
All these activities can adversely impact streaming data and royalty commissions, causing loss of revenue to music streaming platforms, sabotaging an artist’s career, and skewing the analytics used for marketing purposes.
What is music streaming?
Music streaming is the broadcast of music content (live or recorded) delivered to users’ devices through the internet. This makes it possible for artists to transcend geographical boundaries and reach a larger, global audience, thereby improving their earnings. Music streaming also provides upcoming artists with an opportunity to make a mark for themselves.
For consumers, music streaming means access to a vast selection of music, the ability to create their own playlists and even listen to music that is no longer reprinted. Music streaming also eliminates the need for users to download content, which means they don’t need to clog their device storage.
Causes of music streaming fraud
Considering the phenomenal growth in the number of people using music streaming services (and the growing revenues), bad actors use every opportunity to profit from this rising popularity.
The most common loophole they exploit to execute music streaming fraud is the use of weak and repurposed passwords. A majority of consumers today have multiple accounts across digital channels. To avoid the inconvenience of remembering passwords for every single account, they tend to create passwords that are easy to remember and often use one password for many accounts. When attackers access stolen credentials – such as through a data breach or web scraping – they can arrive at valid username-password combinations using a number of techniques, namely credential stuffing, password spraying, brute forcing, and so forth. They can even buy valid credential combinations from the dark web.
Using these valid credentials, attackers can successfully authenticate across several accounts and abuse both free and paid subscriptions to artificially increase the streams of particular music. The more the streams, the higher the payout for the artist. Outsourcing services (or streaming farms) are often hired to bloat the streaming numbers, and hence the revenue.
Impact of music streaming fraud
Since music streaming fraud misrepresents the consumer data, it affects data analysis, which in turn can affect budget allocations, advertising spends, and go-to-market strategies.
Music streaming fraud impacts the popularity of an artist by presenting a distorted picture. Streaming platforms can take strict action against artists, including complete removal of their music, if they are found to be involved in music streaming fraud in any way. This means affected artists will no longer be able to earn money or distribute their music.
Streaming platforms also risk non-compliance with the terms of their agreement with the content owners, which harms their reputation.
Techniques used for music streaming fraud
There are several techniques that attackers use to execute music streaming fraud. Automated bot attacks are the most commonly used technique, as they allow attackers to quickly launch attacks at scale and with the least possible investment.
Here’s a look at the most common methods used for music streaming fraud:
- Bots: Attackers use automated software and scripts to generate streams, artificial views, and fraudulent interactions across several platforms round the clock to significantly increase the volumes of fake consumers.
- Streaming farms: By outsourcing music streaming fraud activities to actual humans – also called fraud farms or click farms – attackers can circumvent defenses meant to catch bots and other automated scripts. These services are available easily and cheaply, and usually offer their services under the guise of marketing to improve promotions for the artists. They, however, use unethical means to get the artists an unfair advantage over the ones who play by the rules. This can result in genuine artists losing audiences and revenues.
- Account takeover: Attackers use stolen credentials to take over genuine accounts which are then used to artificially increase views, likes and ratings. The accounts with paid subscriptions can be sold illegitimately or at heavy discounts to third parties for quick money.
- New fake account creation: New fake accounts are used to generate fraudulent streams and inflate play counts.
- Fake music: Attackers pose as genuine artists and upload pirated or fake versions of songs under different names to cash in on the popularity of the artists, which diverts streams and causes financial losses to the artists.
Detecting music streaming fraud
Music streaming fraud costs platforms millions of dollars every year. It also harms artists and consumers, and causes reputational damage for the streaming platforms.
It is incumbent on music streaming companies to secure their platforms against attempts to fake streams and inflate likes or followers. As with any other threat, it is important to stay vigilant and spot anomalous patterns and telltale signs in order to accurately detect music streaming fraud early.
Some of the common red flags that indicate a possible music streaming fraud are described below:
- Suspicious playlists that mimic playlists on popular music streaming platforms but generally have an unusually high number of likes and song count.
- Artificially inflated streaming numbers
- A script or bot controlling an account or a group of accounts
- A specific account playing a song throughout the day
- The reference ratio of monthly listeners to active users is high
- The top cities list where a specific song is played is unusual or unlikely
- A randomly recommended artist which is unrelated to the playlist and skewed in favor of the artist being promoted by bots.
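Two of the red flags above (a specific account playing a song throughout the day, and a script or bot controlling a group of accounts) can be checked directly against play logs. The following Python is an added example, not code from Arkose Labs or any streaming platform; the event format, account and track names, and both thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (account_id, track_id, hour_of_day) play events for one day.
def _plays(account, track, hours):
    return [(account, track, h) for h in hours]

SAMPLE_EVENTS = (
    _plays("acct-bot-1", "track-X", range(24))        # same song, every hour
    + _plays("acct-bot-2", "track-X", range(24))      # identical pattern, second account
    + _plays("acct-fan", "track-X", [8, 8, 18, 19])   # heavy but human-looking listener
    + _plays("acct-fan", "track-Y", [9, 20])
    + _plays("acct-casual", "track-Z", [7, 12, 21])
)

MIN_ACTIVE_HOURS = 20   # assumed threshold: plays in at least 20 of 24 hours
MIN_TRACK_SHARE = 0.9   # assumed threshold: one track is >= 90% of the account's plays

def profile_accounts(events):
    """Per account: play count per track and the set of hours with any play."""
    tracks = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    for account, track, hour in events:
        tracks[account][track] += 1
        hours[account].add(hour)
    return tracks, hours

def round_the_clock_accounts(events):
    """Red flag: an account playing one song throughout the day."""
    tracks, hours = profile_accounts(events)
    flagged = {}
    for account, counts in tracks.items():
        top_track, top_plays = max(counts.items(), key=lambda kv: kv[1])
        share = top_plays / sum(counts.values())
        if len(hours[account]) >= MIN_ACTIVE_HOURS and share >= MIN_TRACK_SHARE:
            flagged[account] = top_track
    return flagged

def coordinated_groups(events):
    """Red flag: several flagged accounts sharing the same track and hour pattern."""
    _, hours = profile_accounts(events)
    groups = defaultdict(list)
    for account, track in round_the_clock_accounts(events).items():
        groups[(track, frozenset(hours[account]))].append(account)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    print(round_the_clock_accounts(SAMPLE_EVENTS))
    print(coordinated_groups(SAMPLE_EVENTS))
```

Accounts flagged this way are candidates for review rather than proof of fraud, since the thresholds need tuning against a platform's real listening patterns.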
Measures to stop music streaming fraud
Stung by the growing incidence of music streaming fraud, streaming platforms are taking stringent steps to contain the menace. They are removing content and artists that are found to be involved in falsely padding streaming numbers.
- Following an industry-wide code⁵ to monitor and stop fake music streaming, although the ‘code’ is not legally binding.
- Leveraging technology such as machine learning algorithms to identify manipulation attempts.
- Scanning playlists to identify fake artists.
- Using tools to ascertain the legitimacy of the uploaded music.
- Reviewing suspicious streaming numbers
- Using anti-bot solutions to detect and stop bot activity.
- Cracking down on fake new account creation and account takeover attempts.
- Requesting users to reset passwords of seemingly compromised accounts.
- Sharing information on suspicious accounts and known criminals.
Fight music streaming fraud with Arkose Labs
Evolving customer behaviors and the use of multiple devices can result in legitimate users being categorized as risky. Therefore, instead of blocking suspicious users outright, Arkose Labs triages incoming traffic and uses several parameters to assess the risk associated with each user. Risky users are then engaged in interactive challenges – Arkose Matchkey – which genuine users find easy and fun to solve.
This is because Arkose Matchkey is a comprehensive collection of 3D challenges and comprises several versions of each challenge. Arkose Matchkey challenges wear out attackers trying to automate the solution for each challenge. This delay in solving the challenges at scale and the need to spend more effort and resources erode the profitability of the attack, making it economically non-viable and forcing attackers to move on for good.
Arkose Bot Manager comprehensively blocks bots, helping music streaming platforms protect themselves without impacting good customer throughput, as each and every user gets an opportunity to prove their authenticity. This ensures music streaming platforms do not lose out on potential revenue-generating customers.
Further, Arkose Labs provides 24x7 support and shares raw signals and actionable insights with security teams to help them fight evolving attacks – whether they are powered by bots or streaming farms – ensuring long-term protection against music streaming fraud, while maintaining a superior user experience for genuine customers.