A Melbourne security professional has sent ear-piercing 'garbage' tunes to the top of online music charts by spoofing track plays.
Although Peter Filimore (@typhoonfilsy) has never played an instrument, in a month he accrued hundreds of thousands of plays for his tunes on online music charts, trumping artists like P!nk, Nicki Minaj and Flume and the chart-topping album The Heist, and making $1000 in royalties in the process.
A now dormant artist account he operated has received nearly a million hits.
Rather than spend years practising an instrument and writing songs, he compiled music first from clunky electronic MIDI files and later by applying algorithms that squashed together public domain audio.
He then purchased three Amazon compute instances and wrote a simple bash script to simulate three listeners playing his songs 24 hours a day for a month.
Filimore wasn't bothered when online listeners dubbed the tunes "rubbish", "horrible" and of a quality perhaps only appealing while "on cocaine".
Rather, the payments security expert was curious whether fraud detection mechanisms were used across music services like Spotify, Pandora and CDBaby.
"I'm not a musician," Filimore told SC at the Ruxcon security event in Melbourne this week. "But I kept hearing that artists were going broke and wanted to look into it."
"As it turns out, you're doing it wrong if you want to make money in music by being a musician."
He began to test the services earlier this year by uploading the awful audio to a variety of streaming music services.
While Telstra's MOG and Spotify both banned his account early in his research, Filimore suspected the crackdowns were not automated. On the former service, his 1200 plays would have been easily noticed as relatively high traffic, while Spotify users likely reported the apparently popular yet shrill MIDI tunes to site administrators.
Filimore then compiled the tunes from public domain works using Wolfram Alpha and created an album dubbed Kim Jong Christmas.
The new music appeared less obviously fraudulent than the MIDI tunes but still failed to attract fans despite its fusion of festive carols and blasting 90s techno.
"Loops, poorly mixed sound resulting in distortion, cheesy horrible samples; it might sound good on cocaine like when it was made, but this isn't music," one reviewer wrote.
"There ain't no party like a Korean Workers' Party. But seriously, what the hell is this doing on high rotation?" another said.
For a total cost of about $30, Filimore was able to draw a slow trickle of royalty payments from the fixed pool that online streaming services divide among many thousands of artists according to the plays their tunes generate.
His work was possible, he suspected, because the services lacked automated analysis of play patterns and instead relied on user reports to detect fraudulent music.
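The automated analysis the article says was missing does not need to be elaborate: the pattern described above (three scripted listeners on three cloud hosts, every few minutes, 24 hours a day) stands out from organic listening on plays per listener, listener concentration and hour-of-day coverage alone. The following is an added example, not code from the article, from Filimore or from any streaming service; the log record layout, the field names and the thresholds are assumptions, and the play log is constructed inline so it runs offline. It also returns the listener accounts behind the plays rather than a verdict on the artist, which matters for the "DDoS" scenario the article raises next: a farm pointed at a rival's track should lead to action against the farming accounts, not the artist.

```python
"""Streaming-play fraud heuristics over a constructed play log.

Added example, not code from the article or from any streaming service:
per-track checks that catch a handful of accounts streaming the same
tracks round the clock, without waiting for listener reports. The
record layout and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import random


def build_sample_log():
    """Constructed log records: (track_id, listener_id, source_ip, played_at)."""
    random.seed(7)
    base = datetime(2013, 10, 1)
    log = []
    # Organic track: 200 listeners, one or two plays each, daytime hours over a week.
    for i in range(200):
        for _ in range(random.choice([1, 1, 2])):
            when = base + timedelta(days=random.randint(0, 6),
                                    hours=random.randint(7, 23),
                                    minutes=random.randint(0, 59))
            log.append(("organic-track", f"user{i}", f"203.0.113.{i}", when))
    # Farmed track: three scripted 'listeners' on three cloud IPs,
    # one play every four minutes, all day, every day, for a week.
    for bot in range(3):
        when = base
        while when < base + timedelta(days=7):
            log.append(("farmed-track", f"bot{bot}", f"198.51.100.{bot}", when))
            when += timedelta(minutes=4)
    return log


def summarise(log):
    """Aggregate per track: plays per listener, distinct IPs, hours of day seen."""
    tracks = defaultdict(lambda: {"by_listener": defaultdict(int),
                                  "ips": set(), "hours": set()})
    for track, listener, ip, when in log:
        t = tracks[track]
        t["by_listener"][listener] += 1
        t["ips"].add(ip)
        t["hours"].add(when.hour)
    return tracks


def suspicious_listeners(stats, max_plays_per_listener=50,
                         min_hours_active=22, top_share=0.8):
    """Return (listener IDs whose plays look scripted, list of reasons).

    The output names the accounts producing the plays, not the artist:
    a play farm can be aimed at a rival's track, so the response should
    land on the farming accounts. Thresholds are illustrative assumptions.
    """
    by_listener = stats["by_listener"]
    total = sum(by_listener.values())
    reasons = []
    # Signal 1: individual listeners with an implausible play count.
    heavy = {l for l, n in by_listener.items() if n > max_plays_per_listener}
    if heavy:
        reasons.append(f"{len(heavy)} listener(s) above {max_plays_per_listener} plays")
    # Signal 2: a few accounts supply almost all of the track's plays.
    top3 = sorted(by_listener.values(), reverse=True)[:3]
    if total and sum(top3) / total >= top_share:
        reasons.append(f"top 3 listeners supply {100 * sum(top3) / total:.0f}% of {total} plays")
    # Signal 3: a tiny audience that never sleeps (plays in nearly every hour of the day).
    if len(stats["hours"]) >= min_hours_active and len(by_listener) < 10:
        reasons.append(f"{len(by_listener)} listeners cover {len(stats['hours'])} of 24 hours")
    return heavy, reasons


def flag_tracks(log):
    """Map each track showing at least one signal to (sorted listener IDs, reasons)."""
    flagged = {}
    for track, stats in summarise(log).items():
        heavy, reasons = suspicious_listeners(stats)
        if reasons:
            flagged[track] = (sorted(heavy), reasons)
    return flagged


if __name__ == "__main__":
    for track, (who, why) in flag_tracks(build_sample_log()).items():
        print(track, who, "; ".join(why))
```

On the constructed log the organic track trips none of the three signals, while the farmed track trips all of them and the three bot accounts are named; a real deployment would add IP reputation (cloud provider ranges) and play-duration checks, and would queue the result for review rather than suspend anyone automatically.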
Suspension notices said only that his accounts had breached the terms of service, and Filimore received no response to his requests for more details.
This, he said, created an opportunity for artists to "DDoS" rival musicians off the streaming networks by directing fraudulent plays from attacker-controlled cloud computing instances at the targets' tracks.
The attacker, posing as a listener, could then report the apparently fraudulent plays to the streaming service's administrators, who would ostensibly suspend the account without providing further information to the victim artist.
While the research was a small-scale demonstration designed for Ruxcon, Filimore said it could easily be scaled up by adding more cloud compute resources, generating thousands of dollars in fraudulent royalties.
Filimore had seen only one other would-be muso who appeared to be scamming royalties under the name 'Scam Artist'.