Mitch Talmadge
7 min read · May 30, 2018


Tough Luck: Using Network Traffic Analysis to Expose a Rigged Coupon Wheel-of-Fortune

While doing productive work on the internet like watching cats slap each other, I happened upon a company called Hush Blankets that creates weighted blankets to help with sleep and anxiety. What an awesome idea! I spent a couple minutes browsing through the website when — all of a sudden — a giant wheel of fortune came popping out of the left side of the screen.

“You unlocked a special bonus,” it proclaimed!

Gasp! The wheel was covered in coupons promising $10, $15, $20, or $30 OFF, or even a FREE blanket! Considering that these blankets go for nearly $200 each, a free blanket would be pretty darn cool. All I had to do was enter my email and press the button! My mom always told me I was special. 😋 (I’m not sure who this “Ed” guy is though.)

“Okay,” I thought, “I have nothing to lose.” So, naturally, I entered a fake email address and hit enter. The wheel instantly came to life! It spun slower and slower until it began to get STUCK RIgHt ON tHe EdGE of “Almost” and “$10 OFF”!!…

gasp!!! I WON!

Or did I?

As both a software engineer and an entrepreneur, I know two things very well:

  1. Randomness (so called “luck” 🙄) and computers don’t mix.
  2. No company would ever give away a $200 product for free just because some lucky bastard clicked a button. Not if they can help it.

Needless to say, I was skeptical. I was also intrigued. I wanted to know how the wheel really worked. Was the prize predetermined? Could you really super truly win a FREE blanket?! I started digging.

Betting on my intuition that a blanket company wouldn’t code up a custom wheel of fortune just for coupons, I hopped right into the Chrome Debugger’s “Sources” section. This allows me to see all of the scripts currently loaded on the page. Glancing through the URLs, I quickly noticed one with the word “wheelio.” Hmm… wheelio… “wheel”… yeah, that seems like a good place to start.

wheeeeelio

Without even looking at the source code, I punched “Wheelio” into Google, and… oh. That was easy.

“They spin, you win.” That tagline doesn’t sit well with me. Feels kinda disturbing. Let’s dig deeper. Here’s an explanation on the website of why you should be using Wheelio:

Purchase behavior psychology is a strong thing…

People don’t really like easy free stuff. Not when it comes to coupons and usage of coupons. They need to feel like they “won” and the coupon was hard earned. When they feel like they have the upper hand, the usage of coupons is 10X higher than as of an ordinary coupon.

TL;DR: You click the button, it makes you feel like you’ve won, so you’re more likely to use the coupon.

Why does this feel emotionally manipulative to me? Back to that in a second. Let’s keep going, because I’m really eager to get my hands on a free blanket.

I was curious if the prize was determined in my web browser or on a remote server somewhere. Could I trick my browser into giving me any prize on the wheel? I figured that the best way to find out would be to monitor the network traffic. I refreshed the page and the data came flowing in:

Ooh, pretty colors

I filtered down the results to only those that included “wheelio”:

Oh! A websocket? This means that the server and browser are having an ongoing conversation. Let’s listen in. 😈

Here’s what the server and browser are saying to each other. Most of these frames (messages) look pretty useless to me, but one of them is being cut off. Judging by the length, it probably contains some juicy details. A little copying there, some formatting here, and…

Check it out! This must be the information that is used to populate the wheel with all the labels, like “$10 OFF Coupon”. Not only can you see the labels, but you can see the coupon code and the “gravity” (i.e., the relative probability weight) for each coupon.

Now about that free blanket… The gravity for the free blanket coupon is 0! That means you can never land on it! In fact, this is true of the $30 and $20 coupons too!

I even tried checking out with their respective codes: 000-000-000, 30OFF, and WELCOMEBACK, but only the $20 coupon worked.

What really irks me is that they outright say “You have a chance to win up to $30 OFF.” This is a blatant lie. Not only this, but there is a progress bar on the popup which says “12 coupons left. Hurry up!”, but this number is hard-coded into the popup! It says 12 for everyone, forever! Another lie. 😡
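To make the gravity numbers concrete, here is an added example (not Wheelio’s code, and not from the original post) that audits a wheel configuration shaped like the captured frame: it turns each slice’s gravity into a landing probability, lists the slices that can never land, and checks the “up to $30 OFF” claim against the best prize that is actually reachable. All field names, codes and weights below are constructed for illustration.

```javascript
// Added example, not Wheelio's code: audit a captured wheel configuration in
// which every slice carries a weight ("gravity"). All field names and values
// below are constructed for illustration.
const wheelConfig = {
  advertisedMaxOff: 30, // the popup's "up to $30 OFF" claim
  slices: [
    { label: "Almost",         code: null,         value: 0,   gravity: 30 },
    { label: "$10 OFF Coupon", code: "SAMPLE10",   value: 10,  gravity: 50 },
    { label: "$15 OFF Coupon", code: "SAMPLE15",   value: 15,  gravity: 20 },
    { label: "$20 OFF Coupon", code: "SAMPLE20",   value: 20,  gravity: 0 },
    { label: "$30 OFF Coupon", code: "SAMPLE30",   value: 30,  gravity: 0 },
    { label: "FREE Blanket",   code: "SAMPLEFREE", value: 200, gravity: 0 },
  ],
};

// Weighted selection: P(slice) = gravity / sum(gravity). Zero weight = never.
function sliceProbabilities(config) {
  const total = config.slices.reduce((sum, s) => sum + s.gravity, 0);
  return config.slices.map((s) => ({
    label: s.label,
    probability: total > 0 ? s.gravity / total : 0,
    reachable: s.gravity > 0,
  }));
}

// Check the advertised maximum against the best prize that can actually land.
function auditWheel(config) {
  const probs = sliceProbabilities(config);
  const reachable = config.slices.filter((s) => s.gravity > 0);
  const bestReachable = Math.max(0, ...reachable.map((s) => s.value));
  return {
    unreachable: probs.filter((p) => !p.reachable).map((p) => p.label),
    bestReachable,
    claimIsHonest: bestReachable >= config.advertisedMaxOff,
  };
}

// The draw a weighted wheel performs; `rand` is injectable so it can be tested.
function spin(config, rand = Math.random) {
  const total = config.slices.reduce((sum, s) => sum + s.gravity, 0);
  let r = rand() * total;
  let last = null;
  for (const s of config.slices) {
    if (s.gravity === 0) continue; // zero-gravity slices are skipped entirely
    last = s;
    r -= s.gravity;
    if (r < 0) return s.label;
  }
  return last ? last.label : null; // floating-point edge (rand() very close to 1)
}

console.log(auditWheel(wheelConfig));
```

The same audit reads a Privy-style “win ratio” field identically: a single slice with ratio 1 and everything else at 0 is a wheel with exactly one outcome.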

So, back to the whole emotional manipulation thing. I fail to understand how a CEO could sleep at night knowing that they are purposely toying with their customers’ emotions by using these kinds of tactics. Not to mention that the target market for Hush Blankets may already be struggling with their emotions to begin with. A wheel of fortune is supposed to have near-equal probability for all landing spaces. Wheelio has intentionally designed this app to be rigged, and they boast about it!

Hush Blankets isn’t the only company doing this, either. Take a stroll through the over 350 reviews on the Shopify app page and you’ll find many, many more companies using this tactic. Companies like Hey Casey!, which lists a 20% off coupon with 0 gravity, or Wavy Prints, which has a free print coupon with 0 gravity. Interestingly, whether by accident or not, Wavy Prints did not actually disable their free print coupon, so I took the liberty of ordering their largest print of Kanye Crossing the Alps:

Two days later, Wavy Prints took their website offline, presumably because they thought they were hacked.

Karma is a bitch.

Update Mar. 31, 2020: Privy Enters the Arena

Let’s shame another company! Today one of my readers came across a clothing company called Pearlfeet which uses a very similar coupon wheel. This one has options like “100% Off,” “Free shipping,” and more! However, what I quickly found out is that this wheel is rigged just like the rest. This wheel is not hosted by Wheelio like the other sites; instead, it uses a new service called Privy, which also works on Shopify sites.

In this case, you enter your email to get spammed by their junk newsletter, and then the wheel always lands on the “10% Off” coupon. Check it out:

Once it’s done spinning, a “Thanks!” dialog box pops up with the code “PF10”:

I did some quick digging to see what was going on here. First of all, I cannot view the coupon codes on the wheel, since the developers of Privy were smarter than Wheelio and decided to keep that information server-side rather than download it all into the client’s browser. However, I did notice that the returned prize had a win ratio of 1 (signifying a 100% probability that it will land on the 10% off coupon… typical) and, even more interesting, that the coupon code is “EXAMPLE,” not “PF10” like the picture shows.

So what does this mean? It probably means that none of the other coupons exist, and in fact I would bet that every slice of the wheel is filled in with “EXAMPLE.” It also means that “PF10” is hard-coded somewhere. I looked back at the metadata for the “campaign,” which is downloaded into the browser before you even get a chance to see the wheel, and this is what I saw:

What you’re seeing here is that the “Thanks!” dialog box from before has the code “PF10” hard-coded into it!

This is why the wheel has no actual coupon codes: the code you get does not depend on the wheel at all. The wheel is just a fancy way to get you to enter your email and forever be bombarded with envelopes full of $#!&. Once that email is submitted and you’ve been entertained by the wheel, the 10% off coupon dialog box is displayed so that you can feel like you’ve won and need to use the coupon.

Very manipulative.

Mitch Talmadge

Facebook Production Engineer Intern • Aspiring Astronaut • Welder • Carpenter • Mechanic • Ham • Friend 😊