Social Manipulation of Online Recommender Systems

Juan Lang and Matt Spear and S. Felix Wu
University of California, Davis
jilang@ucdavis.edu, batman900@gmail.com, wu@cs.ucdavis.edu

Abstract. Online recommender systems are a common target of attack. Existing research has focused on automated manipulation of recommender systems through the creation of shill accounts, and either does not consider attacks by coalitions of real users, downplays the impact of such attacks, or states that such attacks are difficult to impossible to detect. In this study, we examine a recommender system that is part of an online social network, show that users successfully induced other users to manipulate their recommendations, that these manipulations were effective, and that most such manipulations are detectable even when performed by ordinary, non-automated users.

1 Introduction

Recommender systems are a common component of the online experience today, helping users find interesting content on sites like Slashdot and Digg, as well as guiding buyers to items on sites like Amazon, or to sellers on sites like eBay. Because a high rating confers advantages to the rated item or user, it’s unsurprising that manipulation of recommender systems is a common problem. Most existing work has focused on detecting automated shill attacks. Detecting such attacks is certainly necessary, and in some settings, only wide-scale automated attacks are likely to be effective, e.g. when the rating an item receives is unbounded. For example, on eBay or Amazon, a purchaser may wish to choose not just the most highly rated seller or item, but the one with the most positive interactions. In such a setting, an attacker would need not only to create many positive ratings, but also to refresh them. Nonetheless, there are many settings in which ratings are bounded, e.g. the top rated items of the day, or the most popular item in a group.
Alternatively, we could assume that existing shill detection and prevention techniques have removed automated attacks, and only social engineering attacks are possible. And in fact, documented attacks on eBay suggest that social engineering attacks have taken place¹, while on Amazon at least one publisher attempted to engage in such an attack². Given that social engineering attacks have taken place, we wish to ask, are they effective? That is, do they result in any advantage to the attacker? And, are they detectable?

¹ http://www.auctionbytes.com/cab/abn/y03/m09/i17/s01
² http://www.insidehighered.com/news/2009/06/23/elsevier