WHITEPAPER
Mobile Publisher Fraud
Four Ways Mobile Ad Campaigns Suffer from Fraud and How We Can Eliminate Them, for Good

Examining patterns of fraud in the mobile ad space

Mobile ad fraud is a multifaceted issue: it’s difficult to identify, and once advertisers are victimized, it’s often even more difficult to prove that any of the numerous forms of traffic tampering occurred in the first place. As the mobile economy continues to flourish and experience rapid growth, it seems that fraud is expanding and evolving alongside it rather than being preemptively eliminated by technological advances.

Over the course of the last several months adjust’s teams of data scientists and fraud experts have been poring over extensive data sets in order to identify key patterns signifying fraudulent behavior. Throughout the investigation we identified and targeted specific types of fraud affecting marketers’ user acquisition budgets. Specifically, we investigated forms of fraud exploiting CPI and CPA advertising schemes. Each form varies in its complexity and methods for targeting user acquisition campaigns, but the result is still the same: marketers pay for fraudulent activity.

In the following paper, we identify 4 basic forms of fraudulent activity and standard industry solutions – and then suggest a variety of preventative measures we believe should become the new industry standards.
MOBILE PUBLISHER FRAUD
2
4 Forms of ad fraud targeting user acquisition campaigns

Faulty Targeting: generates clicks and installs from untargeted and unwanted users

Publishers are unable to tamper with information such as a user’s country, device type or time of conversion: at the moment a user clicks on admedia, the information passed is shared solely between the user and the attribution solution being used. However, ad networks can’t always make sure their publisher sources are correctly targeting the correct countries – and often times, even when a publisher’s targeting is correct there are a number of ways things can go wrong.

Faulty targeting refers to traffic that comes from mistargeted countries or device types – sometimes up to 6%.

Marketers are most vulnerable when networks charge on a country tier model: essentially, a network determines how valuable countries are and then develops a hard-tier payment structure. Advertisers are charged for campaigns according to which country they tell the network to target.

Meanwhile, mistargeted users are acquired in untargeted markets on a lower (or non) payment tier; in the case of mistargeted device types, the advertised product may not even be fully available to users of mistargeted devices. As a “bargain,” the resultant subpar traffic is then sold to the advertiser, and advertisers pay for overpriced or valueless traffic.

In its most benign forms, this is simply an innocent mistake of inaccurate location targeting or data on the publisher’s side. In its more malicious form, however, it is the irresponsibility and even greed of knowing players who are unwilling to implement responsible methods to monitor poor traffic sources, and are unfairly charging advertisers.

Automating User Activity: fakes installs on simulated devices

Automated user activity refers to the simulation of entire devices, the same way they would be in a development environment. Clicks, installs, sessions, and in some occurrences even in-app user behavior are then triggered endlessly by server-side software.

The amount of capacity required to successfully run such an operation requires a facility able to house and power the necessary equipment. As a result, this scheme is most commonly run out of data centers, where these reams of falsified activity are produced at scale daily.
Poaching Organic Installs with click spam and pre-loading ads

Often optimistically rebranded as “pre-loading” clicks, background click fraud poaches organic users: fraudsters essentially carve out a piece of an app’s organic user base and claim it as their own. On the fraudster’s end, this is essentially a game of random chance. As users run an app or browse a mobile site, numerous – oftentimes hundreds – of ads are being served in the background and executing clicks, entirely out of sight. In the in-app or native ad space, this is generally referred to as “pre-loading.” In mobile web, it is referred to as click spamming – when a click devoid of human interaction executes an invisible redirect.

In contrast to pre-loading clicks, pre-cached ads are a common way to spare a user’s data plan and offer an enhanced user experience in ad delivery: admedia is cached while a user’s device is on wifi in order to shorten the load time for creatives, allowing users to access admedia instantaneously once on a mobile connection. However, there is no justification for pre-loading the click logic, which takes only milliseconds to execute or can be executed in parallel with redirecting the user to the app store.

Pre-loading or click spamming create the opportunity for device ID and fingerprint spamming: sending a myriad of background clicks for a multitude of offers from as many devices on the market as possible. This will net fraudsters the sufficient monetization of an app or inventory – all by random chance alone. Under this model, a percentage (for some apps, the percentage is quite substantial) of the users who organically installed will have unknowingly had an ad served. In the end, advertisers pay a CPI to a performance channel for organically acquired users who were never served a visible advertisement.
Faking SDK-Triggered Installs: driven via fraudulent HTTP calls

HTTP is an application protocol running a request-response protocol: each time you’re using the Internet, your device is continuously communicating with another device to send, request and receive the data required for browsing the web.

[Figure: fragment of an HTTP query string, …&idfa=AEBE52E703EE-455A-B3C4E57283966239…]

HTTP is what makes the Internet great – in fact, it’s what makes using the Internet possible. At the same time, it’s not a perfect system. HTTP isn’t encrypted, so information passed between one device and another is fully readable if somebody wants to do so badly enough. The data passed back and forth between parties can be intercepted if networks and partners aren’t using an encrypted HTTPS connection.

To fake an install via a falsified HTTP request, a fraudster simply has to learn the HTTP query pattern of networks and tracking partners who aren’t properly encrypting their data, and then use this information to spoof SDK-transmitted install data.

If the network is not properly secured, fraudsters can target these weaknesses to spoof installs: once fraudsters have identified the key components of a platform’s communicative structure, they can poach essential install attribution information – which, depending on the attribution solution, can include information like the Bundle ID and campaign parameters – and use this to spoof an SDK-transmitted install by passing URLs with modified campaign and device parameters. Thus, advertisers are charged for installs at the fault of irresponsible and undersecured service providers.
Prevention, not detection, is the key to fighting mobile ad fraud

In recognition of fraud’s continued pervasiveness, “fraud detection” has become an industry buzz term, with numerous, reactive solutions proposed to bring about its end. But detection deals with the wrong end of the problem. By the time fraud is detected, the money invested has already been spent – and even worse, the subsequent campaign data is distorted, resulting in anomalous campaign data and perverting its usefulness for future campaign optimization and spend. This results in advertisers dealing with corrupted campaign data and lengthy arguments about chargebacks – and in these situations, the best case scenario is that advertisers will have their money refunded following several weeks of investigations and filing. Thus, it is ill-considered to focus on only detecting fraud.

To remove this burden from the advertiser and to discourage fraudulent activity in general, the industry should instead approach the problem from the other end of the funnel: by preventing it. By wholly eliminating attribution for untrusted, sub-par and tampered traffic, the industry can significantly reduce and eliminate several forms of mobile ad fraud.

There is something to be said for the complexity of the given task. Creating preventative tools to eliminate fraud may seem entirely unrealistic, but how many fraudsters are actually good at what they do? The vast majority depend on the inaction of the industry and the difficulty in identifying fraudulent behavior after the fraud has already been committed.

The following are current industry solutions to the four forms of fraud we outlined above, in addition to our suggestions for standard preventative solutions.
Corresponding Reactive Solutions and Alternative Preventative Approaches

Eliminate the issue of faulty targeting by denying attribution for non-targeted countries

The simplest way to keep advertisers from being affected by malicious forms of faulty targeting is for attribution solutions and networks to work together to eliminate the problem.

End faulty targeting problems by changing pricing models and denying attributions

Networks should implement a simple pricing solution: instead of adapting tiered pricing campaigns, advertisers pay CPIs on recognized install country instead of campaign targets. Advertisers then give networks a list of countries they are targeting for their user acquisition campaigns and negotiate a separate CPI for untargeted countries.

Attribution services can also mitigate these circumstances by allowing advertisers to whitelist the users they are targeting within their attribution platform – attributions from only targeted countries or device type can match, and any install from a user not matching the targeting criteria will not be attributed.

Publishers are subsequently incentivized to target correctly, and advertisers are released from the burden of paying attribution for installs that don’t match the agreed criteria. This means they no longer need to sort things out after the fact by recalculating payouts or requesting refunds from their networks.

Stop simulated device fraud by setting up an IP blacklist

Simulated device fraud has one major problem: the IPs associated with the traffic are identifiable.

Common strategies for detecting geo-spoofed fraudulent activity

Any activity registered from networks associated with data centers would be easy to identify. Payouts are subsequently at risk; thus, this form of fraud depends on geo-spoofing to decrease chances of discovery.
Geo-spoofing is difficult to mitigate via reactive solutions. Standard industry practices favor an extensive, manual approach: identifying this behavior by combing through weeks of exported data to search for clusters of IP addresses and subnets that belong to data centers or anonymizing services.

With this manual analysis approach, the industry largely places the onus on the advertiser to recognize the potential for fraudulent behavior to have occurred, and occasionally advertisers must even investigate the relevant data themselves or entrust their data to a third party. Additionally, should the advertiser request an investigation, the volume of data needed for proper identification is so great that weeks of data are required to commence one.

Stopping geo-spoofing in its tracks with preventative measures

Preventing fraudulent activity masked with geo-spoofing is as simple as blacklisting IPs – it is so simple, in fact, that it should be an industry standard.

While services like VPNs and Tor have a variety of uses, it is unusual for them to be associated with a mobile device – so it makes very little sense for mobile installs to be reported from fixed subnets associated with a data center or hosting server. Such activity is generally indicative that the install was simulated.

Thus, a vigorous cross check of all incoming installs for IPs belonging to data centers, VPNs, Tor exit nodes, or server endpoints can eliminate forms of geo-spoofing fraud. Generally, a smartphone’s IP is either drawn from their carrier’s IP pool, or from the IP of their wifi ISP; in contrast, servers have fixed IPs. Attribution services can exploit the differences between IPs associated with mobile devices and IPs associated with fixed, commercial installations. Any install coming from an IP address associated with the aforementioned services should be rejected – blocking the faulty attribution before it happens.

Prevent poached organics with statistical modeling.

The issues stemming from pre-loading and click spam can be alleviated by creating an attribution model based on gathered click-to-install data.
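
The IP cross-check and the targeting whitelist described in the sections above can be applied as a single gate in front of attribution. The following is an added example, not code from the whitepaper or from adjust; the function names, record fields and CIDR ranges are assumptions, with reserved documentation ranges standing in for real data-center, VPN and Tor exit-node lists.

```python
import ipaddress

# Constructed blocklist: reserved documentation ranges stand in for the
# data-center, VPN and Tor exit-node ranges a real feed would supply.
BLOCKED_RANGES = {
    "datacenter": ["192.0.2.0/24", "2001:db8:dc::/48"],
    "vpn": ["198.51.100.0/25"],
    "tor_exit": ["203.0.113.7/32"],
}

_NETWORKS = [
    (ipaddress.ip_network(cidr), label)
    for label, cidrs in BLOCKED_RANGES.items()
    for cidr in cidrs
]


def classify_ip(raw_ip):
    """Return the blocklist label the address falls under, or None."""
    try:
        addr = ipaddress.ip_address(raw_ip.strip())
    except ValueError:
        return "unparseable"  # fail closed: no attribution without a valid IP
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot slip past IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for network, label in _NETWORKS:
        if addr.version == network.version and addr in network:
            return label
    return None


def attribution_decision(install, targeted_countries):
    """Decide before attribution; a rejected install is never credited to a source."""
    label = classify_ip(install["ip"])
    if label is not None:
        return ("reject", "ip:" + label)
    if install["country"] not in targeted_countries:
        return ("reject", "country_not_targeted")
    return ("attribute", "ok")


# Constructed install records (hypothetical field names).
SAMPLE_INSTALLS = [
    {"ip": "192.0.2.44", "country": "DE"},           # data-center range
    {"ip": "::ffff:198.51.100.9", "country": "DE"},  # VPN range, IPv4-mapped
    {"ip": "203.0.113.7", "country": "DE"},          # Tor exit node
    {"ip": "100.64.12.5", "country": "DE"},          # not listed, targeted country
    {"ip": "100.64.12.6", "country": "BR"},          # not listed, untargeted country
    {"ip": "not-an-ip", "country": "DE"},            # malformed input
]

if __name__ == "__main__":
    for record in SAMPLE_INSTALLS:
        print(record["ip"], attribution_decision(record, {"DE", "FR"}))
```
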
Common strategies for detecting click spam and pre-loaded ads

Tactics generally rely on identifying anomalous click-to-install time distributions. For instance, in reviewing our data sets, we determined the anomalous click-to-install time distributions indicating background clicks: since sources exploiting click spam and preloading scams cannot influence the time at which a user actually installs, the result is a flat distribution of installs over time. In contrast, campaigns receiving traffic from genuine advertising activities have an inversely exponential click-to-install time distribution.

This difference is caused by click spamming and pre-loading, which leads to installs being poached at random intervals. What should have been an organic install is instead attributed to a paid source, sometimes days later depending on the advertiser’s attribution window and the frequency of the click spamming. However, the vast majority of real users install an app almost immediately after clicking on an ad and being redirected to the applicable app store.

Current industry practices favor finding patterns like the one above via manual data investigation, and once more, the onus is placed on the advertiser. Advertisers must sift through suspicious-looking data and, in some cases, pinpoint the source themselves before submitting it to their network to review. And not only must the advertiser request the review – they must also provide drastically large amounts of data in order for an examination to even be possible.

Preventing organic installs from being poached

First, a rigorous fingerprinting scheme is essential for preventing exploitation. In attributional terms, “fingerprinting” is a fallback attribution method: by matching a variety of characteristics between click and install, a specific click can be matched to a specific install as long as it occurs within a specified attribution window. The stricter the fingerprinting scheme, the harder it is for fraudsters to tie faked clicks to organic installs (in adjust’s case, our fingerprinting scheme includes five data points for secure matching).

Additionally, the industry can build tools to identify anomalous click-to-install time distributions before the fraud occurs, rather than reviewing the data for such patterns after fraud is suspected. In our research, we constructed a profile identifying the key differences in click frequency, conversion rates and click-to-install time distribution for genuine traffic and for click spamming campaigns. Distribution Modeling uses a slightly more complex version of these findings as the basis of how it detects this activity, and then subsequently registers outlier installs as organic installs.
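
A simplified version of the distribution check described above, as an added example that is not adjust's Distribution Modeling: it compares each source's click-to-install delays with a flat distribution over the attribution window using a Kolmogorov-Smirnov distance. The window length, thresholds, source names and sample delays are assumptions constructed for illustration, and the "mixed" label goes beyond the two cases the paper describes.

```python
import math

WINDOW_HOURS = 7 * 24   # assumed attribution window (hypothetical value)
KS_CRIT_1PCT = 1.63     # asymptotic KS critical coefficient at the 1% level


def ks_vs_uniform(delays, window=WINDOW_HOURS):
    """Return (D_plus, D_minus) between the sample ECDF and Uniform(0, window)."""
    xs = sorted(min(max(d, 0.0), window) / window for d in delays)
    n = len(xs)
    d_plus = max((i + 1) / n - x for i, x in enumerate(xs))
    d_minus = max(x - i / n for i, x in enumerate(xs))
    return d_plus, d_minus


def classify_source(delays, window=WINDOW_HOURS, min_installs=50,
                    late_after=24.0, max_late_share=0.2):
    """Label one traffic source by the shape of its click-to-install delays (hours)."""
    n = len(delays)
    if n < min_installs:
        return "insufficient_data"
    d_plus, d_minus = ks_vs_uniform(delays, window)
    if max(d_plus, d_minus) <= KS_CRIT_1PCT / math.sqrt(n):
        return "flat"            # timing indistinguishable from random chance
    late_share = sum(d > late_after for d in delays) / n
    if d_plus > d_minus and late_share <= max_late_share:
        return "front_loaded"    # installs cluster right after the click
    return "mixed"               # decaying head plus a long flat tail


def constructed_samples(n=400, mean_hours=0.5, window=WINDOW_HOURS):
    """Deterministic sample delays (constructed, not measurements)."""
    q = [(i + 0.5) / n for i in range(n)]
    genuine = [-mean_hours * math.log(1.0 - p) for p in q]  # exponential quantiles
    spam = [p * window for p in q]                          # spread evenly over the window
    mixed = genuine[::2] + spam[::2]
    return {"genuine_network": genuine, "spam_network": spam, "mixed_network": mixed}


def review(sources):
    """Classify every source in a {name: delays} mapping."""
    return {name: classify_source(delays) for name, delays in sources.items()}


if __name__ == "__main__":
    for name, label in review(constructed_samples()).items():
        print(f"{name:16s} {label}")
```
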
Block opportunities for fraudulent HTTP calls by securely transmitting data.

Stopping fraudulent HTTP calls simply requires the industry to implement proactive measures across the board.

Prevent tampered HTTP calls

First and foremost, the encryption of all data transmitted is incredibly important. You can do this by ensuring your SDK transmits all data with SSL (Secure Sockets Layer) encryption for all traffic. SSL is a security protocol that facilitates safe communication between client and server, and is signified by the presence of HTTPS (versus the standard, unencrypted HTTP) in a URL. An SSL certificate signifies that the data will be fully encrypted before being sent to the recipient, who is then the only party capable of decrypting and processing the data. SSL is the most common form of encryption on the web: when you send credit card or other sensitive data through a website, it will transmit the data with SSL encryption to prevent it from being read by a third party.

However, SSL won’t help much if your analytics solution relies on poachable information like publicly viewable bundle identifiers. Thus, the introduction of a shared secret for traffic verification will further secure your data – in adjust’s case, our SDK relies entirely on a compiled shared secret to verify your traffic: your app token.

The shared secret principle is a cryptographic method that ensures the integrity of your communications by authenticating the transmissions between communicating parties, such as an SDK and a server. This means that without your app token, spoofing traffic is impossible; this, along with SSL encryption, virtually eliminates the threat of false HTTP calls.
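
One way to apply the shared-secret principle to an install request, as an added example rather than adjust's SDK protocol: the client tags the request parameters with an HMAC-SHA256 keyed by the secret, and the server recomputes the tag before accepting the install. The parameter names, the secret and the timestamp freshness check are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

MAX_SKEW_SECONDS = 300  # assumed freshness window for the signed timestamp


def canonical(params):
    """Sort and encode the parameters so both sides sign identical bytes."""
    return urlencode(sorted(params.items())).encode("utf-8")


def sign_install(params, secret, now):
    """Client side: add a timestamp and an HMAC-SHA256 tag, return the query string."""
    signed = dict(params, ts=str(int(now)))
    tag = hmac.new(secret, canonical(signed), hashlib.sha256).hexdigest()
    return urlencode(dict(signed, sig=tag))


def verify_install(query, secret, now):
    """Server side: return (accepted, reason) for a received query string."""
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        return False, "duplicate_parameter"
    tag = params.pop("sig", None)
    if tag is None or "ts" not in params:
        return False, "missing_signature"
    expected = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes avoids leaking how much of the tag matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad_signature"
    if not params["ts"].isdigit() or abs(int(now) - int(params["ts"])) > MAX_SKEW_SECONDS:
        return False, "stale_timestamp"
    return True, "ok"


# Constructed values: secret, bundle ID, campaign name and device ID are placeholders.
SECRET = b"constructed-shared-secret"
INSTALL = {"bundle_id": "com.example.app", "campaign": "spring_promo",
           "idfa": "00000000-0000-0000-0000-000000000000"}


def demo():
    """Verify a genuine request and three requests the server must refuse."""
    genuine = sign_install(INSTALL, SECRET, now=1_700_000_000)
    tampered = genuine.replace("spring_promo", "other_network")  # modified campaign parameter
    unsigned = urlencode(INSTALL)                                # built from public fields only
    return {
        "genuine": verify_install(genuine, SECRET, now=1_700_000_030),
        "tampered": verify_install(tampered, SECRET, now=1_700_000_030),
        "unsigned": verify_install(unsigned, SECRET, now=1_700_000_030),
        "replayed": verify_install(genuine, SECRET, now=1_700_086_400),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```
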
A Call for Industry Responsibility

There are a variety of strategies key industry players can employ to dramatically reduce and even eliminate user acquisition fraud. Notably, third party attribution solutions (like us) stand between the advertiser and network or publisher, giving us a unique opportunity to create tools and features capable of mitigating the effects of fraud. As a result, we believe our role as an unbiased third party requires us to assume a regulatory role and act in the interest of the mobile advertising economy’s future.

In adjust’s case, we recently rolled out our new Fraud Prevention Suite, which uses a handful of the tactics above to fight user acquisition fraud. As we continue to expand the program, we look forward to seeing the industry evolve alongside us to fight fraud in the coming months.

However, attribution solutions alone cannot singlehandedly eliminate fraud from the mobile ad ecosystem: to effectively stop fraud from being profitable, the industry itself needs to move towards responsible traffic filtering as a whole – which is why we encourage all industry players to work to develop the tools necessary for a healthy mobile ad economy.

It is arguable that as long as there is money to be made there will always be fraud. Call it realism, call it a symptom of the market, call it whatever seems right – all that matters is that we as an industry will finally take responsibility.
www.adjust.com