How Spyke Media is Detecting Fraud

1

Frank is the organizational head of German mobile investor and incubator Venista Ventures and its spin-offs focusing on mobile products and related services. He currently holds the position of COO at Venista and, in parallel, is the managing director of Cologne-based mobile marketing specialist Spyke Media. He has gathered years of experience in managing positions in the mobile industry, overseeing international expansion as well as the establishment of international affiliate programs. Prior to entering this sector, Frank had studied information systems and worked several years as a manager in logistics and supply chain management.

FM

We defend our mobile territory

When an industry becomes successful and meaningful, this often leads to an unwanted development. It happened to almost any innovation. Any time a product or a service revolutionizes old patterns, a small number of people look for their shady niche and try to benefit illegally . In most cases, the pioneers and drivers of such an industry will start fighting for what’s their cause and the right one.

fraud_tool_screen1

This intro may seem a little far-flung, but this comparison did come to our minds when we first sat down in order to fight fraud activities in mobile performance marketing back in 2013. We could’ve just moaned about it, but we took on the challenge and decided to tackle these threats to our business head-on. In order to fight fraud together with other players and in a transparent manner, we have now come up with an own fraud detection process and a complimentary tool to discover fraudulent activities. Looking at the patterns that we see, we categorize fraud by three different types.

Click fraud

The first type is what we call ‘click fraud’, which is really not a very big nuisance for our business because we are a performance-based agency. Nevertheless, we had some cases in the past where this kind of fraud made us buy traffic on a CPC-basis and which we could never monetize.

But let us explain: When talking about click fraud we speak of bots generating a tremendous amount of clicks. Naturally, these clicks will never result in a conversion because it is only click-based fraud. If this occurs, we see such low conversion rates that we would dismiss this traffic source anyways, because we are looking for traffic that fits the demand of high standards from our advertisers. Detecting this kind of fraud seems quite easy because of the unusually low conversion rates, so we won’t focus on it in this piece.

Tricked conversions – clickjacking and cookie dropping

The second type we identified has the potential of becoming a real problem mainly to mobile subscription services but also can be a threat to app promotion: these are the so-called ‘tricked conversions’. There could be two ways of getting a user to trigger a paid conversion without his knowledge.

The first one is the common phenomenon of clickjacking. In this case fraudsters implement iframes on JavaScript-enabled mobile services/sites. These iframes put an overlay onto the actual site you are on. This can trick you into clicks based on the promise of some gifts or other claims which disguise that you are opting into a subscription model. Sometimes these iframes only hide parts of the actual service like details about pricing and contract period of this particular mobile service. These overlays lead to clicks and opt-ins for subscription models a user never knew of. An easy way to fight off such clickjacking activities could be to disable the JavaScript and therefore disallow iframes to load in front of the real landing page. Unfortunately, fraudsters found a way to work around such measures.

In terms of cookie dropping the user is not actually tricked into a conversion. It is always the users’ intention to download the app, but this isn’t triggered  via a direct click on a paid creative, but by other ways. To specify: Cookie dropping – in mobile terms rather called “fingerprint steeling” – means that some publishers lead the browser to believe that a user has clicked on a banner. Then the site behind this banner is leaving a tracking-cookie or is registering the fingerprint of the user’s device in order to maintain the info that the user came from that publisher’s mobile site. Now, the users won’t actually be forwarded to the advertiser’s site because they never actually clicked the banner. But if it happens to be that they somehow access the advertiser’s site through other channels like word-to-mouth, Google Search , or because they saw a TV ad, the advertiser will recognize the cookie/fingerprint that was dropped and will pay the agreed commission to the publisher who left it there regardless of the user’s will. So this is basically a real conversion where only the starting point is based on a fraudulent activity and might only work well with really big and popular campaigns and apps.

Fake installs fraud

The third type of fraud we’d like to discuss is the most common fraud version where people or bots fake actual installs. This form of fraud is the main reason why we decided to build a complimentary tool visualizing crucial data with the goal to indicate and easily spot install fraud. The first thing we always look at – which might not even be breaking news to you – are conversion rates. Unusually high conversion rates should always make you wonder whether all these installs came organically or from bots or people who are doing nothing besides of triggering installs with several devices during their workdays. Yes, this might sound strange but there are actually some ‘install farms’ where people create conversions for a living.

fraud_tool_screen2

Click time to conversion time differential

If the conversion rate looks somehow suspicious you should have a closer look at the data. We have found out that the time difference from click to an actual install is a good indicator to look at. Usually it takes different users different time frames from a click to an install. This is a result of different internet connections, devices, or even user behavior as some people do not open an installed app directly after the download. Remember an install is only measured when the app is opened for the first time. So if you can see an absurd number of conversions which happen to share the exact time frame between click and install, this might be an indicator of fraud.

More parameters to be aware of

If the click time to conversion time differential shows no indication of fraud but you are still wondering why the conversion rate is so high, you should also look into the IPs your installs are coming from. An IP doing 10 installs or more is highly unlikely and – if present on a list of  known botnets – a clear indicator of fraud.

Adding to this you should also have a look at the ISPs your installs are coming from. For instance, in Germany there are three major mobile networks, Telekom, Vodafone and O2/E-Plus as well as a handful of bigger landline ISPs. If there is a big amount of conversions coming from ISPs with different names you might want to check it. We had some cases where the conversions came from a ISPs, which were known server hosting companies. This is a clear indicator of fraudulent conversions.

One last thing you could check are the user agents the conversions are coming from. A user agent is composed of the used mobile device, its software version as well as the browser the individual is using. So if there is a campaign showing that the majority of installs are coming from a few specific devices, e.g. 30% of conversions from a Samsung Galaxy 2, this might also be fraud. People tend to have a new phone almost every two years.

Remember,, these anomalies should always be significant so that you can extrapolate from them to fraud. Luckily in most cases you see a combination of the patterns mentioned above. If a bigger portion of conversions from Samsung Galaxy 2s is coming in every 20 minutes with very similar timeframe between click an conversion you can be quite sure that you are looking at fraud.

fraud_tool_screen3

Fraud detected – and now?

In the paragraphs before we showed you how Spyke Media detects fraud and what we do to discover clear indicators in order to solidify our suspicions. The question is: What are we doing if we detect such patterns? It doesn’t happen often, but it needs to be addressed as quickly and urgently as possible to prevent a broken-window effect. The first answer is pretty simple. Our account managers contact the traffic source and make a case that the traffic coming from this particular affiliate looks suspicious to us. If the publisher denies our accusations we present him a deep look into our visualized data to confront him with our evidence and data. At this point publishers either need to have a convincing explanation or they might fold and admit that they were trying to deceive us. The usual procedure after we have established his points to be wrong and his behavior to be fraudulent  is to block his account and end the business relationship with him immediately, always with the option to push legal procedures.

This leads back to the beginning where we talked about new industries getting bugged by people who are trying to benefit from betraying consumers on the back of a game-changing technology. Yes, they might find a way to do that for a while, but in the end the people who are fighting for a good cause will always find a way to fight back, detect such behavior and prevent these guys from discrediting a whole industry. We have taken on this task as a high priority and welcome everybody who wants to join the fight against the fraudsters.

Get in touch with us through fraudprevention@spykemedia.com.