Percentage increase in ad spending, compared to ad spending in 2014.These pay-per-install and pay-per-engagement ad campaigns allow marketers to track their return on investment (ROI) more accurately. Traditional advertising models based on impressions or clicks have long been plagued with spoofed traffic from automated software, with fraud reported to be as high as 80 percent. Now, by paying only when the app is installed for the first time or when a newly registered user launches the app multiple times, marketers effectively raise the bar for install fraud because it is much more difficult to spoof app installs or simulate active users. Not to be outdone, online criminals have quickly adapted to follow the money. After all, the average payoff for an install can be 430 times more than an impression. Online criminals deploy multiple advanced techniques to commit ad fraud, including:
- Malicious apps: Malicious apps can spoof legitimate apps (e.g., by modifying app headers to pretend to be a known legitimate app) to trick users into installing them. They then hijack the mobile device to download and install additional apps without consent from the user.
- Install farms: Human workers can be hired to commit install fraud by manually install/uninstall, launch, and interact with apps. Such human “sweatshops” (as shown in picture on right) charge app developers tens of thousands of dollars for a spot in the top app rankings.
- Mobile device emulators: Mobile emulators allows fraudsters to simulate a large number of distinct mobile devices on the same hardware. Each of these simulated devices can download and install apps while appearing as a new device.
Distribution of device models used in an install fraud campaign.The Rise of Engagement Fraud As marketers have grown less trusting of “per install” incentive ad campaigns, they have increasingly used campaigns that pay for active users rather than simply installs. However, fraudsters have been quick to adapt to exploit this compensation model as well. In a pay-per-engagement ad campaign for a mobile game app, the DataVisor team discovered thousands of fraudulent installs from residential networks located all over the U.S., where all of the users actively used the app multiple days following the install. This would appear to be legitimate activity, except that subsequent activities from those users were all from the same IP subnet located in Southeast Asia. For the two weeks following the initial install, all of those users consistently logged in every day, allowing the fraudulent ad channel to claim user acquisition fees for what were really dummy accounts.
Map of IPs from a distributed install fraud campaign. The installs were performed from IPs in the U.S., while subsequent user activities in the app were all from the same IP subnet located in Southeast Asia.The table below shows events logged by the game app for one of these fake users. The user installed the game app and registered for an account from the U.S., but subsequently logged in from an IP address located in Southeast Asia once per day over the next few days. It is likely that the fraudsters leveraged proxies for the initial install, such that they can pose as users from the targeted demographic in the U.S. The Ad Fraud Arms Race, and What You Can Do About It As advertisers and ad platforms adopt more sophisticated tracking technology and pricing models to drive performance, fraudsters are also becoming increasingly experienced at mimicking the behavior of real users to game the system. Compound this with the fact that fraudulent activities are often intermixed with legitimate activities, it means traditional fraud solutions that rely on IP/device reputation or blacklists are woefully ineffective today. But all’s not lost, and there are ways to fight back. App marketers should adopt a pricing model that matches their advertising goals. When mobile apps focus on user retention and other post-install activities, they are more likely to reduce the rate of fraud. In addition, seek advanced solutions that can adapt to constantly changing attack patterns. Ad fraud is a security issue coming from organized attack campaigns, and so should be treated accordingly – as more than a data problem. The real challenge is in distinguishing fraudulent traffic intermixed with legitimate activities, which requires not only big data tools, but also security domain expertise. With so much money to be made (and stolen) in the ad industry, fraudsters are going to continue to find ways to get paid. Make sure you’re doing everything you can so that their next payday is not on your dime.