The cybersecurity industry talks a lot about the sheer number of threats, but it’s not just a matter of quantity. In the mobile ad world at least, it’s easy to overlook just how sophisticated the operations of fraudsters have become. Not only are individual attack methods increasingly complicated and cunning, but the different fraud techniques often combine to make the fraud harder to detect. In this post we’ll break down five of the more sophisticated techniques.
Click Bot/Click Fraud
Click fraud uses malware-infected devices such as phones to make fake visits and clicks on ads. Fraudsters use all manner of tricks to get around attempts by advertisers to spot this scam. Specially designed malware can use ‘random’ delays and fake finger movements to better simulate a real human clicking an ad. Normally advertisers are the main victims of click fraud, but some criminals adapt the technique to target the device user as well. This can include falsely signing up to digital subscriptions, or making digital purchases charged to an airtime balance.
How it works
1. Fraudsters pay to use a botnet, a huge collection of devices hijacked by malware.
2. Fraudsters use the botnet to navigate to sites under their control and show ads from legitimate advertisers.
3. Fraudsters use the botnet to create millions of fake clicks on ads without the device owners knowing.
4. The ads are hosted on the fraudsters’ own pages, so they collect money from legitimate advertisers.
Click-jacking
Click-jacking is where users tap on buttons or links that make sense and seem authentic, but in reality they are clicking links hidden in invisible elements on a web page. Fraudsters have to stay one step ahead of browser and mobile operating system developers, finding new ways to hide the invisible elements without them being blocked or revealed. They also use carefully chosen wording and imagery to entice the user to click on a specific part of the page, for example showing what appears to be a link for a free offer or competition.
The fraudsters also use a sophisticated range of ways to take advantage of the click, such as sending users to an ad-laden site (and claiming revenue from the advertisers). They may redirect them to confusing web pages that entice or trick them into a digital subscription. Or they may simply use the invisible link to trigger a malware download.
How it works
1. Legitimate users tap or click on what they think is part of the visible page.
2. In fact the page includes invisible elements such as transparent ‘windows’ which include malicious links.
3. The browser thinks the user meant to click on the malicious link and follows it or performs an action.
Mobile Device Hijacking
Fraudsters use intricate techniques to get malware onto phones. This can include disguising or encrypting code in apps so that they evade security checks before going into the official Google Play Store. Other techniques include having an innocent-looking app secretly download and install other apps that do the real damage.
The malware loads ads repeatedly, again so that the fraudsters falsely claim revenue from advertisers. Apps often hide their activity from the users, for example running as a background process that begins as the phone boots up. That means there’s no visible activity and the malware won’t usually show up in a list of running apps.
How it works
1. The user unintentionally downloads an app containing malware.
2. The malware hijacks the device and can relentlessly load ads without the user ever seeing them.
3. The malicious “publishers” claim revenue for the ad views while the user remains unaware unless they notice data use spikes or overheating batteries.
Mobile Device Emulation
Some ad fraudsters use server farms or non-mobile devices for ad fraud, meaning they can make even more bogus clicks while still posing as a mobile device user. This requires carefully crafted techniques that disguise the true nature of the device making the bogus ad click, often posing as a specific phone or tablet model and even reporting a specific fake screen size.
Mobile device emulation takes advantage of advertisers who’ll pay premium rates to advertise on mobile devices rather than desktop computers. That’s driven by stats showing mobile users spend more online per month than desktop users and are twice as likely to make big purchases over $250.
How it works
1. Fraudsters use traditional desktop computers and servers to carry out the bogus views and clicks.
2. Emulator tools give the impression the traffic is coming from mobile devices.
3. Because there’s no need to hijack real mobile devices, there’s no risk of being spotted by device owners. Fraudsters get paid for the events in premium ad rates.
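One way an advertiser or ad network could test events for the emulation described above, as an added example that is not part of the original post: it checks whether the claimed phone or tablet model is consistent with the reported screen size, touch support and source network. The model names, field names, screen table and hosting range are all constructed assumptions.

```python
import ipaddress

# Reference data constructed for this example (assumptions, not vendor specs):
# logical screen sizes each claimed model may report, and hosting networks.
KNOWN_SCREENS = {
    "ExamplePhone-A": {(412, 915)},
    "ExampleTab-B": {(800, 1280)},
}
HOSTING_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # documentation range

# Constructed ad events as an ad SDK might report them (field names assumed).
EVENTS = [
    {"id": 1, "model": "ExamplePhone-A", "screen": (412, 915), "touch_points": 5, "ip": "203.0.113.20"},
    {"id": 2, "model": "ExamplePhone-A", "screen": (1920, 1080), "touch_points": 0, "ip": "198.51.100.14"},
    {"id": 3, "model": "ExampleTab-B", "screen": (1280, 800), "touch_points": 10, "ip": "203.0.113.77"},
    {"id": 4, "model": "ExamplePhone-Z", "screen": (412, 915), "touch_points": 5, "ip": "198.51.100.200"},
]

def emulation_signals(event):
    """Return the reasons an event's claimed mobile identity looks emulated."""
    reasons = []
    expected = KNOWN_SCREENS.get(event["model"])
    w, h = event["screen"]
    if expected is None:
        reasons.append("unknown_model")
    elif (w, h) not in expected and (h, w) not in expected:  # allow rotation
        reasons.append("screen_mismatch")
    if event["touch_points"] == 0:
        reasons.append("no_touch_support")
    if any(ipaddress.ip_address(event["ip"]) in net for net in HOSTING_NETS):
        reasons.append("hosting_ip")
    return reasons

def flag_events(events, min_signals=2):
    """Map event id -> reasons for events with at least min_signals signals."""
    flagged = {}
    for event in events:
        reasons = emulation_signals(event)
        if len(reasons) >= min_signals:
            flagged[event["id"]] = reasons
    return flagged

if __name__ == "__main__":
    for event_id, reasons in flag_events(EVENTS).items():
        print(event_id, reasons)
```

Requiring two or more signals keeps a single odd value, such as a new model missing from the table, from flagging a real user on its own.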
IP Address Emulation
This is a technique used to make any form of mobile ad fraud more effective. It involves using various techniques to change the IP address reported for requests such as clicks and ad impressions. Rather than the hijacked device’s IP, the reported address can be far away and even in a different country. This could be used to make the supposed human user appear to be in a more lucrative market, but it’s also commonly done to avoid having too many of the fake clicks reported from the same IP address and raising suspicion.
Fraudsters use complex techniques to disguise the device’s identity such as going through multiple redirections before initiating the connection to the ad server to create a complex digital trail. In other cases, the fraudsters use Virtual Private Networks and similar tools to create a different IP address as the supposed source of each view or click.
How it works
1. Click farms in China generate bogus non-human traffic to a website thousands of miles away.
2. A user’s hijacked phone in Brazil gets a high number of requests from an IP based in China. Fraudsters disguise the phone’s identity and location so advertisers cannot notice anything suspicious in activity logs.
3. Fraudsters get paid for the fake events such as ad clicks or views.
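Spreading clicks across many addresses defeats a simple per-IP counter, so a detection has to pivot on something other than the IP. The following added example (not from the original post) groups a constructed click log by a device identifier and flags devices whose clicks arrive from several IPs or countries within a short window; the log fields, the `device_id` and the GeoIP country column are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed click log: (timestamp, device_id, source_ip, ip_country).
# device_id stands for a stable identifier the ad SDK reports (an assumption);
# ip_country is assumed to come from a GeoIP lookup done at ingestion.
CLICKS = [
    ("2024-05-01T10:00:00", "dev-A", "203.0.113.10", "BR"),
    ("2024-05-01T10:02:00", "dev-A", "192.0.2.44", "CN"),
    ("2024-05-01T10:03:30", "dev-A", "198.51.100.7", "US"),
    ("2024-05-01T10:00:00", "dev-B", "203.0.113.55", "BR"),
    ("2024-05-01T13:00:00", "dev-B", "203.0.113.56", "BR"),
    ("2024-05-01T10:00:00", "dev-C", "192.0.2.1", "DE"),
    ("2024-05-01T18:30:00", "dev-C", "192.0.2.9", "FR"),
]

def find_ip_hopping(clicks, window=timedelta(minutes=30), max_ips=2):
    """Map device_id -> reasons its clicks look IP-emulated within the window."""
    per_device = defaultdict(list)
    for ts, dev, ip, country in clicks:
        per_device[dev].append((datetime.fromisoformat(ts), ip, country))
    findings = {}
    for dev, events in per_device.items():
        events.sort()
        reasons = set()
        for i, (t0, _ip0, c0) in enumerate(events):
            # Events from this one up to `window` later (sliding window).
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            if len({e[1] for e in in_window}) > max_ips:
                reasons.add("many_ips_in_window")
            if any(e[2] != c0 for e in in_window):
                reasons.add("country_change_in_window")
        if reasons:
            findings[dev] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for dev, reasons in find_ip_hopping(CLICKS).items():
        print(dev, reasons)
```

A device that legitimately moves between Wi-Fi and mobile data changes IP but rarely country within minutes, which is why the two signals are reported separately.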
Fighting Back Against Fraud
Sophisticated scams demand sophisticated solutions and that’s why it’s never been so important to have dedicated mobile security solutions that address the specific risks faced by phone and tablet users and the mobile industry as a whole.