The phantom (click) menace: Discovering a new fraud scenario
Fraud methods, techniques, and technology are constantly evolving and changing. Fraudsters continue to test anti-fraud solutions in creative ways in an effort to gain the occasional upper hand and maybe some of your marketing budgets.
AppsFlyer recently came across one of these cases. But it wasn’t a new fraud method, as much as it was a new fraud origin.
Whose click is it anyway?
In early 2021, our team started noticing a trend with some of AppsFlyer’s media partners. Ad networks claimed that they were being associated with clicks that in-fact had not originated from their network.
Some valid reasons for this could be technical issues or even the lack of awareness from user acquisition managers. As we delved deeper we noticed it was more than a trend but rather a pattern, and here began our investigation.
Instances of click flooding fraud were initially flagged through Protect360, AppsFlyer’s anti-fraud solution, for associated ad networks. It was important for us to keep open communication with our media partners and when we approached these networks presenting them with their disproportionate click volume we continued to receive the same answer. They all communicated that they were sure that the clicks in question were never delivered from their traffic, despite that their names were associated with clicks in question.
The response itself wasn’t surprising, as many ad networks often try to distance themselves from claims of fraudulent activity. However the pattern’s scale and similar characteristics across the different identified instances made it difficult to disregard.
It looked like there was indeed an additional party reporting these clicks on behalf of these networks.
So, who was responsible for these clicks, and why?
What would be the motivation for sending clicks on behalf of another ad network? Could it have been an attempt to tarnish a legitimate network’s reputation? Perhaps an attempt to damage an ad network’s relationships with certain advertisers?
All these options were considered, but the real answer surprised even us…
We approached additional ad networks who presented similar click flooding characteristics that fit the emerging trend.
Our suspicions were validated, as these networks also claimed to have no hand in generating the millions of clicks in question presented on AppsFlyer’s reports.
The only way to shed light on this situation was by implementing a new click signature mechanism AppsFlyer had recently developed.
We recommended the impacted ad networks to implement this feature, which enables AppsFlyer’s media partners to create an encrypted key and unique signature for all of their clicks. Click signatures are key when trying to distinguish between alleged fake clicks and valid ones provided by the partner.
After thorough analysis we identified all clicks that did not contain the valid signature, uncovering a surprising element to our investigation. All of these mysterious clicks were coming from ONE specific agency account, an agency that none of the media partners were working with, nor were they familiar with them in any way.
We reached out to other networks that appeared to have a working relationship with this mysterious agency. All of which replied with the same answer (which came as no surprise), “We’ve never heard of this agency.” And thus a new fraud scenario was unearthed.
How did this new fraud scenario come to play ?
Our investigation showed the following modus operandi:
The agency used various ad network integrations, of which a large majority contained very little activity. This increased the chances that their activity could fly “under the radar” and outside each ad networks’ scope. Furthermore, this also increased the chances that no ad network would approach the agency with inquiries about the traffic (or their cut of revenue).
In an act of splitting this activity across hundreds of ad networks and generating clicks on their behalf, it amounted to a very high volume of traffic. This enabled the agency to steal attribution credit from organic installs, as often seen in standard click flooding fraud scenarios.
Splitting click flooding actions across various sources is not a new fraud methodology, but having an agency perform this act through the ad network integrations was definitely surprising.
This type of abuse from fraudsters can result in both reputational and operational damages to our media partners.
For example: 10M clicks were sent on behalf of the ad network, generating 1,000 installs (CR of 0.01%) while in fact they were only actually sending 100K clicks (an actual CR of 1%).
The difference between these scenarios can not only harm the network’s reputation, but in some cases can also be considered as fraud or DDOS attack.
AppsFlyer is taking action, you should too
AppsFlyer’s Partner Development team’s most important job is maintaining a strong relationship with our media partners, and allowing us to attain precious feedback from all partners impacted.
After valid confirmation that this agency in question’s activity was in fact fraudulent we immediately shut down all of its integrations and terminated their relationship with AppsFlyer.
This case yet again emphasized the importance of protecting our media partners, their data, and their clicks.
While it may be tempting to point a finger of blame towards ad networks in fraud cases such as these, it is important to remember that they too are victims.
Keeping an unbiased and open mindset was key to identifying the actual fraudulent source and uncovering a new fraud scenario. The case stated above helped us improve our fraud detection algorithms, and Protect360 is now a better anti-fraud solution thanks to our team’s vigilance and quick response.
But it’s always better to be safe than sorry, AppsFlyer’s click signature mechanism is available for all integrated media partners, which is easy to implement and free of charge.
You can learn more about it here, or feel free to contact your Partner Development Manager or Integration Team for further support.