The new ad fraudsters: how today’s sophisticated ad fraud criminals steal marketing dollars

By John Koetsier November 27, 2019

Mobile marketers know that ad fraudsters are legion and that ad fraud is a multi-billion dollar problem. You’ve probably also heard that Singular has a deterministic fraud solution that is saving existing clients hundreds of thousands of dollars monthly.

But what is Singular saving clients from?

And what are the ad fraudsters doing now?

Ad fraud is continuously evolving in an ongoing arms race against fraud detection and marketers’ flight to quality traffic. Knowing which ad impressions are real and which clicks are fake, detecting fraudulent activity, and doing it all in a real-time bidding environment … it’s not easy. That’s something that our anti-fraud department takes very seriously, studying bad actors’ latest techniques to ensure that Singular clients get the advertising they pay for.

I spent some time with the head of Singular’s ad fraud detection team to understand what’s new in mobile ad fraud. And also, therefore, what’s working — and not working anymore — in ad fraud detection.

Ad fraudsters: new tactics

John Koetsier: There’s the common list of things ad fraudsters do that we see all the time … but what’s new?

Yonatan Komornik: Well, it’s interesting, because you’re seeing a wide spectrum of app install fraud. Many of the old, easier techniques are still around, but there’s also some brand-new higher-tech variations.

There’s physical device farms, which are very low-tech, and software-emulated devices in server farms, which are obviously a bit higher tech. There are bots to provide traffic, and SDK spoofing, which requires a little more technical know-how, plus click injection and click spamming.

There’s also auto-clicking … sending a click for an impression that’s presented to a user — which might not even be a real user. You could have both a fake user and a fake click.

Ad fraudsters are still doing all these things, and maybe it’s old news. But they’re also doing them in new ways.

Click injection, for instance, is still around. But fraudsters are now using different technology to detect when an app is being installed. Two years ago they could rely on getting an app broadcast when an app finished installing. Now, they’ve found ways to detect when an app starts downloading.

John Koetsier: So CTIT (click to install time) is not very useful anymore — at least for higher-tech fraudsters?

Yonatan Komornik: Exactly.

And click spamming is still happening too, but sophisticated criminals are finding ways to detect which users are more likely to engage … so they’re not just click spamming everyone everywhere. It’s targeted.

You could do it by grabbing a lot of device IDs, then faking clicks once a week from those devices. But that’s fairly easy to find — they can get caught easily. So now they’re matching the IP address from which the click is being sent to an IP address that the device is likely to be close to … they’re choosing their originating IP address.

And they’re using machine learning to build models that predict which users are more likely to download an app or convert on an offer. Plus, if an app is regional, the smarter fraudsters are only targeting IP addresses in that region.

John Koetsier: Interesting. They’re following legitimate ad networks in learning which users to target …

Yonatan Komornik: And getting pretty good at it.

A newer technique, and one which is growing significantly, is SDK spoofing. Ad fraudsters are figuring out how to bypass existing ways to spot SDK spoofing. You can also see via the retention curve that now they’re faking retention: they’re spoofing additional sessions, and are ensuring that it matches a normal retention curve of an app in that vertical and location.

They will go to great lengths to make their KPIs seem normal … they’ll send post-install events, and try to spoof revenue.

Interestingly, when there’s a lot of SDK spoofing from some of the paid channels, you also see a ton of fake organics. My best guess: fraudsters are doing that on purpose to make their KPIs seem less suspicious. If they create a bunch of fake users, we see a sharp increase in organic installs.

Essentially, they’re offsetting it by creating more organic users. Then they can hide the uptick in paid installs in a flood of new “organic” users. That leads to additional problems, of course. Now they’re shifting the visible KPIs of organic users, so that when you try to find anomalies in paid acquisition by benchmarking to organics … you can’t.

John Koetsier: Most fraud detection is statistical. What’s the problem with that?

Yonatan Komornik: If I’m an ad fraudster, I want to avoid statistical detection. So I just create a new publisher ID every couple of hours. I can’t be tracked to any of them.

Then I drive five installs from each publisher … now statistical detection methods can’t find them, because they don’t have enough data. Signing up for most ad networks or ad exchanges is easy: there’s no verification, and they pay you right away. Some networks are more careful … they will not pay publishers right away and will benchmark them for bot traffic, domain spoofing, ad viewability, brand safety, and so on.

But affiliate networks: they just take anyone.

Or, they’re mixing traffic. They’re driving fraudulent traffic and mixing it with authentic traffic. 100% fake installs is easy to detect, but if I drive 50% fake traffic and 50% real … it would just seem like my results or KPIs are low. But I don’t look super-fraudulent. Even if an app marketer is seeing 50% less retention, it’s pretty hard to say it’s fraud right away.

Also, this is generally very cheap traffic.

Some ad networks do this too. If you’re not ethical, and you need better profit margins … you can drive 10-20% fake traffic and boom, profits are up. A lot of people in the industry are trying to drive prices down, and when that happens … you can’t be too careful.

John Koetsier: How sophisticated are today’s fraudsters? Do they operate just like a regular software development team, with JIRA and other tools?

Yonatan Komornik: It depends. There are some small players, two-person teams, that probably don’t.

But there are definitely bigger players. That requires scale and teamwork … even multiple teams. Some of these are very geo-driven: they know their target market, they’re very familiar with a region, the networks, the people, and with the types of local users. So they’re able to target their attacks very effectively.

John Koetsier: One last question — if you’re a black-hat ad fraud engineer, how do you collect a lot of device IDs to target?

Yonatan Komornik: The easiest way: via real apps that collect this data. You install my flashlight app, and I can collect your usage pattern. I can also request a lot of permissions on my utility app.

Then, when I try to monetize my app, I might implement an SDK that pays me for some of this data, and then they engage in fraud. They’ll probably pay on a per-user basis, and they’re probably not very upfront about what they’re doing. Or it could even be an SDK that does something good and necessary … but also has data collection.

In addition, ad networks have tons of data. If they decide to go fraudulent, it’s pretty easy to do that, and then “boost” their click-through rates and ad spend. You can also collect device IDs via RTB (real-time bidding) exchanges … just by starting to bid on impressions.

John Koetsier: Thank you for your time!

Next steps

Get a demo of Singular’s DETERMINISTIC anti-fraud solution, as well as our overall optimization, ad spend, and attribution tools.

And, pick up a free copy of Singular’s report: The Death of App Install Fraud.
