Man
Professional
- Messages
- 3,077
- Reaction score
- 614
- Points
- 113
Ad fraudsters use user agent spoofing, a technique to hide their actions on websites and apps. It is also called browser/UA spoofing.
While this technology has some good uses, such as testing apps, websites and software, it is also often used for click fraud and other forms of fraud.
To find out how spoofing affects advertising campaigns, read this article.
Contents
1. What is User Agent?
2. What is User Agent Spoofing
3. Help with testing
4. Advertising fraud
4.1 Device obfuscation
4.2. Fake impressions
4.3. Geo-Clicks
5. Domain spoofing vs. UA spoofing
6. How to fight fraud
6.1. 1. Picasso by Google
6.2. 2. Comparison of marketing performance indicators with sales indicators
6.3. 3. Checking for abnormal traffic patterns
6.4. 4. Verification of marketing partners
Based on the user's User Agent, the site sees in what form the content should be displayed: for a PC or for a mobile device, an old or new version of the browser, etc.
For example, a large volume of traffic from one device when the agent is replaced looks like transitions from different devices - different advertising interactions.
The technology is also used for fraudulent targeted advertising campaigns.
For example, fraudsters generate traffic from a PC, but the advertiser sees alleged user transitions from a mobile device running the Android OS.
In addition to web developers, marketers also use spoofing. In this way, they check the correctness of displaying media advertising in different browsers. Based on the results, they decide whether it will be necessary to make adjustments to images and inscriptions or not.
As you can see, this is a useful technology if used for good. However, not all is well - scammers also actively use it.
The trick is that every time a user visits the site, their browser sends a fake user agent string, making them appear to be a unique visitor.
How it's done:
This form of device obfuscation allows the fraudster to click on ads or place display ads without being detected by advertising platforms.
For example, if you purchase programmatic advertising or buy impressions in YAN/KMS, it is preferable to set up protection against domain spoofing. This means that you will need:
If you are running an affiliate advertising campaign, you should be careful with device spoofing. Fraudsters will use User Agent substitution to generate fake leads and clicks. Spoofing will make them harder to detect, so they can claim inflated affiliate payments.
A clever scammer can drain your advertising budget on a regular basis over months or even years using device spoofing.
For example, Picasso can distinguish genuine traffic from iOS Safari on an iPhone from traffic sent by an emulator or desktop client spoofing the same configuration.
For example, an advertiser has a typical lead conversion rate of 33%. There are (assumed to be) 10,000 clicks through advertising channels. Thus, he expects to receive ~3,300 new leads.
However, if an advertiser encounters large-scale click fraud and fake lead generation via User Agent spoofing or other ad fraud methods, the conversion rate will plummet. Instead of the hypothetical 3,300 new customers for every 10,000 clicks, the advertiser will only get 300 — the conversion rate will drop from 33% to 3%.
An awkward situation with the loss of budget to nowhere, or rather, to the pockets of scammers. A quick check and comparison of indicators should reveal a drop in conversion.
For example, an advertiser usually has a small number of clicks on an ad, and none at night. However, in the morning he notices a sudden surge of traffic of a thousand clicks from an advertising campaign at three o'clock in the morning. Of course, there is no need to even doubt this - this is a clear sign of fraud.
Or, for example, another situation - a systematic increase in traffic at night until the advertising budget is completely spent. Even if the analytics system shows that the transitions were made from different devices, browsers and OS, such a strange time of mass clicks may indicate clicking on advertising.
A fraudster may use spoofing to imitate various devices, while in fact carrying out an attack through bots from infected devices or click farms.
Being able to detect these fraudsters early and prevent them from participating in affiliate campaigns is an important part of combating fraud. After all, a malicious affiliate won’t be able to use device spoofing technology to click away ads if they are preemptively blocked for deceiving other advertisers.
When evaluating a partner, be sure to pay attention to the following signs:
While this technology has some good uses, such as testing apps, websites and software, it is also often used for click fraud and other forms of fraud.
To find out how spoofing affects advertising campaigns, read this article.
Contents
1. What is User Agent?
2. What is User Agent Spoofing
3. Help with testing
4. Advertising fraud
4.1 Device obfuscation
4.2. Fake impressions
4.3. Geo-Clicks
5. Domain spoofing vs. UA spoofing
6. How to fight fraud
6.1. 1. Picasso by Google
6.2. 2. Comparison of marketing performance indicators with sales indicators
6.3. 3. Checking for abnormal traffic patterns
6.4. 4. Verification of marketing partners
What is User Agent?
User Agent, also UA, is a user agent identification string that contains a piece of code in the browser that is specific to the site being visited. The string contains information about the browser, software version, device operating system, etc.Based on the user's User Agent, the site sees in what form the content should be displayed: for a PC or for a mobile device, an old or new version of the browser, etc.
What is User Agent Spoofing
User Agent spoofing is a fraudulent technique in which attackers change elements of the user agent string to hide details of their traffic.For example, a large volume of traffic from one device when the agent is replaced looks like transitions from different devices - different advertising interactions.
The technology is also used for fraudulent targeted advertising campaigns.
For example, fraudsters generate traffic from a PC, but the advertiser sees alleged user transitions from a mobile device running the Android OS.
Help with testing
Setting the User Agent string helps web developers check the compatibility of sites on different devices and in different browsers. For this purpose, Google Chrome has a special extension that allows you to quickly change the UA.In addition to web developers, marketers also use spoofing. In this way, they check the correctness of displaying media advertising in different browsers. Based on the results, they decide whether it will be necessary to make adjustments to images and inscriptions or not.
As you can see, this is a useful technology if used for good. However, not all is well - scammers also actively use it.
Advertising fraud
Attackers often use browser spoofing because it is more effective than a simple VPN or proxy. The most obvious way to spoof the User Agent string for ad fraud is to pass off a hidden or configured browser as the real one.The trick is that every time a user visits the site, their browser sends a fake user agent string, making them appear to be a unique visitor.
How it's done:
- A user (bot or human) enables an extension or other script to spoof the User Agent in their browser.
- Clicks on an advertisement (via a link in an advertisement) to go to the website.
- Then he clicks the ad again, but this time the data in the agent line changes automatically. Now for the advertised site, this is a new user.
This form of device obfuscation allows the fraudster to click on ads or place display ads without being detected by advertising platforms.
Device obfuscation
Bot farms and click farms usually operate either from server centers or from smartphones united into a single network. Often, attackers are territorially located in the Central Asian zone, China, and the Philippines. By changing the user agent, the botnet or farm operator can specify a completely different region, for example, California.Fake impressions
The methods of blocking invalid traffic that Google and Yandex use can be bypassed by changing the User Agent string. Thus, a click farm or other source of fake generation can use this trick to pose as "real" traffic.Geoclicks
By spoofing the browser, fraudsters change geographic settings: device language, time zone, and other location data. This allows them to offer advertisers traffic from a selected region or country. Of course, such transitions will not be organic.Domain spoofing vs UA spoofing
When comparing the two, what should you be most wary of? Ideally, it is important to protect yourself from both types of spoofing. The type of spoofing you should be wary of depends on what kind of online advertising campaigns you are running.For example, if you purchase programmatic advertising or buy impressions in YAN/KMS, it is preferable to set up protection against domain spoofing. This means that you will need:
- study the webmasters and publishers from whom you buy advertising - check their reputation and rating;
- use third-party software to check website URLs for substituted Unicode characters;
- Check the terms of your ad placement for low or unrealistic rates. For example, extremely low CPMs or below-average click-through rates for ads placed on “high-traffic” domains.
If you are running an affiliate advertising campaign, you should be careful with device spoofing. Fraudsters will use User Agent substitution to generate fake leads and clicks. Spoofing will make them harder to detect, so they can claim inflated affiliate payments.
A clever scammer can drain your advertising budget on a regular basis over months or even years using device spoofing.
How to fight fraud
With the right tools, device spoofing can be detected and stopped. Methods to detect scammers and block invalid transitions may include:1. Picasso by Google
How to detect those who do not want to be detected? The Google team has developed one interesting technology to combat spoofing. The tool is codenamed Picasso. It works on the following assumption: each device has unique features. The fingerprinting scheme is based on the unpredictable but stable “noise” that the user’s browser, operating system, and graphics stack create when rendering HTML5.For example, Picasso can distinguish genuine traffic from iOS Safari on an iPhone from traffic sent by an emulator or desktop client spoofing the same configuration.
2. Comparison of marketing performance indicators with sales indicators
An advertiser's expectation of potential leads in accordance with a configured sales funnel can be shattered by reality in the form of click fraud.For example, an advertiser has a typical lead conversion rate of 33%. There are (assumed to be) 10,000 clicks through advertising channels. Thus, he expects to receive ~3,300 new leads.
However, if an advertiser encounters large-scale click fraud and fake lead generation via User Agent spoofing or other ad fraud methods, the conversion rate will plummet. Instead of the hypothetical 3,300 new customers for every 10,000 clicks, the advertiser will only get 300 — the conversion rate will drop from 33% to 3%.
An awkward situation with the loss of budget to nowhere, or rather, to the pockets of scammers. A quick check and comparison of indicators should reveal a drop in conversion.
3. Checking for abnormal traffic patterns
An abnormal surge in traffic from fake devices is another sign of a targeted bot attack by ad scammers.For example, an advertiser usually has a small number of clicks on an ad, and none at night. However, in the morning he notices a sudden surge of traffic of a thousand clicks from an advertising campaign at three o'clock in the morning. Of course, there is no need to even doubt this - this is a clear sign of fraud.
Or, for example, another situation - a systematic increase in traffic at night until the advertising budget is completely spent. Even if the analytics system shows that the transitions were made from different devices, browsers and OS, such a strange time of mass clicks may indicate clicking on advertising.
A fraudster may use spoofing to imitate various devices, while in fact carrying out an attack through bots from infected devices or click farms.
4. Verification of marketing partners
There are countless scammers who create fake accounts to defraud companies with affiliate marketing and referral programs. They use bots to generate traffic and artificially inflate their numbers.Being able to detect these fraudsters early and prevent them from participating in affiliate campaigns is an important part of combating fraud. After all, a malicious affiliate won’t be able to use device spoofing technology to click away ads if they are preemptively blocked for deceiving other advertisers.
When evaluating a partner, be sure to pay attention to the following signs:
- abnormally large number of subscribers with little content history;
- extremely low content engagement rates;
- low quality engagement with content (e.g. non-unique or abstract comments);
- fake subscriber accounts.
