Sberbank of Russia. Fraud: what it is, where it comes from and how to fight it. The term "fraud"

A story about how fraudster Igor tried to get a payout but came away with nothing.

Fraud (from the English word "fraud"), in our case (affiliate arbitrage), is a type of deception in which an unscrupulous webmaster cheats an affiliate program or online stores, which most often work on a cash-on-delivery scheme (payment at the post office on receipt). How it works: the webmaster or an accomplice leaves a fake order for some product in the online store. The affiliate program's call center calls this lead (order), and the attacker confirms his intention to buy by phone. The store ships the order, and the affiliate program (PP) pays the webmaster for the lead (acquired customer). If the fraud is not uncovered, the dishonest webmaster receives the money, while the goods are never picked up and eventually come back to the store. The result is a loss.

An example of affiliate fraud at M1-shop

Our project always sides with webmasters. A few days ago, a post appeared in a public group in which Igor accuses M1-Shop of not paying him (16 thousand rubles for 26 orders) and of banning him just like that, for no reason, even though he is an honest webmaster.

You can read the text of the post yourself; it has gathered more than 100 comments. Get acquainted with the post and move on; there is no need to read all the comments, I will quote the key ones below.

Landing page statistics from the fraudster

What I initially liked about Igor was his openness: he wrote that he was ready to provide full access to the statistics of the Yandex Metrica counter installed on the landing page that the traffic was sent to.

At the time of writing, access to the Metrica counter was still open (link).

According to Igor, he bought traffic from teaser networks.

I looked through the statistics carefully; the most interesting findings are below.

All leads came from a device with the same screen resolution.

Not a single lead came from an external referral. Let me remind you that the author of the post claimed the traffic was teasers 🙄

Recordings of calls from the affiliate program's call center

M1-shop provided me with the call center recordings of all 26 orders. And what do you think? The customer was the same person every time. Fraudster Igor deserves the title of dumbest fraudster of the year 😀

I have the recordings of all 26 orders. M1-shop was asked to publish only the ones they had personally listened to from start to finish. One recording runs about 15-20 minutes. I listened to all the recordings myself: it is the same person placing the same order, each time in a slightly different way.

Recordings of the fraudulent call-center orders: https://disk.yandex.ru/d/QAlix2NJXFDuYA

Summary

It is unclear what Igor hoped to achieve by publishing this post and then also giving access to the Metrica statistics. Perhaps he thought that on the wave of hype he would be paid and given an apology?

The title of "Fraudster of the Year" goes to Igor))

Internal fraud is fraud committed by employees who exploit their position and their access to telecommunications equipment. The victims of such fraud can be both the company that employs the unscrupulous staff and its customers.

In English-speaking countries the word "fraud" means any kind of deception; in Russia the term fraud refers to a narrower category of crime, fraud in the field of information technology. Hundreds and thousands of streams of money flow through this area: payment for calls, Internet traffic, online purchases and orders, mobile banking. And many are tempted to divert a small trickle into their own pocket by fraud.

In general, IT fraud can be divided into four broad categories (the fourth, internal fraud, is defined above):

  • User fraud, also called subscriber fraud: fraud on the part of users, such as unauthorized connection to and non-payment for telecom operators' services, calls at someone else's expense, forgery of bank cards and card-not-present transactions.
  • Operator fraud: all kinds of dubious actions by companies towards their customers, such as automatic activation of paid services, expensive fees for unsubscribing from them, cards whose balance can be driven negative, etc.
  • Inter-operator fraud: attempts by operators to deceive each other, including all kinds of traffic redirection, presenting expensive types of communication as cheap ones, etc.

Classification and methods of internal fraud

In turn, internal fraud can be divided into two broad categories: theft and abuse. In the first case there is direct theft of money or other material assets; in the second, material or non-material benefits are extracted without direct theft.

As already mentioned, a lot of money is constantly moving in the IT sphere: from a client to a bank or operator, between clients, between firms. And some employees find a way to profit at the expense of the employer or clients.

For example, there may be fictitious services, services at inflated prices, or contracts with affiliated contractors. Fraud against the company's customers is also possible. This is especially true for mobile operators, where certain amounts are debited regularly, often several times a day, and if an employee adds a small charge that goes to his own account, the client is unlikely to notice. And since there are tens and hundreds of thousands of such customers, the total ends up being impressive.

In terms of abuse, information technology also offers a wide field of action. The range is very broad, from connecting friends to favorable intra-corporate tariffs up to issuing bills for millions for fictitious, most often informational (i.e. intangible) services.

Types of economic crimes: main areas of risk, what to look for

Overstating results is also a big problem. Many fictitious customers can bring an employee or department impressive real bonuses.

It is also worth noting abuse associated with access to equipment. Unlike traditional industry, where financial scams are the preserve of management and accounting, in the information industry technical specialists are also able to organize various fraudulent schemes by configuring servers and other equipment accordingly: for example, excluding certain types of traffic from accounting, or registering expensive calls as cheap and then connecting individual numbers to them. Such crimes are very difficult to detect and even more difficult to prove, because a misconfiguration can always be explained as a mistake.

Finally, IT companies are subject to all the abuses that existed long before the information age: hiring fictitious employees (usually friends and relatives of superiors), paying inflated bonuses, writing off still-working equipment in order to sell it, using company vehicles and other property for private purposes.

Who suffers from internal fraud

Fraudsters can target the company's equipment and software, paper and electronic financial documents, and employees both above and below them.

Servers, routers and other equipment are very vulnerable because their operation depends on many settings made by a narrow circle of specialists, which, as a rule, nobody else understands at all. This gives engineers and programmers ample opportunity to redirect traffic, falsify reports about it, and plant malware.

Persons with access to financial systems can either directly steal small, and therefore unnoticeable, amounts from the accounts of many clients, or issue false invoices, payments, requests for the return of allegedly erroneously transferred funds, etc.

Schemes that defraud employees may include overstating indicators to receive high bonuses, fake money-transfer requests, blocking and unblocking accounts, and extracting logins and passwords from colleagues with a higher level of access.

Threat Source

Three main sources of internal fraud in the IT sphere can be distinguished according to the objects they target.

People with a criminal past are more likely to commit fraud. Therefore, any company must screen a candidate before hiring, monitor his activities during his work, maintain a high corporate culture and implement effective motivation schemes, because decent and stable official earnings are more attractive than temporary, and moreover fraudulent, schemes that carry the threat of criminal prosecution.

It should be emphasized that special attention must be paid to working with people. Special risk categories should include people with a criminal record, system administrators and other employees with a high level of access, and people who transfer funds. A separate category is made up of departing employees, especially in the case of forced layoffs or dismissal for violations at work. Driven by resentment, or seeking compensation, they may try to steal databases, misconfigure equipment, or infect computers with malware.

Internal fraud risk analysis

All companies in which there is anything at all to gain are vulnerable to internal fraud: banks, government agencies, Russian Railways, the oil and gas industry and others. Another problem is the complexity of the industry. Employees, especially newcomers, often take a long time to master complex programs, and meanwhile operations are performed in violation of strict norms. And any violation is a loophole for fraud.

A clear, transparent structure with good internal controls leaves fraudsters very few opportunities.

In addition to internal audits, regular external audits are also required, both of technology and of financial transactions; they make it possible to identify misconfigured servers and computers and dubious money transfers. The very possibility that a fraudulent scheme will be uncovered will force many to abandon their plans.

It is necessary to analyze the performance indicators of both individual employees and entire departments. Sometimes a sharp rise is not a consequence of improved performance but a fraudulent inflation aimed at obtaining large bonuses.

Finally, the overall corporate culture is of great importance. Where it is absent and labor discipline is low, everything often begins with small abuses to which a blind eye is turned. Impunity pushes a person to seek (and find) larger schemes in which the company and its customers lose millions.

At the same time, a clear, transparent system, strict control including an external independent audit, and awareness that punishment is inevitable will make the majority forget about fraudulent schemes in favor of honest earnings. DLP systems, employee profiling systems and UEBA behavioral analytics are used to counter internal fraud.

Alexander Grach of AppsFlyer spoke about the types of mobile fraud and methods of dealing with them.

Everyone who works with in-app advertising faces the problem of fraud. If you think you are not affected, you are; you simply don't know it yet. This article will help you learn to identify and distinguish the 4 types of fraud that are relevant today.

By 2020, $250 billion will be spent on mobile app advertising.

The volume of fraud keeps growing and is already approaching 16-17 billion dollars lost by advertisers annually. To understand how to avoid fraud amid such rapid growth, we will analyze the 4 most relevant types.

Install Hijacking

In Install Hijacking, malware residing on the device of the user installing the app detects the download and tries to claim the install, which rightfully belongs to another source. The way to deal with this kind of fraud is to track the distribution of the time from click to install.

[Slide: click-to-install time distribution chart, from the presentation "Fighting mobile fraud: new approaches and metrics", Alexander Grach, AppsFlyer]

At the beginning of the chart there are spikes where a huge number of installs occur within a short period of time, which does not correspond to human behavior. By tracking this distribution, we evaluate and filter out this kind of behavior.

Click Flood

Click Flood: malware intercepts organic installs by flooding the tracking system with a large number of clicks. Apps with good organic traffic are more prone to this type of scam.

To understand the method of dealing with Click Flood, let's pay attention to the following set of KPIs.

  1. CTIT: the distribution of time from click to install.
  2. Conversion rate.
  3. Engagement.
  4. Multi-channel index.

Consider several traffic sources and how they behave on these KPIs in the table below. There is a source "A" and a source "B". We evaluate them according to the four KPIs.

[Slide: KPI table for sources A and B, from the same presentation]

CTIT. In a normal distribution, the time from click to install is about 40 seconds; about 70% of installs happen within the first hour and 95% within the first 24 hours. Accordingly, we monitor this indicator.

Conversion rate. Obviously, with a large number of clicks the conversion rate is low. Abnormally low values, or values lower than expected, are checked for fraud.

Engagement. When the install comes from an organic source, engagement stays at the organic level. This means a user who behaves like a genuine user: pays, reaches certain levels, and so on. The level is determined individually, based on your own definition of a loyal user.

Multi-channel index: the ratio of a source's assisting (first-contributor) clicks to its last clicks. Tracking platforms use last-click attribution. This means that if an app install was preceded by several ad clicks, the last one is considered the converting click and gets the credit for the install. With Click Flood, the fraudster sends a huge number of clicks that clog the conversion funnel and sometimes end up being the last one, so tracking the multi-channel attribution funnel is extremely important.

Let's look at an example of AppsFlyer's multi-channel attribution report:

[Slide: multi-channel attribution report, from the same presentation]

The technique takes an event, the install, and shows the 3 previous clicks and how they relate to each other. For every install attributed to this traffic source, the multi-channel attribution funnel is clogged by the same source or a specific publisher. This raises questions and prompts some reflection. In a normal situation there would be no clear pattern in the distribution of assisting clicks across the funnel. When Click Flood is suspected, the gaps between these clicks are either identical or very close to the install time, just a few seconds. In other words, it was a burst of clicks, some of which hit the target, with all of them close to each other.

Click Hijacking

Another type of fraud that the multi-channel index and multi-channel attribution help to combat is Click Hijacking. The mechanics are similar to Install Hijacking, but here the malicious application detects a real click and sends a fake click report from a competing network, thereby hijacking the click and the install itself.

[Slide: distribution of time from the penultimate to the last click, from the same presentation]

The chart above shows how the time from the penultimate to the last click is distributed. In the AppsFlyer model, the last click is the converting one and the first contributor is the previous click in the funnel. Accordingly, a pattern is visible in multi-channel attribution: the penultimate click is unnaturally close to the last one. Such a spike can be cut off immediately and the data treated as suspected Click Hijacking.
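As an added example (not AppsFlyer's code), the funnel checks described above for Click Flood and Click Hijacking, run over a constructed set of installs with their preceding clicks; the thresholds and the source/publisher names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

HIJACK_GAP_S = 5     # penultimate->last gap below this is suspicious (assumption)
NEAR_INSTALL_S = 10  # assists all within this many seconds of the install (assumption)

@dataclass
class Touch:
    ts: int          # click time, unix seconds
    source: str      # ad network
    publisher: str   # sub-publisher / site id

@dataclass
class Install:
    install_ts: int
    touches: list    # clicks seen for this device before the install

def last_and_assists(inst):
    """Last click converts; up to three preceding clicks are assists."""
    clicks = sorted(inst.touches, key=lambda t: t.ts)
    return clicks[-1], clicks[-4:-1]

def multichannel_index(installs):
    """Assisting clicks per source divided by last (converting) clicks per source."""
    assists, lasts = defaultdict(int), defaultdict(int)
    for inst in installs:
        last, asst = last_and_assists(inst)
        lasts[last.source] += 1
        for t in asst:
            assists[t.source] += 1
    return {s: assists[s] / lasts[s] for s in lasts}

def hijack_share(installs, source):
    """Share of a source's installs whose penultimate->last click gap is tiny."""
    gaps = []
    for inst in installs:
        last, asst = last_and_assists(inst)
        if last.source == source and asst:
            gaps.append(last.ts - asst[-1].ts)
    return sum(g < HIJACK_GAP_S for g in gaps) / len(gaps) if gaps else 0.0

def flood_suspect(installs, source):
    """Click Flood signature: every assist in the source's funnel comes from one
    source/publisher, and the assist offsets are identical across installs or all
    sit within a few seconds of the install."""
    patterns, publishers = [], set()
    for inst in installs:
        last, asst = last_and_assists(inst)
        if last.source != source or not asst:
            continue
        patterns.append(tuple(inst.install_ts - t.ts for t in asst))
        publishers.update((t.source, t.publisher) for t in asst)
    if len(patterns) < 3 or len(publishers) != 1:
        return False
    identical = len(set(patterns)) == 1
    all_near = all(o <= NEAR_INSTALL_S for p in patterns for o in p)
    return identical or all_near

def sample_installs():
    """Constructed data: A is honest, B floods its own funnel, C hijacks A's clicks."""
    t0 = 1_700_000_000
    data = [
        Install(t0, [Touch(t0 - 3600, "D", "d1"), Touch(t0 - 900, "A", "a1")]),
        Install(t0 + 400, [Touch(t0 + 100, "A", "a2")]),
        Install(t0 + 1540, [Touch(t0 + 1000, "B", "b1"), Touch(t0 + 1500, "A", "a1")]),
    ]
    for k in range(3):  # B: identical burst of B clicks 90/60/30/10 s before every install
        ts = t0 + 5000 + k * 700
        data.append(Install(ts, [Touch(ts - off, "B", "b9") for off in (90, 60, 30, 10)]))
    for k, off in enumerate((600, 900, 1200)):  # C: fake C click 2 s after A's real click
        ts = t0 + 9000 + k * 2000
        data.append(Install(ts, [Touch(ts - off, "A", "a1"), Touch(ts - off + 2, "C", "c1")]))
    return data

def analyze(installs):
    """Per-source report: multi-channel index plus the two pattern checks."""
    mci = multichannel_index(installs)
    return {s: {"multichannel_index": round(mci[s], 2),
                "hijack_share": hijack_share(installs, s),
                "click_flood": flood_suspect(installs, s)} for s in mci}
```

`analyze(sample_installs())` flags B for Click Flood (index above 3, identical assist pattern) and C for Click Hijacking (every penultimate-to-last gap is 2 s), while A shows neither.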

Install Fraud

The last type of fraud on the list is associated with installs: Install Fraud. Modeling all sorts of distributions is great, but it is always necessary to have multiple layers of protection. To test any hypothesis, you need information from different sources. AppsFlyer decided to use its own data to fight this type of fraud.

The project lasted about six months. All devices were taken from the database. At the moment, the AppsFlyer database covers about 98% of all devices in circulation. The goal of the project was to understand what standing each such ID has in the system from an anti-fraud point of view.

[Slide: scoring based on 1.4 trillion mobile interactions, from the same presentation]

Using big-data processing algorithms, each mobile device was assigned a certain rating. The rating scale is similar to the rating of securities: fraudulent devices are rated "C", suspicious ones "B", real ones "A", "AA" or "AAA", new ones "N", and LAT (Limit Ad Tracking) devices "X".

After scoring, the question remained what to do with new devices.

[Slide: share of new devices by traffic source, from the same presentation]

With the help of aggregated data, it became clear that some traffic sources bring an abnormally large number of new devices, which turned out to be not the latest Samsung or iPhone models but old devices from 2012-2013 with outdated software versions. This indicates device emulation followed by a reset of the advertising ID: the dummy device performs the required actions on the advertising offer, then resets its IDFA / GAID and starts a new round of installs. An effective way to catch emulated devices is to use large databases like AppsFlyer's. With 98% of devices in circulation analyzed, each new device is a kind of flag, which makes one think that a network cannot deliver 100% new users. There is a natural background rate of new devices, about 5-10%, but definitely not 100% or even 50%.

If you filter by campaign, you can see that some campaigns deliver more new devices and others fewer.

[Slide: breakdown by campaign and sub-publisher, from the same presentation]

Adding a breakdown by sub-publisher shows that they are the same across campaigns. This means that one or more suspicious sub-publishers are mixing fake traffic into different campaigns and different traffic sources. So by tracking this activity you can catch the fraudster.
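An added example, not AppsFlyer's code, of the new-device analysis described above: the share of never-before-seen advertising IDs per source, then per sub-publisher across campaigns, with the age of the device model as a second flag; the device database, thresholds, source and sub-publisher names are constructed assumptions.

```python
from collections import defaultdict

NEW_SHARE_FLAG = 0.5     # text: 5-10% new devices is normal, 50-100% is not
OLD_MODEL_YEAR = 2014    # "new" devices that are really old models (assumption)

def new_device_share(installs, known_ids, key):
    """Share of installs per key (e.g. ("source",) or ("source", "sub_publisher"))
    whose advertising ID has never been seen in the device database."""
    total, new = defaultdict(int), defaultdict(int)
    for r in installs:
        k = tuple(r[f] for f in key)
        total[k] += 1
        new[k] += r["ad_id"] not in known_ids
    return {k: round(new[k] / total[k], 3) for k in total}

def suspicious_sub_publishers(installs, known_ids):
    """Sub-publishers that feed unseen devices into more than one campaign, with
    those devices being old models: the reset-the-ad-id-and-reinstall pattern."""
    stats = defaultdict(lambda: {"campaigns": set(), "n": 0, "new": 0, "old": 0})
    for r in installs:
        s = stats[r["sub_publisher"]]
        s["campaigns"].add(r["campaign"])
        s["n"] += 1
        if r["ad_id"] not in known_ids:
            s["new"] += 1
            s["old"] += r["model_year"] < OLD_MODEL_YEAR
    flagged = {}
    for sub, s in stats.items():
        share = s["new"] / s["n"]
        if share > NEW_SHARE_FLAG and len(s["campaigns"]) > 1:
            flagged[sub] = {"new_share": round(share, 2),
                            "old_model_share": round(s["old"] / s["new"], 2),
                            "campaigns": sorted(s["campaigns"])}
    return flagged

def sample_data():
    """Constructed device database and install records (not real AppsFlyer data)."""
    known = {f"known-{i}" for i in range(1000)}
    rows = []
    for i in range(70):      # sub_x: unseen 2013 devices spread over three campaigns
        rows.append({"source": "net1", "campaign": f"c{i % 3 + 1}", "sub_publisher": "sub_x",
                     "ad_id": f"fresh-{i}", "model_year": 2013})
    for i in range(30):      # sub_ok: known devices, recent models
        rows.append({"source": "net1", "campaign": "c1" if i % 2 else "c2", "sub_publisher": "sub_ok",
                     "ad_id": f"known-{i}", "model_year": 2021})
    for i in range(53):      # net2: background level of genuinely new devices (3 of 53)
        rows.append({"source": "net2", "campaign": "d1", "sub_publisher": "sub_y",
                     "ad_id": f"fresh2-{i}" if i < 3 else f"known-{100 + i}", "model_year": 2022})
    return rows, known
```

Here `net1` shows 70% new devices against a 5.7% background for `net2`, and the sub-publisher breakdown isolates `sub_x`, which appears in all three campaigns with 100% unseen, 2013-era devices.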

Fraud is a disease, but there is a cure for it

Fraud is a disease of mobile app advertising, but many vaccines have already been developed for it. Using the solutions described in this article, you will be able to detect the 4 most common types of mobile fraud. Do not skimp on fighting fraud; learn to see it. Keep looking for solutions and engage qualified companies to help you with this.


1) Unrealistically short time between clicks and targeted actions

A standard Internet connection allows an application to be downloaded in about 30 seconds. If installs from one channel take 2-10 seconds, such traffic can be considered fraudulent.

2) Obviously patterned user behavior after clicking on an ad

Real users spend different amounts of time deciding whether to download an app and browsing internal pages. They will have different internet connection speeds and different purposes for accessing the app/website.

A channel that consistently shows the same sequence of user actions or equal intervals between clicks is most likely to bring fraud.

3) Different geo clicks and installs for the same user

Any device connected to the Internet has an IP address, which indicates the region you are in. If the user is on mobile Internet, the IP address comes from the mobile provider; if the user connects via Wi-Fi, it comes from the access point's Internet connection.

Clicking in one region and downloading an application in another is almost impossible.

4) Abnormally many clicks from one IP/ID

This is the first sign that you are receiving traffic from a bot farm, although such indicators may also result from the work of real people: for example, scammers reset the advertising identifiers of the devices they use and perform installs and target actions again.

5) Too little or too much conversion from click to install

If the conversion from clicks to installs is below 0.3% with a large traffic flow, most likely fraudsters are clicking on ads.

A conversion rate above 30% is also a sign of fraud. Such values are realistic for search campaigns; in other cases there is a high probability that the installs are fake. The same goes for unrealistically high or negligible CTR and eCPM: if their values for a particular channel differ too much from the average, you can add the source to the fraud list.

6) Suspicious activity at night

Usually users within the same geo are more active in the morning, afternoon or evening, whereas programs that generate fraud can work 24 hours a day. Many clicks and installs at night, close in number to the organic figures at other times of the day, are suspicious. A source with such traffic needs additional checks.

7) An unnaturally even install curve

Typically, most real installs happen within the first hour after a click; by the second hour the number of installs drops sharply. In fraudulent campaigns, because of how the programs work, the install curve is much more even.

8) No base events

If you are tracking a welcome screen or the first app open and do not see these events after the install, you have most likely encountered fraud.

Fraudsters can imitate a report on the completion of a target action in the analytics system. Then you will see a report about the install and the required in-app activity, while the steps a real user would have to go through are skipped.

An extremely low retention rate and deletion of the app immediately after installation indicate motivated (incentivized) traffic: scammers download the app and immediately delete it. A rare but possible case: a real user downloaded the app but did not want to, or forgot to, use it.
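The signals from the checklist above, applied per traffic source to constructed click, install and app-open events (an added example, not from the original article); the 2-10 s CTIT window and the 0.3% / 30% conversion bounds are the article's, the IP-share, night-hour and 50% cutoffs and the source names are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# The 2-10 s CTIT window and the 0.3% / 30% conversion bounds come from the
# checklist; the IP-share, night-hour and 50% cutoffs are assumptions.
SHORT_CTIT = (2, 10)
CONV_BOUNDS = (0.003, 0.30)
IP_SHARE_FLAG = 0.2
NIGHT_HOURS = range(0, 6)   # 00:00-05:59 UTC

def signals_for(source, events):
    """Fraud signals for one traffic source. events: dicts with kind in
    {click, install, open}, plus source, ip, device and unix ts."""
    clicks = [e for e in events if e["kind"] == "click" and e["source"] == source]
    installs = [e for e in events if e["kind"] == "install" and e["source"] == source]
    opened = {e["device"] for e in events if e["kind"] == "open" and e["source"] == source}
    if not clicks or not installs:
        return {}
    last_click = {}                          # device -> latest click ts
    for c in sorted(clicks, key=lambda e: e["ts"]):
        last_click[c["device"]] = c["ts"]
    ctit = [i["ts"] - last_click[i["device"]] for i in installs if i["device"] in last_click]
    short = sum(SHORT_CTIT[0] <= t <= SHORT_CTIT[1] for t in ctit) / len(ctit) if ctit else 0.0
    conv = len(installs) / len(clicks)
    top_ip_share = Counter(c["ip"] for c in clicks).most_common(1)[0][1] / len(clicks)
    night = sum(datetime.fromtimestamp(i["ts"], timezone.utc).hour in NIGHT_HOURS
                for i in installs) / len(installs)
    no_open = sum(i["device"] not in opened for i in installs) / len(installs)
    return {
        "short_ctit": short >= 0.5,
        "conversion_out_of_range": not CONV_BOUNDS[0] <= conv <= CONV_BOUNDS[1],
        "ip_concentration": top_ip_share >= IP_SHARE_FLAG,
        "night_activity": night >= 0.5,
        "no_base_events": no_open >= 0.5,
        "values": {"short_ctit": round(short, 2), "conversion": round(conv, 3),
                   "top_ip_share": round(top_ip_share, 2), "night": round(night, 2),
                   "no_open": round(no_open, 2)},
    }

def build_events():
    """Constructed log: 'net_clean' has varied IPs, daytime installs with CTIT of
    minutes and app opens; 'net_farm' has three IPs, 2-10 s CTIT, 40% conversion,
    installs at night and no app opens."""
    noon = int(datetime(2024, 1, 1, 12, tzinfo=timezone.utc).timestamp())
    ev = []
    for i in range(400):
        ev.append({"kind": "click", "source": "net_clean", "ip": f"10.0.{i % 200}.{i % 7}",
                   "device": f"g{i}", "ts": noon + i * 60})
    for i in range(12):
        dev, ts = f"g{i * 30}", noon + i * 30 * 60 + 60 + i * 40    # CTIT 60..500 s
        ev.append({"kind": "install", "source": "net_clean", "ip": "10.0.0.1", "device": dev, "ts": ts})
        ev.append({"kind": "open", "source": "net_clean", "ip": "10.0.0.1", "device": dev, "ts": ts + 30})
    night = noon + 14 * 3600                                           # 02:00 UTC next day
    for i in range(300):
        ev.append({"kind": "click", "source": "net_farm", "ip": f"192.0.2.{i % 3}",
                   "device": f"b{i}", "ts": night + i * 10})
    for i in range(120):                                               # no open events at all
        ev.append({"kind": "install", "source": "net_farm", "ip": f"192.0.2.{i % 3}",
                   "device": f"b{i}", "ts": night + i * 10 + 3 + i % 6})   # CTIT 3..8 s
    return ev

def scan(events):
    """Run the checks for every source present in the log."""
    return {s: signals_for(s, events) for s in sorted({e["source"] for e in events})}
```

`scan(build_events())` raises all five signals for `net_farm` and none for `net_clean`; in practice a single signal is a reason to look closer, and several together are grounds to hold payment for the source.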

Fraud types

SDK spoofing

SDK spoofing is a type of fraud in which fraudsters control the transmission of messages between the application's SDK and the server receiving the information.

The original messages are replaced with ones that are worth more to the advertiser: for example, a report on a banner impression becomes a signal about an app download. As a result you see new installs that never actually happened.

Click spam

A type of fraud in which scammers place ads so that users do not see them and click on them unknowingly. For example, you click the play button on a free online movie site and are taken to a third-party site. Or you play a game inside an app and every tap on the screen counts as a click on banners you do not even see. These clicks are counted as ad clicks.

Signs that you have been the victim of this type of fraud include:

  • organic installs plummeted;
  • paid users behave the same way as those who came after organic installs.

Click Injection

In some classifications it is treated as a subtype of click spam. The user installs an application containing malicious code, usually a fake copy of a popular app or an app from the "tools" category. The infected device is tagged with the fraudulent source's label.

When the user (even long after the code was implanted) downloads the desired application, the install will be counted as coming from a click on an ad, because it will be labeled accordingly in analytics.

Only smartphones with the Android operating system can suffer from this type of fraud.

Typically this type of attack is indicated by a very short (under 2 seconds) time between click and install.

Bot traffic

Fraudsters create farms where they collect a large number of smartphones. The devices are connected to a program that imitates the actions of real users on them: clicking on ads, installing an application, watching videos, etc. There is another way to organize a farm: instead of many devices, a program is used that creates virtual copies of devices with constantly refreshed IDs. The program still simulates the actions of real users, but on a server.

To avoid detection, scammers change IP addresses and route traffic through Tor or VPN.

Most likely your installations are fake:

  • if they are immediately followed by the removal of the application;
  • if there are many clicks/installs from the same IP address in the analytics.

Motivated traffic

There are special sites where users are paid for performing certain actions: clicks, installs, in-app actions, etc. Such traffic is called motivated (incentivized) because users perform target actions for a reward, usually a small amount of real money or in-game currency, on average up to 200 rubles per target action.

Sometimes users are prompted to take actions offline. For example, a motivated user can leave a request to view an apartment in a new building and even go for a viewing.

Traffic is most likely motivated if:

  • the retention rate from one channel is consistently low;
  • users delete the application immediately after downloading or download and do not log in;
  • users who download applications for a reward are often sent scripts for activity in the application (download, tap certain buttons, delete after three days), so analytics may show a great many installs with the same behavior pattern.

How to protect yourself from fraud

1) Update your SDKs

In new versions, protection systems against fraudulent traffic are also updated.

2) Discuss risks with contractors

At the beginning of work, discuss with your contractors how payment will be made and further work if you detect fraud. Write in the contract what you will do in such cases. For example, you can specify which traffic, based on indicators in analytics, will be considered fraud and will not be paid.

3) Remove contractors with fraudulent traffic

If you or your anti-fraud system has detected fraudulent traffic that comes from one of the contractors in a large volume, apply penalties to this company. If this happens repeatedly, then it is easier to disable the channel that supplies low-quality traffic.

4) Don't target suspicious OS versions

Do not target ads at devices with outdated or unreleased operating systems. As a rule, bot farms buy old smartphones that only support older OS versions. You cut off a small percentage of real users, but avoid fraudster attacks.

5) Follow the analytics

Analyzing conversions by IP, device info, time between click and conversion, user lifetime after installing the app, and conversions via VPN or proxy can alert you to fraud.

6) Use services with built-in antifraud

Mobile trackers and analytics systems have their own anti-fraud solutions: Adjust, AppsFlyer, Fraudlogix.

All these programs cost money. To evaluate the feasibility of investing in an anti-fraud solution, you can test the trial version. If during the trial period the system detects fraudulent traffic for an amount covering its cost, then it is worth renewing the subscription.

CPI networks work with a large number of small traffic providers, which makes them fertile ground for scammers. At the same time it is an important and large channel; the budgets allocated to it are substantial, which means losses from fraud can be painful.

When fraud is detected from a CPI network, look at the sub-sources and disable those the fraud comes from. If the total share of fraud from the network does not fall below 10% despite constant work on disabling suspicious sub-sources, try to figure out the reason, and perhaps move the budget to a more trustworthy source.

An anti-fraud tool saves a lot of time by replacing manual processing of large amounts of data. It serves as an arbiter, backing its verdicts with its own guarantees, in disputes with partners. And, of course, it saves budget by helping to weed out fraud.

I tested several large services and did not find any noticeable advantages over others in any of them. A more effective way out, in my opinion, can only be the development of an internal solution.

Stanislav Izmailov, BlaBlaCar Marketing Manager