Mobile Fraud: It’s Time To Start Paying Attention

mobilefraudThere’s something fishy going on in China.

According to mobile attribution company Apsalar, for every valid in-app purchase (IAP) made in China, there are 273 fraudulent ones.

But China isn’t the only place with IAP problems. Taiwan sees 54 fake in-app purchases for every valid one, while Saudi Arabia clocks in at 24.6 and Israel and Hong Kong tie for 18. The digital goods were sold, but payment was never received, a fact Apsalar verified with both Google and Apple.

IAP is just one of the new ways fraudsters are looking to game the mobile system.

As Forrester analyst Susan Bidel noted in a recent report titled "Fraud and Fat Fingers Distort the Mobile Advertising Landscape," “Fraudsters not only apply techniques tested and proven in desktop advertising to the mobile web, but also fashion new strategies specifically to target the mobile app environment.”

Over the past year, online click fraud and bot-generated traffic have become obsessive topics in the ad industry, but mobile hasn’t factored too deeply into that conversation, and there’s a reason for that – dollar bills.

In the words of White Ops CEO and co-founder Michael Tiffany, “Bad guys follow the money.” As long as mobile ad spend remained nascent, fraudsters didn’t appear all that motivated to diversify from their desktop cash cow.

That’s changing. According to recent research from eMarketer, mobile ad spend is on track to reach $28.72 billion this year, accounting for 49% of all digital ad spending, a number forecast to hit $65.87 billion by 2019.

Timur Yarnall, SVP of corporate development at comScore, did not mince words: “Any suggestion that mobile fraud is not an issue today is laughable.”

Video CPMs might still beat mobile CPMs, said Yarnall, who co-founded MdotLabs, the cybersecurity startup comScore acquired in August, “but the money in mobile is there and it’s growing fast, which means people need to monitor it just as aggressively as they’re monitoring desktop fraud now.”

Out Of Place

The fraudster’s bag of tricks runneth over. Bidel’s report cited bad traffic, domain laundering, in-app ad stacking, phantom apps – when a user clicks to download an app, only to find that the app doesn’t exist but the click was recorded – mobile emulators and shady redirects as issues already plaguing the mobile ecosystem.

But mobile location data spoofing is a particularly prime example.

“Location is increasingly important on the mobile side for targeting and offline attribution purposes,” said Michael Tuminello, director of product at video platform Innovid. “But mobile location data is frequently inaccurate due to the lack of standards and a complicated ecosystem.”

Adding GPS coordinates to a bid request ups the price, and in some cases it’s legitimate, but a lot of the lat/long information available on the open exchange is coming from players who have no business providing it.

Location spoofing isn’t black and white, however, said Alec Greenberg, VP of media operations at Dstillery.

For example, when an app asks a user to share his or her location and that user declines, the app still gets some sort of data – albeit general information like, ‘This person is in Brooklyn" – relayed from a local cell tower. Broad data like that is far less useful in terms of driving foot traffic than precise lat/long data – it's also not opt-in, considering in that case that the user had declined to share location data – but Greenberg isn't convinced the players purveying it are necessarily always malicious rather than just opportunistic.

But the end result is the same and Dstillery isn’t taking any chances.

“We throw out 50% to 70% of all the GPS coordinates we see every day because they’re questionable,” Greenberg said. “That’s a huge percentage.”

Dirty Tricks

Much of mobile fraud detection is about patterns. Take “mean time to install” (MTTI), a term coined by mobile analytics company Kochava to describe the average time it takes between when a user clicks to download an app and when that user launches it for the first time. A dating app generally has a low MTTI, sometimes just a few hours, whereas a finance app can have an MTTI of seven days or more.

If a large percentage of users coming from a certain subset of publishers within a specific ad network open a finance app within an hour, that’s a clear indication that something isn’t kosher.

“There is a correlation between MTTI and the lookback window that an advertiser sets up to give credit to the network that drove the install,” said Kochava CEO Charles Manning. “That’s why it’s important to establish a baseline MTTI so you can understand what a high-value user does and what their true intent is.”

Apsalar noticed something similar when it examined the relationship between app-related clicks and conversions by geo. A country like Germany, for example, has a roughly 5% in-app conversion rate with nearly no click fraud to speak of. But in France it takes users 20% more clicks than users in Germany to convert, what Apsalar CEO Michael Oiknine referred to as an “overclick rate.”

In countries like India and Hong Kong, however, the overclick rate spikes astronomically. It takes users, or more likely bots, in those countries around 1,000% more clicks than users in Germany to reach the same conversion.

“Sure, maybe people there are just clicking more,” Oiknine said. “But to my mind, this kind of differential tells you that something is going on. To us it feels like a proxy for the level of fraud in the country.”

But all it takes is a Google search to prove that mobile fraud is reaching an unfortunate maturity.

“Type ‘purchase web traffic’ into your browser and you can see for yourself how many botnets are out there,” Yarnall said. “Now type in ‘purchase mobile traffic’ or ‘purchase app downloads’ and you’ll get millions of results for people willing to sell. Some of those people will be honest and some are going to be really shady.”

If you know what you’re getting, that’s one thing. But if you think you’re buying a luxury sports car and all you’re getting is a jalopy with a convincing new paint job, then it’s fraud. That’s how Kochava defines it, anyway.

“Any traffic that purports to be one thing and it actually something else – that’s fraud,” Manning said. “If you think you’re buying non-incentivized traffic and there’s incentivized 'Candy Crush' traffic in there, it might not be the ad network’s fault, but it is fraud.”

When Kochava detects an outlier or mislabeled blended traffic, it alerts the advertiser. From there, the advertiser can decide to take action or not.

“We proactively observe what’s going on and we alert the customer when we see it happening,” Manning said. “But we don’t just drop the click. At the end of the day, we’re a measurement company, not the jury. How you deal with the information we give you as an advertiser is your thing.”

Fraud, mobile or otherwise, is a moving target and will remain so, said Yarnall, and every industry stakeholder needs to share responsibility.

“You’re never going to see a level set for non-human traffic. When a scammer sees something working, they’ll take it and run with it as far as they can go – and then they move on,” Yarnall said. “It’s like an eternal game of whack-a-mole. The perpetrators of fraud are always going to be there."

1 Comment

  1. This is an excellent article highlighting the kind of diversity we are seeing in the ad fraud landscape at the moment. In 2005, when I started to research the topic, conversion fraud was mostly based on small-scale farming, captcha breaker software and automated form filling. Now it's increasingly based on fake transactions, or even actual small actually payments. If the payment of $0.90 or even $10 proves the bot to be a human and that bot can earn more than $10 in ad fraud thanks to it...

    For example, the argument "because we can see they are playing our games, we know they are humans" has not been valid in a long time. Playing games and engaging in other seemingly complex activities have become the every day life of bots.

    Reply

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>