{"componentChunkName":"component---src-components-fraud-category-js","path":"/protect-monitor/performance-fraud/attribution-fraud","result":{"pageContext":{"category":{"id":"attribution-fraud","label":"Web attribution","device":"web","pageTitle":"What is attribution fraud? - Impact","summary":"In these fraud tactics, bad actors steal or fabricate clicks to claim attribution for leads or conversions. They then collect premium payouts although they did not contribute any value along the conversion path.","fraudTechniques":[{"id":"web-click-spoofing","label":"Click spoofing","pageTitle":"What is click spoofing - attribution fraud - Impact","summary":"When advertisers rely on their publishers to self-report click events server-side, they are vulnerable to click spoofing. Unchecked, a malicious publisher may trigger a click tracking event in the absence of a legitimate click.","steps":["Malicious publisher registers for an advertiser’s affiliate program","User navigates to the publisher’s website","User does not engage with an ad on the site","User visits the forum page and views the signature","Malicious publisher fires click-tracking event anyway, spoofing the user’s engagement","After some time, user navigates to the advertiser’s website organically or via another valid partner’s promotional effort","User completes a purchase","Advertiser attributes credit to the malicious publisher, even though they provided no value in driving the sale"]},{"id":"web-hidden-landing-pages","label":"Hidden landing pages","pageTitle":"What are hidden landing pages - attribution fraud - Impact","summary":"Bad actors steal attribution by loading hidden landing pages, invisible to the user, either at random or specifically targeting users likely to convert. This can be accomplished through techniques such as pixel stuffing or ad stacking. When the user does convert of her own volition, the malicious publisher that loaded an advertiser’s landing page without the user’s knowledge claims credit and gets paid.","steps":["Malicious publisher (really a torrent or streaming site) registers for an advertiser’s affiliate program","User navigates to this streaming site to watch a bootleg movie","Malicious publisher embeds its video player’s “play” button with its affiliate link","When user clicks “play,” malicious publisher loads advertiser’s website in the background, unseen by user, who continues to watch the movie","User eventually closes out of the pop-under window containing advertiser’s landing page","User organically returns to advertiser’s site at a later time","User completes purchase","Advertiser attributes credit to malicious publisher — even though they did not influence the sale — and pays them a percentage of revenue"]},{"id":"web-image-embedding","label":"Image embedding","pageTitle":"What is image embedding - attribution fraud - Impact","summary":"A publisher replaces an image’s source code with their affiliate link and then places that image on a heavily trafficked public website. While the image will not load (it will render as a broken image icon or blank space), the browser will still follow the link and read and act on cookies sent through it. This technique is relatively unrefined, but what it lacks in targeting specificity it makes up for in broad reach and zero-cost, low-effort effectiveness.","steps":["Malicious publisher has registered for advertiser’s affiliate program","Publisher embeds a signature image with their affiliate link","Publisher posts a comment on a high traffic forum with the signature appended","User visits the forum page and views the signature","User has malicious publisher’s cookie dropped on their browser and is redirected to advertiser’s website","Some time later, user intentionally and organically returns to advertiser’s website to shop and makes a purchase","Advertiser attributes credit to the malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]},{"id":"web-malvertising","label":"Malvertising","pageTitle":"What is malvertising - attribution fraud - Impact","summary":"In the case of malvertising, bad actors pose as advertisers and buy ad space. In the meantime, they serve serve creatives that have been embedded with malicious JavaScript. This hidden code can force clicks to advertiser sites, as well as download malware onto the user’s device. They’re forcing attribution — and paying themselves — through illicit manipulation.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User is browsing normally and navigates to a page with advertisements","Malicious publisher acts like an advertiser in a programmatic ad buying situation and engages a Demand Side Platform (DSP) to buy display inventory on that page","Malicious publisher delivers compromised ad creative embedded with malicious code that redirects user to publisher’s site","With this redirect, malicious publisher drops a cookie","User later completes a purchase on advertiser’s site","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale and in fact compromised advertiser’s brand integrity with a forced redirect. Advertiser then pays them a percentage of revenue"]},{"id":"web-sneaky-redirects","label":"Sneaky redirects","pageTitle":"What are sneaky redirects - attribution fraud - Impact","summary":"Redirecting is the act of sending a visitor to a different URL than the one they initially requested. While not all redirects are malicious, a bad actor can purchase a domain name that is a misspelled version of an advertiser’s domain. The malicious publisher will then redirect users who accidentally navigate to the misspelled domain to the advertiser’s site, effectively generating an illegitimate click. In this scenario, the user was actually organic and the advertiser should not have paid any affiliate for the click. <a href='https://recordit.co/uOMyTFKqtt' target='_blank'>Watch this video</a> to see a sneaky redirect in action.","steps":["Malicious publisher owns a domain that is a common misspelling of an advertiser’s domain name and registers for that advertiser’s affiliate program","User intends to visit that advertiser’s website but mistypes and enters the misspelled URL instead","User goes to malicious publisher’s misspelled domain, which drops a cookie on user’s browser","Malicious publisher promptly sends user to advertiser’s website with a 302 redirect","User makes the purchase he originally set out to make","Advertiser attributes credit to malicious publisher, even though user was going to make the purchase organically, and pays them a percentage of revenue"]},{"id":"web-toolbar-injection","label":"Toolbar injection","pageTitle":"What is toolbar injection - attribution fraud - Impact","summary":"A malicious browser extension (think toolbar plug-in) injects cookies into the browser as a user navigates, feigning credit for an organically occurring event.","steps":["Malicious publisher has previously registered for advertiser’s affiliate program","User downloads a malicious publisher’s toolbar plug-in","User goes to advertiser’s website to shop","User starts adding things to their shopping cart","Before completing checkout, the toolbar drops a cookie in user’s browser, claiming credit for driving the sale","User completes their purchase","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]}]},"categories":[{"id":"attribution-fraud","label":"Web attribution","device":"web","pageTitle":"What is attribution fraud? - Impact","summary":"In these fraud tactics, bad actors steal or fabricate clicks to claim attribution for leads or conversions. They then collect premium payouts although they did not contribute any value along the conversion path.","fraudTechniques":[{"id":"web-click-spoofing","label":"Click spoofing","pageTitle":"What is click spoofing - attribution fraud - Impact","summary":"When advertisers rely on their publishers to self-report click events server-side, they are vulnerable to click spoofing. Unchecked, a malicious publisher may trigger a click tracking event in the absence of a legitimate click.","steps":["Malicious publisher registers for an advertiser’s affiliate program","User navigates to the publisher’s website","User does not engage with an ad on the site","User visits the forum page and views the signature","Malicious publisher fires click-tracking event anyway, spoofing the user’s engagement","After some time, user navigates to the advertiser’s website organically or via another valid partner’s promotional effort","User completes a purchase","Advertiser attributes credit to the malicious publisher, even though they provided no value in driving the sale"]},{"id":"web-hidden-landing-pages","label":"Hidden landing pages","pageTitle":"What are hidden landing pages - attribution fraud - Impact","summary":"Bad actors steal attribution by loading hidden landing pages, invisible to the user, either at random or specifically targeting users likely to convert. This can be accomplished through techniques such as pixel stuffing or ad stacking. When the user does convert of her own volition, the malicious publisher that loaded an advertiser’s landing page without the user’s knowledge claims credit and gets paid.","steps":["Malicious publisher (really a torrent or streaming site) registers for an advertiser’s affiliate program","User navigates to this streaming site to watch a bootleg movie","Malicious publisher embeds its video player’s “play” button with its affiliate link","When user clicks “play,” malicious publisher loads advertiser’s website in the background, unseen by user, who continues to watch the movie","User eventually closes out of the pop-under window containing advertiser’s landing page","User organically returns to advertiser’s site at a later time","User completes purchase","Advertiser attributes credit to malicious publisher — even though they did not influence the sale — and pays them a percentage of revenue"]},{"id":"web-image-embedding","label":"Image embedding","pageTitle":"What is image embedding - attribution fraud - Impact","summary":"A publisher replaces an image’s source code with their affiliate link and then places that image on a heavily trafficked public website. While the image will not load (it will render as a broken image icon or blank space), the browser will still follow the link and read and act on cookies sent through it. This technique is relatively unrefined, but what it lacks in targeting specificity it makes up for in broad reach and zero-cost, low-effort effectiveness.","steps":["Malicious publisher has registered for advertiser’s affiliate program","Publisher embeds a signature image with their affiliate link","Publisher posts a comment on a high traffic forum with the signature appended","User visits the forum page and views the signature","User has malicious publisher’s cookie dropped on their browser and is redirected to advertiser’s website","Some time later, user intentionally and organically returns to advertiser’s website to shop and makes a purchase","Advertiser attributes credit to the malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]},{"id":"web-malvertising","label":"Malvertising","pageTitle":"What is malvertising - attribution fraud - Impact","summary":"In the case of malvertising, bad actors pose as advertisers and buy ad space. In the meantime, they serve serve creatives that have been embedded with malicious JavaScript. This hidden code can force clicks to advertiser sites, as well as download malware onto the user’s device. They’re forcing attribution — and paying themselves — through illicit manipulation.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User is browsing normally and navigates to a page with advertisements","Malicious publisher acts like an advertiser in a programmatic ad buying situation and engages a Demand Side Platform (DSP) to buy display inventory on that page","Malicious publisher delivers compromised ad creative embedded with malicious code that redirects user to publisher’s site","With this redirect, malicious publisher drops a cookie","User later completes a purchase on advertiser’s site","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale and in fact compromised advertiser’s brand integrity with a forced redirect. Advertiser then pays them a percentage of revenue"]},{"id":"web-sneaky-redirects","label":"Sneaky redirects","pageTitle":"What are sneaky redirects - attribution fraud - Impact","summary":"Redirecting is the act of sending a visitor to a different URL than the one they initially requested. While not all redirects are malicious, a bad actor can purchase a domain name that is a misspelled version of an advertiser’s domain. The malicious publisher will then redirect users who accidentally navigate to the misspelled domain to the advertiser’s site, effectively generating an illegitimate click. In this scenario, the user was actually organic and the advertiser should not have paid any affiliate for the click. <a href='https://recordit.co/uOMyTFKqtt' target='_blank'>Watch this video</a> to see a sneaky redirect in action.","steps":["Malicious publisher owns a domain that is a common misspelling of an advertiser’s domain name and registers for that advertiser’s affiliate program","User intends to visit that advertiser’s website but mistypes and enters the misspelled URL instead","User goes to malicious publisher’s misspelled domain, which drops a cookie on user’s browser","Malicious publisher promptly sends user to advertiser’s website with a 302 redirect","User makes the purchase he originally set out to make","Advertiser attributes credit to malicious publisher, even though user was going to make the purchase organically, and pays them a percentage of revenue"]},{"id":"web-toolbar-injection","label":"Toolbar injection","pageTitle":"What is toolbar injection - attribution fraud - Impact","summary":"A malicious browser extension (think toolbar plug-in) injects cookies into the browser as a user navigates, feigning credit for an organically occurring event.","steps":["Malicious publisher has previously registered for advertiser’s affiliate program","User downloads a malicious publisher’s toolbar plug-in","User goes to advertiser’s website to shop","User starts adding things to their shopping cart","Before completing checkout, the toolbar drops a cookie in user’s browser, claiming credit for driving the sale","User completes their purchase","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]}]},{"id":"lead-gen-fraud","label":"Lead gen","device":"web","pageTitle":"What is lead gen fraud? - Impact","summary":"Malicious affiliates collect advertiser payouts for producing fake leads or conversion events.","fraudTechniques":[{"id":"web-bot-fraud","label":"Bot fraud (clicks)","pageTitle":"What are bot clicks - lead gen fraud - Impact","summary":"Fraud scheme operators use emulators running retained scripts or infected devices in a botnet to automate nonhuman traffic, including click events, on a large scale. This technique is especially prevalent in the cost-per-click (CPC) space. Bot clicks can even be leveraged to generate fraudulent likes and follows, effectively committing influencer fraud across social media.","steps":["Malicious publisher has registered for advertiser’s CPC affiliate program and features text links directing traffic to advertiser’s site","Malicious publisher hires a traffic broker to augment their click volumes","Traffic broker operates a large botnet, which emulates real devices/human browsing behaviors to produce invalid click traffic","Botnet is directed to malicious publisher’s site to click through the text link to advertiser’s site","Advertiser attributes credit to publisher for an invalid click event and pays them the designated CPC"]},{"id":"web-device-spoofing","label":"Device spoofing","pageTitle":"What is device spoofing - lead gen fraud - Impact","summary":"Bad actors will produce worthless engagement (clicks, form fills with stolen information, etc.) on a single device. However, a large volume of activity from the same device and cookie is easily detectable as fraud. In order to fool advertisers, bad actors will spoof their browser and operating system (OS) and reset cookies, effectively allowing one device to impersonate many.","steps":["Malicious publisher has registered for advertiser’s lead gen campaign","Malicious publisher’s site features a fake form fill, capturing the relevant personally identifiable information (PII) to satisfy advertiser’s lead gen criteria","Malicious publisher uses emulator to send large volumes of automated traffic, first to publisher’s site and then to advertiser’s site","Malicious Publisher auto populates the real user information stolen through its fake form fill into the advertiser’s actual form fill and submits the lead","Malicious publisher simultaneously misrepresents emulator’s device ID to make the leads appear as if they are coming from multiple legitimate devices","Advertiser attributes credit to malicious publisher for each lead generated, even though they provided automated traffic and submitted stolen information, and pays malicious publisher per lead submitted"]},{"id":"web-incentivized-traffic","label":"Incentivized traffic","pageTitle":"What is incentivized traffic - lead gen fraud - Impact","summary":"A number of affiliates are sharing commissions with end users via rebates, social gaming credits, or donations to causes. These perks incentivize users to download browser toolbars and plug-ins. But users acquired this way tend to have much lower lifetime value. Low-quality publishers will often sell this incentivized activity as normal paid traffic. In other scenarios, the bad actor will stuff a cookie when the user visits sites that participate in affiliate programs.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User is incentivized to download malicious publisher’s toolbar","User goes to advertiser’s website to shop","User starts adding things to their shopping cart","Before completing checkout, the toolbar drops a cookie in user’s browser, claiming credit for driving the sale","User completes the purchase","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]},{"id":"web-recycled-stolen-information","label":"Recycled/stolen information","pageTitle":"What is recycled/stolen information - lead gen fraud - Impact","summary":"Bad actors that defraud lead gen campaigns will submit either illegitimate information (a nonexistent person) or recycled/stolen legitimate information. In the latter case, real peoples’ personally identifiable information (PII) is bought or captured through fake lead forms and then recycled to collect cost-per-lead (CPL) payouts from multiple advertisers. This technique bypasses data validators and defrauds advertisers of their performance spend. It also damages their brand reputation among the real audience members whose information is stolen, especially when the advertiser attempts to contact a person whose PII was stolen or recycled.","steps":["Malicious publisher has registered for advertiser’s lead gen campaign","Malicious publisher buys stolen information from a data breach on the black market","Malicious publisher then sends bot traffic through their own webpage on to advertiser’s website","Malicious publisher populates advertiser’s form fill with the stolen PII","Malicious publisher’s bot traffic submits fraudulent lead","Advertiser attributes credit to malicious publisher, even though they provided an illegitimate lead, and pays them a (generally high) percentage of revenue","Malicious publisher uses the same user’s info to replicate this process across many CPL advertisers and amplify their earnings"]},{"id":"web-unapproved-network-syndication","label":"Unapproved network syndication","pageTitle":"What is unapproved network syndication - lead gen fraud - Impact","summary":"When advertisers' demand for granular audience targeting goes beyond their scope,  publishers buy traffic to meet these overstated commitments. Unapproved traffic syndication can be difficult to untangle, especially because traffic brokers and ad networks often sell back and forth to each other in a larger arbitrage network. This means that traffic can be bought and sold a number of times before it reaches a publisher.","steps":["Malicious publisher registers for advertiser’s affiliate program and commits to deliver 1,000 clicks that month for a designated cost-per-click (CPC) buy","Unable to fulfill that order with their organic traffic, network buys supplementary click volumes from a third-party vendor","Third-party vendor’s click volumes include invalid bot traffic","Advertiser unknowingly pays original ad network for traffic including invalid clicks that provide no value."]}]},{"id":"install-attribution-fraud","label":"Install attribution","device":"mobile","pageTitle":"What is app install attribution fraud? - Impact","summary":"Unscrupulous partners exploit advertisers’ cost-per-install (CPI) campaigns by stealing or fabricating credit and then collecting revenue for driving an app install.","fraudTechniques":[{"id":"mobile-click-flooding","label":"Click flooding","pageTitle":"What is click flooding - install attribution fraud - Impact","summary":"An especially pernicious publisher may use their app to hijack a user’s phone and generate hundreds of ads in the phone’s background, also triggering automatic click events for each of those ads. These click events are intended to game advertiser’s CPI attribution models and occasionally may redirect the user to an app store.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User downloads malicious publisher’s app","App hijacks user’s device, loading hundreds of ads in the phone’s background and triggering automated click events for each ad","Click event may redirect user to the app store","At some later time, user organically downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install, and pays them a percentage of revenue"]},{"id":"mobile-click-injection","label":"Click injection","pageTitle":"What is click injection - install attribution fraud - Impact","summary":"Click injection is a technique for winning last click attribution in CPI campaigns. It’s enabled on Android phones when a bad actor includes app code that uses the Android feature “Install Broadcast” to continuously monitor a user’s device for new installs. Based on this information, the publisher can send fake clicks just before payable post-install events occur.","steps":["Malicious publisher has registered for advertiser’s affiliate program that pays for installs once user has opened advertiser’s app","User downloads malicious publisher’s app","App features code that allows it to monitor user’s Android for all new installs","Malicious publisher’s app detects that user has just downloaded advertiser’s app","Malicious publisher injects fake click event","User opens advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install, and pays them a percentage of revenue"]},{"id":"mobile-click-spoofing","label":"Click spoofing","pageTitle":"What is click spoofing - install attribution fraud - Impact","summary":"When advertisers rely on their publishers to self-report mobile click events server-side, they may be paying a fraudulent partner for reported clicks that never actually occurred. Unchecked, a malicious publisher may trigger a mobile click-tracking event in the absence of a legitimate click and claim attribution for organic installs or installs driven by other legitimate partners.","steps":["Malicious publisher registers for an advertiser’s affiliate program","User navigates to malicious publisher’s mobile website","User does not engage with an ad on the site","Malicious publisher fires click-tracking event anyway, mimicking or “spoofing” user’s engagement","After some time, user navigates to the app store organically or via a valid partner’s promotional effort","User downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install"]},{"id":"mobile-malvertising","label":"Malvertising","pageTitle":"What is malvertising - install attribution fraud - Impact","summary":"Malvertising can also be used to corrupt install attribution models. This technique occurs when bad actors purchase impressions to distribute ads they’ve injected with malicious code to trigger clicks to app stores. As these malicious ads send users to app stores without their consent, the often-innocent publishers that host malvertising collaterally suffer for providing poor user experience.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User navigates to a mobile website","Website renders an ad with compromised HTML5 creative embedded with publisher’s affiliate link and malicious code to trigger a click event","Illicit click sends user to the Google Play store","In the future, user downloads advertiser’s app from the Google Play store of their own volition","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install, and pays them a percentage of revenue"]}]},{"id":"install-fraud","label":"Install","device":"mobile","pageTitle":"What is app install fraud? - Impact","summary":"Bad actors game advertisers’ CPI campaigns by collecting revenue for driving suspicious app installs where installers have zero intention of actually using the app.","fraudTechniques":[{"id":"mobile-device-id-reset-marathons","label":"Device ID reset marathons","pageTitle":"What is device ID reset marathons  - install fraud - Impact","summary":"Install farms or automated device emulators can exercise device ID reset marathons to replicate their exploitation ad nauseam, making the same activities only appear as if they are happening across many different devices.","steps":["Malicious publisher has registered for advertiser’s affiliate program","Install farm worker clicks through from publisher site to app store","Install farm worker downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install, and pays them a percentage of revenue","Install farm worker deletes advertiser’s app","Install farm worker resets the phone in order to obtain a new device ID","Participant in the install farm then repeats the process over and over to capture more CPI revenue"]},{"id":"mobile-inauthentic-engagement","label":"Inauthentic engagement","pageTitle":"What is inauthentic engagement - install fraud - Impact","summary":"By way of paid human engagement farms or scripted retention, fraud scheme operators will enact or automate post-install engagement if that is the advertiser’s payable event. For example, the bad actor may navigate past a certain level in a game to simulate authentic user engagement.","steps":["Malicious publisher has registered for advertiser’s CPI campaign, which only rewards a partner for driving an install after user has leveled up in the app","Malicious publisher sends proxied, automated traffic to a botnet of mobile devices","Malicious publisher installs advertiser’s app on all botnet member devices","Malicious publisher instructs botnet member devices to not just install advertiser’s app, but also to open the app and engage with the game up to the point of the first level-up","Advertiser attributes credit to malicious publisher for every install that reached level one, even though all installs came from bots programmed to play the app"]},{"id":"mobile-incentivized-traffic","label":"Incentivized traffic","pageTitle":"What is incentivized traffic (un/mislabeled) - install fraud - Impact","summary":"Certain affiliates have been incentivizing installs by sharing their commissions with end users via benefits like rebates, social gaming credits, or donations to causes. When this incentivized traffic is unlabeled or mislabeled as non-incentivized traffic, it fraudulently collects a higher CPI payout than it’s actually worth as users coming from an incentivized download generally provides less long-term value to an advertiser.","steps":["Malicious publisher has registered for advertiser’s CPI campaign","User navigates to malicious publisher’s site","User is incentivized by malicious publisher site to download advertiser’s app, based on the promise of five extra lives in the app’s game","Malicious publisher does not label traffic as incentivized","User installs advertiser’s app","Advertiser attributes credit to and pays malicious publisher as if the install was not incentivized, meaning malicious publisher received payment for more value than it actually delivered"]},{"id":"mobile-proxy-tunneling","label":"Proxy tunneling","pageTitle":"What is proxy tunneling - install fraud - Impact","summary":"A malicious app, installed across a large share of mobile devices, can install malware that effectively converts that network of phones into a mobile botnet. This mobile botnet is remotely controlled by a botnet operator, which can leverage the hijacked IP of the device to mask the location of the operator while committing install fraud on a large scale.","steps":["Malicious publisher has registered for advertiser’s large CPI program","User downloads malicious publisher’s app","App installs malware that makes user’s device a member device of an operator’s botnet","Botnet operator reverse engineers the postback codes sent by advertiser’s app from its tracking software development kit (SDK) to the SDK’s servers","Botnet operator tunnels through proxy to instruct user’s infected device to send out a fake, manipulated postback signal to the same SDK servers to indicate that an install has taken place (even though it has not and user is none the wiser)","Advertiser attributes credit to malicious publisher, even though they provided no value and did not actually drive an install, and pays them a percentage of revenue"]},{"id":"mobile-install-farms","label":"Install farms","pageTitle":"What are app install farms - install fraud - Impact","summary":"Install farms employ hundreds of low-cost workers with real phones to install the apps of advertisers that reward partners on a CPI basis. In other cases, a fraud operator may set up a script within a mobile device emulator that automates the process of generating fake installs and in-app activity.","steps":["Malicious publisher has registered for advertiser’s affiliate program","Install farm worker uses one or multiple devices at once to navigate to malicious publisher’s site","Install farm worker clicks through from malicious publisher site to app store","Install farm worker downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the useless install, and pays them a percentage of revenue"]}]}]}}}