{"componentChunkName":"component---src-components-fraud-technique-js","path":"/protect-monitor/performance-fraud/web-device-spoofing","result":{"pageContext":{"category":{"id":"lead-gen-fraud","label":"Lead gen","device":"web","pageTitle":"What is lead gen fraud? - Impact","summary":"Malicious affiliates collect advertiser payouts for producing fake leads or conversion events.","fraudTechniques":[{"id":"web-bot-fraud","label":"Bot fraud (clicks)","pageTitle":"What are bot clicks - lead gen fraud - Impact","summary":"Fraud scheme operators use emulators running retained scripts or infected devices in a botnet to automate nonhuman traffic, including click events, on a large scale. This technique is especially prevalent in the cost-per-click (CPC) space. Bot clicks can even be leveraged to generate fraudulent likes and follows, effectively committing influencer fraud across social media.","steps":["Malicious publisher has registered for advertiser’s CPC affiliate program and features text links directing traffic to advertiser’s site","Malicious publisher hires a traffic broker to augment their click volumes","Traffic broker operates a large botnet, which emulates real devices/human browsing behaviors to produce invalid click traffic","Botnet is directed to malicious publisher’s site to click through the text link to advertiser’s site","Advertiser attributes credit to publisher for an invalid click event and pays them the designated CPC"]},{"id":"web-device-spoofing","label":"Device spoofing","pageTitle":"What is device spoofing - lead gen fraud - Impact","summary":"Bad actors will produce worthless engagement (clicks, form fills with stolen information, etc.) on a single device. However, a large volume of activity from the same device and cookie is easily detectable as fraud. In order to fool advertisers, bad actors will spoof their browser and operating system (OS) and reset cookies, effectively allowing one device to impersonate many.","steps":["Malicious publisher has registered for advertiser’s lead gen campaign","Malicious publisher’s site features a fake form fill, capturing the relevant personally identifiable information (PII) to satisfy advertiser’s lead gen criteria","Malicious publisher uses emulator to send large volumes of automated traffic, first to publisher’s site and then to advertiser’s site","Malicious Publisher auto populates the real user information stolen through its fake form fill into the advertiser’s actual form fill and submits the lead","Malicious publisher simultaneously misrepresents emulator’s device ID to make the leads appear as if they are coming from multiple legitimate devices","Advertiser attributes credit to malicious publisher for each lead generated, even though they provided automated traffic and submitted stolen information, and pays malicious publisher per lead submitted"]},{"id":"web-incentivized-traffic","label":"Incentivized traffic","pageTitle":"What is incentivized traffic - lead gen fraud - Impact","summary":"A number of affiliates are sharing commissions with end users via rebates, social gaming credits, or donations to causes. These perks incentivize users to download browser toolbars and plug-ins. But users acquired this way tend to have much lower lifetime value. Low-quality publishers will often sell this incentivized activity as normal paid traffic. In other scenarios, the bad actor will stuff a cookie when the user visits sites that participate in affiliate programs.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User is incentivized to download malicious publisher’s toolbar","User goes to advertiser’s website to shop","User starts adding things to their shopping cart","Before completing checkout, the toolbar drops a cookie in user’s browser, claiming credit for driving the sale","User completes the purchase","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]},{"id":"web-recycled-stolen-information","label":"Recycled/stolen information","pageTitle":"What is recycled/stolen information - lead gen fraud - Impact","summary":"Bad actors that defraud lead gen campaigns will submit either illegitimate information (a nonexistent person) or recycled/stolen legitimate information. In the latter case, real peoples’ personally identifiable information (PII) is bought or captured through fake lead forms and then recycled to collect cost-per-lead (CPL) payouts from multiple advertisers. This technique bypasses data validators and defrauds advertisers of their performance spend. It also damages their brand reputation among the real audience members whose information is stolen, especially when the advertiser attempts to contact a person whose PII was stolen or recycled.","steps":["Malicious publisher has registered for advertiser’s lead gen campaign","Malicious publisher buys stolen information from a data breach on the black market","Malicious publisher then sends bot traffic through their own webpage on to advertiser’s website","Malicious publisher populates advertiser’s form fill with the stolen PII","Malicious publisher’s bot traffic submits fraudulent lead","Advertiser attributes credit to malicious publisher, even though they provided an illegitimate lead, and pays them a (generally high) percentage of revenue","Malicious publisher uses the same user’s info to replicate this process across many CPL advertisers and amplify their earnings"]},{"id":"web-unapproved-network-syndication","label":"Unapproved network syndication","pageTitle":"What is unapproved network syndication - lead gen fraud - Impact","summary":"When advertisers' demand for granular audience targeting goes beyond their scope,  publishers buy traffic to meet these overstated commitments. Unapproved traffic syndication can be difficult to untangle, especially because traffic brokers and ad networks often sell back and forth to each other in a larger arbitrage network. This means that traffic can be bought and sold a number of times before it reaches a publisher.","steps":["Malicious publisher registers for advertiser’s affiliate program and commits to deliver 1,000 clicks that month for a designated cost-per-click (CPC) buy","Unable to fulfill that order with their organic traffic, network buys supplementary click volumes from a third-party vendor","Third-party vendor’s click volumes include invalid bot traffic","Advertiser unknowingly pays original ad network for traffic including invalid clicks that provide no value."]}]},"technique":{"id":"web-device-spoofing","label":"Device spoofing","pageTitle":"What is device spoofing - lead gen fraud - Impact","summary":"Bad actors will produce worthless engagement (clicks, form fills with stolen information, etc.) on a single device. However, a large volume of activity from the same device and cookie is easily detectable as fraud. In order to fool advertisers, bad actors will spoof their browser and operating system (OS) and reset cookies, effectively allowing one device to impersonate many.","steps":["Malicious publisher has registered for advertiser’s lead gen campaign","Malicious publisher’s site features a fake form fill, capturing the relevant personally identifiable information (PII) to satisfy advertiser’s lead gen criteria","Malicious publisher uses emulator to send large volumes of automated traffic, first to publisher’s site and then to advertiser’s site","Malicious Publisher auto populates the real user information stolen through its fake form fill into the advertiser’s actual form fill and submits the lead","Malicious publisher simultaneously misrepresents emulator’s device ID to make the leads appear as if they are coming from multiple legitimate devices","Advertiser attributes credit to malicious publisher for each lead generated, even though they provided automated traffic and submitted stolen information, and pays malicious publisher per lead submitted"]},"techniques":[{"id":"web-click-spoofing","label":"Click spoofing","pageTitle":"What is click spoofing - attribution fraud - Impact","summary":"When advertisers rely on their publishers to self-report click events server-side, they are vulnerable to click spoofing. Unchecked, a malicious publisher may trigger a click tracking event in the absence of a legitimate click.","steps":["Malicious publisher registers for an advertiser’s affiliate program","User navigates to the publisher’s website","User does not engage with an ad on the site","User visits the forum page and views the signature","Malicious publisher fires click-tracking event anyway, spoofing the user’s engagement","After some time, user navigates to the advertiser’s website organically or via another valid partner’s promotional effort","User completes a purchase","Advertiser attributes credit to the malicious publisher, even though they provided no value in driving the sale"]},{"id":"web-hidden-landing-pages","label":"Hidden landing pages","pageTitle":"What are hidden landing pages - attribution fraud - Impact","summary":"Bad actors steal attribution by loading hidden landing pages, invisible to the user, either at random or specifically targeting users likely to convert. This can be accomplished through techniques such as pixel stuffing or ad stacking. When the user does convert of her own volition, the malicious publisher that loaded an advertiser’s landing page without the user’s knowledge claims credit and gets paid.","steps":["Malicious publisher (really a torrent or streaming site) registers for an advertiser’s affiliate program","User navigates to this streaming site to watch a bootleg movie","Malicious publisher embeds its video player’s “play” button with its affiliate link","When user clicks “play,” malicious publisher loads advertiser’s website in the background, unseen by user, who continues to watch the movie","User eventually closes out of the pop-under window containing advertiser’s landing page","User organically returns to advertiser’s site at a later time","User completes purchase","Advertiser attributes credit to malicious publisher — even though they did not influence the sale — and pays them a percentage of revenue"]},{"id":"web-image-embedding","label":"Image embedding","pageTitle":"What is image embedding - attribution fraud - Impact","summary":"A publisher replaces an image’s source code with their affiliate link and then places that image on a heavily trafficked public website. While the image will not load (it will render as a broken image icon or blank space), the browser will still follow the link and read and act on cookies sent through it. This technique is relatively unrefined, but what it lacks in targeting specificity it makes up for in broad reach and zero-cost, low-effort effectiveness.","steps":["Malicious publisher has registered for advertiser’s affiliate program","Publisher embeds a signature image with their affiliate link","Publisher posts a comment on a high traffic forum with the signature appended","User visits the forum page and views the signature","User has malicious publisher’s cookie dropped on their browser and is redirected to advertiser’s website","Some time later, user intentionally and organically returns to advertiser’s website to shop and makes a purchase","Advertiser attributes credit to the malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]},{"id":"web-malvertising","label":"Malvertising","pageTitle":"What is malvertising - attribution fraud - Impact","summary":"In the case of malvertising, bad actors pose as advertisers and buy ad space. In the meantime, they serve serve creatives that have been embedded with malicious JavaScript. This hidden code can force clicks to advertiser sites, as well as download malware onto the user’s device. They’re forcing attribution — and paying themselves — through illicit manipulation.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User is browsing normally and navigates to a page with advertisements","Malicious publisher acts like an advertiser in a programmatic ad buying situation and engages a Demand Side Platform (DSP) to buy display inventory on that page","Malicious publisher delivers compromised ad creative embedded with malicious code that redirects user to publisher’s site","With this redirect, malicious publisher drops a cookie","User later completes a purchase on advertiser’s site","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale and in fact compromised advertiser’s brand integrity with a forced redirect. Advertiser then pays them a percentage of revenue"]},{"id":"web-sneaky-redirects","label":"Sneaky redirects","pageTitle":"What are sneaky redirects - attribution fraud - Impact","summary":"Redirecting is the act of sending a visitor to a different URL than the one they initially requested. While not all redirects are malicious, a bad actor can purchase a domain name that is a misspelled version of an advertiser’s domain. The malicious publisher will then redirect users who accidentally navigate to the misspelled domain to the advertiser’s site, effectively generating an illegitimate click. In this scenario, the user was actually organic and the advertiser should not have paid any affiliate for the click. <a href='https://recordit.co/uOMyTFKqtt' target='_blank'>Watch this video</a> to see a sneaky redirect in action.","steps":["Malicious publisher owns a domain that is a common misspelling of an advertiser’s domain name and registers for that advertiser’s affiliate program","User intends to visit that advertiser’s website but mistypes and enters the misspelled URL instead","User goes to malicious publisher’s misspelled domain, which drops a cookie on user’s browser","Malicious publisher promptly sends user to advertiser’s website with a 302 redirect","User makes the purchase he originally set out to make","Advertiser attributes credit to malicious publisher, even though user was going to make the purchase organically, and pays them a percentage of revenue"]},{"id":"web-toolbar-injection","label":"Toolbar injection","pageTitle":"What is toolbar injection - attribution fraud - Impact","summary":"A malicious browser extension (think toolbar plug-in) injects cookies into the browser as a user navigates, feigning credit for an organically occurring event.","steps":["Malicious publisher has previously registered for advertiser’s affiliate program","User downloads a malicious publisher’s toolbar plug-in","User goes to advertiser’s website to shop","User starts adding things to their shopping cart","Before completing checkout, the toolbar drops a cookie in user’s browser, claiming credit for driving the sale","User completes their purchase","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]},{"id":"web-bot-fraud","label":"Bot fraud (clicks)","pageTitle":"What are bot clicks - lead gen fraud - Impact","summary":"Fraud scheme operators use emulators running retained scripts or infected devices in a botnet to automate nonhuman traffic, including click events, on a large scale. This technique is especially prevalent in the cost-per-click (CPC) space. Bot clicks can even be leveraged to generate fraudulent likes and follows, effectively committing influencer fraud across social media.","steps":["Malicious publisher has registered for advertiser’s CPC affiliate program and features text links directing traffic to advertiser’s site","Malicious publisher hires a traffic broker to augment their click volumes","Traffic broker operates a large botnet, which emulates real devices/human browsing behaviors to produce invalid click traffic","Botnet is directed to malicious publisher’s site to click through the text link to advertiser’s site","Advertiser attributes credit to publisher for an invalid click event and pays them the designated CPC"]},{"id":"web-device-spoofing","label":"Device spoofing","pageTitle":"What is device spoofing - lead gen fraud - Impact","summary":"Bad actors will produce worthless engagement (clicks, form fills with stolen information, etc.) on a single device. However, a large volume of activity from the same device and cookie is easily detectable as fraud. In order to fool advertisers, bad actors will spoof their browser and operating system (OS) and reset cookies, effectively allowing one device to impersonate many.","steps":["Malicious publisher has registered for advertiser’s lead gen campaign","Malicious publisher’s site features a fake form fill, capturing the relevant personally identifiable information (PII) to satisfy advertiser’s lead gen criteria","Malicious publisher uses emulator to send large volumes of automated traffic, first to publisher’s site and then to advertiser’s site","Malicious Publisher auto populates the real user information stolen through its fake form fill into the advertiser’s actual form fill and submits the lead","Malicious publisher simultaneously misrepresents emulator’s device ID to make the leads appear as if they are coming from multiple legitimate devices","Advertiser attributes credit to malicious publisher for each lead generated, even though they provided automated traffic and submitted stolen information, and pays malicious publisher per lead submitted"]},{"id":"web-incentivized-traffic","label":"Incentivized traffic","pageTitle":"What is incentivized traffic - lead gen fraud - Impact","summary":"A number of affiliates are sharing commissions with end users via rebates, social gaming credits, or donations to causes. These perks incentivize users to download browser toolbars and plug-ins. But users acquired this way tend to have much lower lifetime value. Low-quality publishers will often sell this incentivized activity as normal paid traffic. In other scenarios, the bad actor will stuff a cookie when the user visits sites that participate in affiliate programs.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User is incentivized to download malicious publisher’s toolbar","User goes to advertiser’s website to shop","User starts adding things to their shopping cart","Before completing checkout, the toolbar drops a cookie in user’s browser, claiming credit for driving the sale","User completes the purchase","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]},{"id":"web-recycled-stolen-information","label":"Recycled/stolen information","pageTitle":"What is recycled/stolen information - lead gen fraud - Impact","summary":"Bad actors that defraud lead gen campaigns will submit either illegitimate information (a nonexistent person) or recycled/stolen legitimate information. In the latter case, real peoples’ personally identifiable information (PII) is bought or captured through fake lead forms and then recycled to collect cost-per-lead (CPL) payouts from multiple advertisers. This technique bypasses data validators and defrauds advertisers of their performance spend. It also damages their brand reputation among the real audience members whose information is stolen, especially when the advertiser attempts to contact a person whose PII was stolen or recycled.","steps":["Malicious publisher has registered for advertiser’s lead gen campaign","Malicious publisher buys stolen information from a data breach on the black market","Malicious publisher then sends bot traffic through their own webpage on to advertiser’s website","Malicious publisher populates advertiser’s form fill with the stolen PII","Malicious publisher’s bot traffic submits fraudulent lead","Advertiser attributes credit to malicious publisher, even though they provided an illegitimate lead, and pays them a (generally high) percentage of revenue","Malicious publisher uses the same user’s info to replicate this process across many CPL advertisers and amplify their earnings"]},{"id":"web-unapproved-network-syndication","label":"Unapproved network syndication","pageTitle":"What is unapproved network syndication - lead gen fraud - Impact","summary":"When advertisers' demand for granular audience targeting goes beyond their scope,  publishers buy traffic to meet these overstated commitments. Unapproved traffic syndication can be difficult to untangle, especially because traffic brokers and ad networks often sell back and forth to each other in a larger arbitrage network. This means that traffic can be bought and sold a number of times before it reaches a publisher.","steps":["Malicious publisher registers for advertiser’s affiliate program and commits to deliver 1,000 clicks that month for a designated cost-per-click (CPC) buy","Unable to fulfill that order with their organic traffic, network buys supplementary click volumes from a third-party vendor","Third-party vendor’s click volumes include invalid bot traffic","Advertiser unknowingly pays original ad network for traffic including invalid clicks that provide no value."]}],"previousTechnique":{"id":"web-bot-fraud","label":"Bot fraud (clicks)","pageTitle":"What are bot clicks - lead gen fraud - Impact","summary":"Fraud scheme operators use emulators running retained scripts or infected devices in a botnet to automate nonhuman traffic, including click events, on a large scale. This technique is especially prevalent in the cost-per-click (CPC) space. Bot clicks can even be leveraged to generate fraudulent likes and follows, effectively committing influencer fraud across social media.","steps":["Malicious publisher has registered for advertiser’s CPC affiliate program and features text links directing traffic to advertiser’s site","Malicious publisher hires a traffic broker to augment their click volumes","Traffic broker operates a large botnet, which emulates real devices/human browsing behaviors to produce invalid click traffic","Botnet is directed to malicious publisher’s site to click through the text link to advertiser’s site","Advertiser attributes credit to publisher for an invalid click event and pays them the designated CPC"]},"nextTechnique":{"id":"web-incentivized-traffic","label":"Incentivized traffic","pageTitle":"What is incentivized traffic - lead gen fraud - Impact","summary":"A number of affiliates are sharing commissions with end users via rebates, social gaming credits, or donations to causes. These perks incentivize users to download browser toolbars and plug-ins. But users acquired this way tend to have much lower lifetime value. Low-quality publishers will often sell this incentivized activity as normal paid traffic. In other scenarios, the bad actor will stuff a cookie when the user visits sites that participate in affiliate programs.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User is incentivized to download malicious publisher’s toolbar","User goes to advertiser’s website to shop","User starts adding things to their shopping cart","Before completing checkout, the toolbar drops a cookie in user’s browser, claiming credit for driving the sale","User completes the purchase","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the sale, and pays them a percentage of revenue"]}}}}