⚠️ N.B. We have updated the way we categorise the different detections and fraud vehicles explained in this article. Please check the Threats and Incidences list article for the updated version of this document, as it should only be used as reference for older data.
There are many different detections that Opticks is able to perform on any given click that reaches the protected asset. Please be aware that each click can trigger either none, one or several of the following detections.
- Automated Software: also known as bad bots. These are automated pieces of software running on servers that can generate huge amounts of fake traffic in an attempt to generate CPC income or video views, fill in lead generation forms, or subscribe users to premium services.
- Malicious code found: Opticks found some executed code known to be used by fraudsters to carry out malicious activities.
- Offer not rendered: the user is not seeing the marketing asset, i.e. it is being loaded in the background or outside the screen viewport.
- Blacklisted APK: traffic is identified to be originating from an app included in your APK blacklist.
- WASPA List: this trigger is only activated for traffic from South Africa. The APK listed in the HTTP X-Requested-With header is on the list maintained by WASPA, the official regulatory body.
The User Agent header identifies the device and software being used to visit the web page. In an attempt to hide their activity and access restricted content, fraudsters misrepresent the software they are using (i.e. the web browser).
Opticks can detect cases where the User Agent information is not consistent with the device features, and block the traffic.
- OS tampering: the user has tampered with their operating system.
- User Agent tampering: the user has tampered with their User Agent.
- Browser tampering: the user has tampered with information about their browser.
- Old generation browser: browsers no longer compliant with current standards.
- MSISDN Injection: HTTP header injection is a general class of web application security vulnerability that occurs when Hypertext Transfer Protocol (HTTP) headers are generated dynamically. Opticks specifically looks for any headers containing MSISDN (subscriber phone number) information, which is a clear indication of fraud.
- Invalid Requests: Opticks could not decrypt the communications due to an error in data transmission.
- Invalid App name: traffic that is using invalid package names. Package names must comply with an industry standard; a non-compliant name indicates fraudsters masking fraudulent traffic.
- Bypass Attempt: attempts by fraudsters to bypass antifraud solutions like Opticks.
Opticks curates its own lists as well as subscribing to external lists of dangerous IP addresses. Dangerous IP addresses are those known to generate spam, to launch abuse and malware, or to be unreachable.
- IP flagged for Abuse
- IP flagged for Attacks
- IP flagged as Malware
- Web proxy: proxies are used for a number of reasons such as to filter web content, to go around restrictions such as parental blocks, to screen downloads and uploads and to provide anonymity when surfing the Internet.
- VPN proxy: privacy is increased with a Virtual Private Network because the user's initial IP address is replaced with one from the Virtual Private Network provider. Subscribers can obtain an IP address from any gateway city the VPN service provides.
- Datacenter traffic: a data center is a facility composed of networked computers. Fraudsters commonly run their bot software from data centers.
- Google Proxy: Check this option to block Google Data Saver traffic. If Google Data Saver can’t access your Campaign, Chrome will try accessing normally.
- Opera Mini Proxy: Opera traffic in itself is not suspicious, but you may want to block it. When Opera users activate data saving capabilities they are hidden under a proxy, not revealing their real IP.
- Iframe: An iframe (short for inline frame) is an HTML element that allows an external webpage to be embedded in an HTML document. If you are not very careful when allowing your pages to be shown within somebody else's HTML page, there is a considerable security risk. Opticks can block traffic if it finds that your page is being shown inside an Iframe.
- Tiny Iframe: an iframe so small that it does not allow the offer to be viewed by the user.
- Non-PlayStore APK: the application hasn't been installed from the official Google PlayStore, so Google's PlayStore security and health checks have not been passed for this app. Be aware, though, that fraudsters are able to misrepresent the package name of the APK they use to generate fraudulent traffic, and they usually use legitimate APK names to avoid being blocked.
- Adult keywords in headers: Opticks can block traffic with adult (XXX) keywords found in the HTTP Headers. This can help protect mainstream offers from receiving adult traffic.
- Repeated IP + Fingerprint: a frequency cap can be configured per combination of IP and proprietary fingerprint, detecting likely duplicated visits from the same device.
- Suspicious device conversions distribution: Opticks analyzes the device distribution of Campaign conversions. If this filter is selected, Opticks will block visits from suspicious devices.
Suspicious conversion patterns
- Click to conversion time anomaly: Opticks found abnormal patterns in the time passing from the original click to the conversion.
- Sub-publisher CR Anomaly: Opticks found abnormal patterns in conversion rate for certain sub-publishers or sub-sources.
Traffic received in different Campaigns might have different particularities. This feature allows you to define a custom threshold percentage for detecting suspicious or dangerous conversion rate (CR) values per Campaign, so that the Campaign's configuration matches the real characteristics of your traffic:
- CR above low threshold
- CR above high threshold
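As an added illustration (not Opticks' own code) of three detections described on this page, MSISDN Injection, Repeated IP + Fingerprint, and the per-Campaign CR thresholds, the following script runs simplified versions of each over constructed click records. It assumes the high CR threshold supersedes the low one and that a click is represented as a dict with ip, fingerprint and headers keys; all IPs, fingerprints and header values are hypothetical.

```python
import re
from collections import Counter

MSISDN_RE = re.compile(r"msisdn", re.IGNORECASE)

def msisdn_injection(headers):
    """MSISDN Injection: flag any HTTP header whose name carries subscriber
    number (MSISDN) information; such headers should never reach the asset."""
    return any(MSISDN_RE.search(name) for name in headers)

def repeated_ip_fingerprint(clicks, cap):
    """Repeated IP + Fingerprint: frequency capping per (ip, fingerprint) pair.
    Returns the pairs whose visit count exceeds `cap`."""
    counts = Counter((c["ip"], c["fingerprint"]) for c in clicks)
    return {pair for pair, n in counts.items() if n > cap}

def cr_detection(clicks, conversions, low, high):
    """Per-Campaign CR thresholds; low/high are fractions (0.05 == 5%).
    Assumption: the high-threshold trigger supersedes the low one."""
    cr = conversions / clicks if clicks else 0.0
    if cr > high:
        return "CR above high threshold"
    if cr > low:
        return "CR above low threshold"
    return None

def run_detections(clicks, cap):
    """Map each click to the list of detections it triggers (possibly none)."""
    repeated = repeated_ip_fingerprint(clicks, cap)
    result = []
    for c in clicks:
        hits = []
        if msisdn_injection(c["headers"]):
            hits.append("MSISDN Injection")
        if (c["ip"], c["fingerprint"]) in repeated:
            hits.append("Repeated IP + Fingerprint")
        result.append(hits)
    return result

# Constructed sample clicks (hypothetical IPs, fingerprints and headers).
SAMPLE_CLICKS = [
    {"ip": "203.0.113.5", "fingerprint": "fp-a", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"ip": "203.0.113.5", "fingerprint": "fp-a", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"ip": "203.0.113.5", "fingerprint": "fp-a", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"ip": "198.51.100.9", "fingerprint": "fp-b", "headers": {"X-MSISDN": "27820000000"}},
]

if __name__ == "__main__":
    print(run_detections(SAMPLE_CLICKS, cap=2))
    print(cr_detection(clicks=400, conversions=100, low=0.05, high=0.20))
```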