There are many different detections that Opticks is able to perform on any given click that reaches the protected asset.
In this section we introduce the Threat and Incidence concepts, and list and explain each detection.
Be aware that each click can trigger none, one or several of the following detections.
- A Threat is a material challenge to the marketing operations. Threats are composed of one or several incidences.
- Incidences are the specific low-level mechanisms that allow fraudsters to carry out fraud. They materialize themselves as “Threats”.
| Threat | Description | Related Incidences |
| --- | --- | --- |
| Bad bots | A bot is an automated piece of software programmed to perform some task. Bad Bots refers to any automated software attempting to generate fraudulent income. In many cases, the Bad Bot is a malicious app on a user's device which attempts to generate profits by subscribing the user to premium services or downloading other apps. This activity occurs without the user's knowledge, and the malicious app often masks itself as a legitimate app. Malicious web sites can also perform similar fraud. Other common Bad Bots are automated pieces of software running on servers. Those can generate huge amounts of fake traffic in an attempt to generate CPC income, video views, fill in lead generation forms or subscribe users to premium services. | |
| Non-compliant traffic | Traffic that, depending on the use case, can be a harmful threat. For example, iframe traffic can pose a risk in some cases, while in others it has a legitimate use. Another example is traffic coming from adult websites. | |
| Data tampering | Opticks detects different types of tampered requests and abnormal behaviours, which are a clear indicator of fraud. The User Agent header identifies the device and software being used to visit the web page. In an attempt to hide their activity and access restricted content, fraudsters falsely identify the software they are using (i.e. the web browser). For example, a single bot running on a Linux server will pose as 30 different mobile browsers in order to access content meant for mobile devices while hiding the fact that all the traffic originates from the same device. Opticks can detect cases where the User Agent information is not consistent with the device features, and block the traffic. HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically generated. Opticks, among other checks, looks for any headers containing MSISDN information, which is a clear indication of fraud. | |
| Statistical anomalies | Besides the gathered telemetry, Opticks is able to use statistical analysis to improve the scoring of a visit. For example, Opticks analyzes the device distribution of | |
| Telemetry missing | In some cases Opticks is not able to gather the telemetry needed to perform its analysis. The main reason is that the device cannot execute JavaScript, either because it is purposely disabled or because the device is too old. | |
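The Data tampering and Telemetry missing rows above describe two cross-checks: a User Agent that claims one kind of device while the client-side telemetry reveals another, and an HTTP header that carries an MSISDN. The following Python is an added illustration written for this page, not Opticks code; the header watchlist (`MSISDN_HEADER_NAMES`), the mobile User Agent tokens, the `Telemetry` fields and the four sample visits are all constructed assumptions, and the thresholds are deliberately simple.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header names assumed here to carry a subscriber number (MSISDN). The watchlist
# Opticks actually uses is not published; this set is constructed for the example.
MSISDN_HEADER_NAMES = {"x-msisdn", "x-up-calling-line-id", "x-nokia-msisdn"}

# Substrings that make a User-Agent string claim a mobile device (assumption).
MOBILE_UA_TOKENS = ("android", "iphone", "ipad", "mobile")


@dataclass
class Telemetry:
    """Facts a JavaScript beacon could report about the real client (constructed)."""
    max_touch_points: int  # e.g. navigator.maxTouchPoints
    screen_width: int      # e.g. screen.width in CSS pixels
    platform: str          # e.g. navigator.platform


def ua_claims_mobile(user_agent: str) -> bool:
    """True when the User-Agent header presents the client as a mobile browser."""
    ua = user_agent.lower()
    return any(token in ua for token in MOBILE_UA_TOKENS)


def telemetry_looks_desktop(t: Telemetry) -> bool:
    """A desktop box has no touch points, a wide screen and a desktop platform string."""
    desktop_platforms = ("linux x86", "win", "mac")
    return (t.max_touch_points == 0
            and t.screen_width >= 1280
            and t.platform.lower().startswith(desktop_platforms))


def detect(headers: Dict[str, str], telemetry: Optional[Telemetry]) -> List[str]:
    """Return the names of the detections this visit triggers (none, one or several)."""
    found: List[str] = []
    norm = {name.lower(): value for name, value in headers.items()}

    # MSISDN injection: a subscriber number has no business arriving in an HTTP header.
    if any(name in MSISDN_HEADER_NAMES for name in norm):
        found.append("MSISDN injection")

    # Telemetry missing: without the beacon the User-Agent cannot be cross-checked.
    if telemetry is None:
        found.append("Telemetry missing")
        return found

    # User Agent tampering: a "mobile" User-Agent whose device features say desktop.
    if ua_claims_mobile(norm.get("user-agent", "")) and telemetry_looks_desktop(telemetry):
        found.append("User Agent tampering")
    return found


# Four constructed visits: a genuine phone, a server-side bot posing as that phone,
# a phone whose request carries an injected MSISDN header, and a client with no beacon.
PHONE_UA = "Mozilla/5.0 (Linux; Android 11; SM-G991B) AppleWebKit/537.36 Mobile Safari/537.36"
SAMPLE_VISITS = [
    ({"User-Agent": PHONE_UA}, Telemetry(5, 412, "Linux armv8l")),
    ({"User-Agent": PHONE_UA}, Telemetry(0, 1920, "Linux x86_64")),
    ({"User-Agent": PHONE_UA, "X-MSISDN": "27820000000"}, Telemetry(5, 412, "Linux armv8l")),
    ({"User-Agent": PHONE_UA}, None),
]


def run_samples() -> List[List[str]]:
    """Run the detector over the constructed visits, one result list per visit."""
    return [detect(headers, telemetry) for headers, telemetry in SAMPLE_VISITS]


if __name__ == "__main__":
    for (headers, _), result in zip(SAMPLE_VISITS, run_samples()):
        print(dict(headers), "->", result or "clean")
```

The second visit is the "single bot posing as a mobile browser" case from the table: the header alone looks fine, and only the mismatch with the beacon's touch, screen and platform data exposes it. The last visit shows why a missing beacon is itself reported rather than silently treated as clean.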
| Incidence | Description |
| --- | --- |
| Automated software | Also known as bad bots. These are automated pieces of software running on servers that can generate huge amounts of fake traffic in an attempt to generate CPC income, video views, fill in lead generation forms or subscribe users to premium services. |
| Malicious code injected | Opticks found executed code known to be used by fraudsters to carry out malicious activities. |
| Hidden page | The user is not seeing the marketing asset, i.e. it is being loaded in the background or outside of the screen viewport. |
| Tiny iframe | An iframe so small that it does not allow the offer to be viewed by the user. |
| Time to conversion anomaly | Opticks found abnormal patterns in the time elapsed between the original click and the conversion. |
| Adult traffic | Opticks can block traffic with adult (XXX) keywords found in the HTTP headers. This helps protect mainstream offers from receiving adult traffic. |
| WASPA APK List | This trigger is only activated for traffic from South Africa. The APK listed in the HTTP X-Requested-With header appears in the list maintained by WASPA, the official regulatory body. |
| Iframe traffic | An iframe (short for inline frame) is an HTML element that allows an external webpage to be embedded in an HTML document. If you are not careful about allowing your pages to be shown within somebody else's HTML page, there is a considerable security risk. Opticks can block traffic if it finds that your page is being shown inside an iframe. |
| IP flagged for Attacks | Opticks curates its own lists and subscribes to external lists of dangerous IP addresses. Dangerous IP addresses are those known to generate spam, launch abuse and malware, or known to be unreachable. |
| IP flagged as Malware | |
| IP flagged for Abuse | |
| Web proxy traffic | Proxies are used for a number of reasons, such as to filter web content, to get around restrictions such as parental blocks, to screen downloads and uploads, and to provide anonymity when surfing the Internet. |
| Datacenter traffic | A data center is a facility composed of networked computers. Fraudsters usually use data centers to run bot software. |
| VPN proxy traffic | Privacy is increased with a Virtual Private Network because the user's original IP address is replaced with one from the VPN provider. Subscribers can obtain an IP address from any gateway city the VPN service provides. |
| Apps outside of Playstore | The application has not been installed from the official Google Play Store, so Google's Play Store security and health checks have not been passed for this app. Be aware, though, that fraudsters are able to misrepresent the package name of the APK they use to generate fraudulent traffic, and they usually use legitimate APK names to avoid being blocked. |
| Browser tampering | The user is tampering with information about their browser. |
| OS tampering | The user is tampering with information about their Operating System. |
| User Agent tampering | The user is tampering with their User Agent string. |
| Invalid requests | Opticks could not decrypt the communications due to an error in the transmission of data. |
| MSISDN injection | HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically generated. Opticks specifically looks for any headers containing MSISDN information, which is a clear indication of fraud. |
| Bypass attempts | Attempts by fraudsters to bypass anti-fraud solutions like Opticks. |
| App Name tampering | The user is tampering with their app name. |
| Repeated IP + fingerprint | A frequency cap can be configured in Opticks per combination of IP and proprietary fingerprint, detecting likely duplicated visits from the same device. |
| Unusually high CR (low threshold) | Traffic received in different Campaigns may have different particularities. This feature allows you to define a custom threshold percentage for detecting suspicious or dangerous conversion rate (CR) values per Campaign, so you can adapt the Campaign's configuration to the real characteristics of your traffic. You can set both a High and a Low threshold. |
| Unusually high CR (high threshold) | |
| Unusually high subpublisher CR | Opticks found abnormal patterns in the conversion rate of certain sub-publishers or sub-sources (values that deviate strongly from the general values of the rest of the sub-publishers). |
| Unusual conversion distribution by device | Opticks analyzes the device distribution of Campaign conversions. If this filter is selected, Opticks will block visits from suspicious devices. |
| Old Generation Browsers | Browsers no longer compliant with current standards. |
| Browsers without JS support | Blocks traffic from visits that cannot run JavaScript. |
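Three of the incidences above are statistical rather than per-request: the frequency cap on repeated IP + fingerprint pairs, the per-Campaign conversion-rate thresholds, and the sub-publisher whose CR deviates from the rest. The Python below is an added worked example for this page, not Opticks code. It assumes a click log of `(timestamp, ip, fingerprint, sub_publisher, converted)` tuples, reads the two CR thresholds as "above the low threshold is suspicious, above the high threshold is dangerous" (an assumption; the page only says both can be set), and uses a leave-one-out z-score as one possible way to compare each sub-publisher against the rest. The click log is constructed inline.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev
from typing import Deque, Dict, List, Tuple

# (timestamp_s, ip, fingerprint, sub_publisher, converted) -- constructed log format
Event = Tuple[int, str, str, str, bool]


class FrequencyCap:
    """Flag a visit once the same IP + fingerprint pair exceeds max_visits within window_s seconds."""

    def __init__(self, max_visits: int, window_s: int) -> None:
        self.max_visits = max_visits
        self.window_s = window_s
        self._seen: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)

    def visit(self, ts: int, ip: str, fingerprint: str) -> bool:
        window = self._seen[(ip, fingerprint)]
        while window and ts - window[0] > self.window_s:  # drop visits older than the window
            window.popleft()
        window.append(ts)
        return len(window) > self.max_visits


def cr_pct(clicks: int, conversions: int) -> float:
    """Conversion rate as a percentage; 0 when there were no clicks."""
    return 100.0 * conversions / clicks if clicks else 0.0


def campaign_cr_flags(cr: float, low_pct: float, high_pct: float) -> List[str]:
    """Assumed reading of the two thresholds: above low is suspicious, above high is dangerous."""
    if cr > high_pct:
        return ["Unusually high CR (high threshold)"]
    if cr > low_pct:
        return ["Unusually high CR (low threshold)"]
    return []


def anomalous_subpublishers(cr_by_sub: Dict[str, float], max_z: float = 3.0) -> List[str]:
    """Leave-one-out z-score: compare each sub-publisher's CR with the rest of the sub-publishers."""
    flagged = []
    for sub, cr in cr_by_sub.items():
        others = [v for s, v in cr_by_sub.items() if s != sub]
        if len(others) < 2:
            continue
        spread = max(pstdev(others), 0.5)  # floor so a perfectly uniform rest still yields a finite z
        if abs(cr - mean(others)) / spread > max_z:
            flagged.append(sub)
    return flagged


def analyze(events: List[Event], cap: FrequencyCap, low_pct: float, high_pct: float) -> dict:
    """One pass over the log: count capped visits, then compute Campaign and per-sub CRs."""
    repeated = 0
    clicks: Dict[str, int] = defaultdict(int)
    convs: Dict[str, int] = defaultdict(int)
    for ts, ip, fp, sub, converted in events:
        if cap.visit(ts, ip, fp):
            repeated += 1
        clicks[sub] += 1
        convs[sub] += int(converted)
    campaign_cr = cr_pct(sum(clicks.values()), sum(convs.values()))
    cr_by_sub = {sub: cr_pct(clicks[sub], convs[sub]) for sub in clicks}
    return {
        "repeated_ip_fingerprint": repeated,
        "campaign_cr_pct": round(campaign_cr, 2),
        "campaign_flags": campaign_cr_flags(campaign_cr, low_pct, high_pct),
        "anomalous_subpublishers": anomalous_subpublishers(cr_by_sub),
    }


def build_sample_events() -> List[Event]:
    """Constructed click log: three ordinary sub-publishers, one converting far too often,
    plus a single device hammering the link (12 clicks in 55 seconds)."""
    events: List[Event] = []
    ts = 0
    for sub, n_clicks, n_conv in [("sub-a", 100, 4), ("sub-b", 100, 6), ("sub-c", 100, 5), ("sub-d", 50, 30)]:
        for i in range(n_clicks):
            ts += 7
            events.append((ts, f"203.0.113.{i % 50}", f"fp-{sub}-{i % 50}", sub, i < n_conv))
    for i in range(12):
        events.append((ts + 5 * i, "198.51.100.7", "fp-bot-1", "sub-a", False))
    return events


def run_sample() -> dict:
    return analyze(build_sample_events(), FrequencyCap(max_visits=5, window_s=60), low_pct=10.0, high_pct=20.0)


if __name__ == "__main__":
    print(run_sample())
```

On the constructed log the cap fires on the 6th and every later click of the single device (7 of its 12 visits), the Campaign CR of about 12.4% crosses only the low threshold, and `sub-d` is the only sub-publisher whose CR sits far outside the spread of the others. The leave-one-out comparison matters here: with only a handful of sub-publishers, an ordinary z-score computed against the whole set cannot exceed roughly the square root of the group size, so one extreme sub-publisher would drag the mean and standard deviation enough to hide itself.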