Sven Hezel [email protected]

How to detect affiliate fraud


Page 1: How to detect affiliate fraud

Sven Hezel [email protected]

Page 2: How to detect affiliate fraud

AN OVERVIEW OF FRAUD

Example Company Inc.

• Monthly Marketing Spend: $ 150.000

• Commission Payout: $ 5

• Percentage of Fraud: 15%

Annual Financial Damage: $ 270.000

Page 3: How to detect affiliate fraud

IS YOUR TRAFFIC HIGH-QUALITY?

Our research suggests that 18% of all Paid Web Traffic is Fraudulent.

It goes further than that with Mobile where Fraud can be as high as 40%.

Page 4: How to detect affiliate fraud

THE NETWORK DIAGRAM

[Diagram: ADVERTISER; Network 1, Network 2; Affiliate 1, Affiliate 2, Affiliate 3; FRAUDSTER]

Your traffic presumably comes from a limited number of affiliate IDs.

Only a careful and complex analysis can bring your business back on the right track.

Page 5: How to detect affiliate fraud

COMMON BEST PRACTICES

• ARPU Analysis

• Referer URL Checks

• Affiliate Screening

• Conversion Rate Analysis

• IP Address Checks

Page 6: How to detect affiliate fraud

BUT IN REALITY …

[Diagram: ADVERTISER; Network 1, Network 2; Affiliate 1, Network 3, Affiliate 2, Affiliate 3; Sub-affiliate 1; FRAUDSTER]

Networks are very often signed up as affiliates to other networks.

Fraudsters can only be driven away for a limited time.

Page 7: How to detect affiliate fraud

ISSUES WITH FRAUD SCREENING

• Analysis requires at least 300 conversions

• Precious time is wasted

• Affiliates sign up under multiple fake accounts

• Networks exchange offers between them

• Analytics takes a minimum of 2 weeks

• No permanent exclusion possible

and fraudsters simply keep at it …

Page 8: How to detect affiliate fraud

FIRST STEPS TO TACKLING FRAUD

Check your affiliate’s IP on sign-up, as it might be a proxy.

Limit countries that can join in.

Ask for SMS validation on sign-up.

Analyse your traffic (IP addresses, conversion rates, user agents …).

Try to minimize fraud instead of attempting to eliminate 100% of it.

Page 9: How to detect affiliate fraud

Suspicious Spikes

Plot Graphs to check Conversion Volume.

Spiking affiliate traffic, especially from unknown affiliates, is very often fraudulent.

[Chart: Clicks / Convs per hour (hours 1 to 30) for Affiliate 1, Affiliate 2 and Affiliate 3. Annotation on the chart: "! Check with Affiliate"]

Page 10: How to detect affiliate fraud

CONVERSION RATE ANALYSIS

Gain new insights by checking daily and hourly conversion rates.

You can easily plot similar graphs in Excel or Google Sheets.

[Chart: Clicks / Convs per hour]

Page 11: How to detect affiliate fraud

PROXY DETECTION

Proxies are very often identifiable just by their name.

There are a variety of free resources on the web to check IP info such as whoer.net or freegeoip.net.

Page 12: How to detect affiliate fraud

CLEAN IP vs TOR IP

Tor IP

My IP address: 91.109.247.173
Hostname: tor-exit2-readme.puckey.org → 91.109.247.173
Mail server: epistle.puckey.org
IP range: 91.109.246.0 - 91.110.63.255
ISP: UK2 - Ltd
Organization: UK2 - Ltd
Black list: Yes (Illegal 3rd party exploits, including proxies, worms and trojan)
Proxy headers: No
TOR: Yes
Anonymizer: No

German Telekom DSL

My IP address: 93.205.98.43
Hostname: p5DCD622B.dip0.t-ipconnect.de → 93.205.98.43
Mail server: rx.t-online.de
IP range: 93.205.98.0 - 93.205.99.255
ISP: Deutsche Telekom AG
Organization: Deutsche Telekom AG
Black list: No
Proxy headers: No
TOR: No
Anonymizer: No

Page 13: How to detect affiliate fraud

TimeZone Offset

When many conversions show a difference between the time zone of the IP address and the local computer time, it can be an indication of fraud.

www.whoer.net/extended

Country: Germany (DE)
Continent: Europe
Region: Bayern
City: Munich
ZIP code: N/A
Latitude: 48.15
Longitude: 11.5833
Time zone: Europe/Berlin
local: Sun Mar 22 2015 17:03:52 GMT+0100 (CET)
system: Sun Mar 22 2015 23:03:52 GMT+0700 (KRAT)
UTC: Sun Mar 22 2015 16:03:52 UTC
GMT: Sun Mar 22 2015 16:03:52 GMT
DST: No
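The time zone comparison above, as an added Python example that is not part of the original slides. It assumes the "local" line is the time in the IP address's zone and the "system" line is the browser clock, as the sample reads; the `EDT` string, the affiliate names and the 20% cut-off for "many" are constructed assumptions.

```python
import re
from collections import defaultdict

# Offset part of a JavaScript Date string, e.g. "... GMT+0700 (KRAT)".
_GMT_OFFSET = re.compile(r"GMT([+-])(\d{2})(\d{2})")

CET = "Sun Mar 22 2015 17:03:52 GMT+0100 (CET)"    # "local" line from the slide
KRAT = "Sun Mar 22 2015 23:03:52 GMT+0700 (KRAT)"  # "system" line from the slide
EDT = "Sun Mar 22 2015 12:03:52 GMT-0400 (EDT)"    # constructed

# Constructed sample of (affiliate_id, ip_zone_time, browser_time).
CONVERSIONS = [
    ("aff_1", CET, CET), ("aff_1", CET, CET),
    ("aff_1", EDT, EDT), ("aff_1", CET, "no clock sent"),
    ("aff_2", CET, KRAT), ("aff_2", CET, KRAT),
    ("aff_2", EDT, KRAT), ("aff_2", CET, CET),
]


def utc_offset_minutes(js_date):
    """Return the UTC offset in minutes, or None if the string has none."""
    match = _GMT_OFFSET.search(js_date)
    if match is None:
        return None
    sign = 1 if match.group(1) == "+" else -1
    return sign * (int(match.group(2)) * 60 + int(match.group(3)))


def mismatch_share(conversions):
    """Per affiliate: share of conversions whose two offsets disagree."""
    total, mismatched = defaultdict(int), defaultdict(int)
    for affiliate, ip_zone_time, browser_time in conversions:
        ip_offset = utc_offset_minutes(ip_zone_time)
        browser_offset = utc_offset_minutes(browser_time)
        if ip_offset is None or browser_offset is None:
            continue  # unparseable rows are left out rather than guessed
        total[affiliate] += 1
        if ip_offset != browser_offset:
            mismatched[affiliate] += 1
    return {aff: mismatched[aff] / total[aff] for aff in total}


def suspicious_affiliates(conversions, max_share=0.2):
    """Affiliates whose mismatch share exceeds max_share (assumed cut-off)."""
    shares = mismatch_share(conversions)
    return sorted(aff for aff, share in shares.items() if share > max_share)
```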

Page 14: How to detect affiliate fraud

IP PATTERNS & DUPLICATES

Lead campaigns should never total more than 3% in duplicate IPs.

IP patterns are more subtle and result from Modem or 3G resets.

Excel’s Pivot Tables are a great tool in the absence of specialized software.

72.85.110.5
72.85.110.15
72.85.110.120
72.85.110.22
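The duplicate and pattern checks above can also be scripted instead of pivoted. The following Python is an added example, not part of the original slides; the affiliate names, the `10.x` addresses, the 25% per-/24 limit and the minimum lead count are constructed assumptions, while the 3% ceiling and the four `72.85.110.x` addresses come from the slide.

```python
import ipaddress
from collections import Counter, defaultdict

DUPLICATE_LIMIT = 0.03  # the 3% ceiling for lead campaigns from the slide
SUBNET_LIMIT = 0.25     # assumed: max share of distinct IPs in one /24
MIN_LEADS = 5           # assumed: too few leads give meaningless shares

# Constructed sample of (affiliate_id, lead_ip); only the four 72.85.110.x
# addresses come from the slide, everything else is made up.
LEADS = (
    [("aff_clean", f"10.{i}.0.7") for i in range(50)]
    + [("aff_clean", "10.0.0.7")]                               # 1 repeat in 51
    + [("aff_dupes", f"10.{100 + i}.0.9") for i in range(15)]
    + [("aff_dupes", f"10.{100 + i}.0.9") for i in range(5)]    # 5 repeats in 20
    + [("aff_pattern", ip) for ip in
       ("72.85.110.5", "72.85.110.15", "72.85.110.120", "72.85.110.22")]
    + [("aff_pattern", f"10.{200 + i}.0.3") for i in range(4)]
)


def ip_report(leads):
    """Per affiliate: duplicate-IP share, busiest /24 and flags (IPv4 only)."""
    by_affiliate = defaultdict(list)
    for affiliate, ip in leads:
        by_affiliate[affiliate].append(ipaddress.ip_address(ip))

    report = {}
    for affiliate, ips in by_affiliate.items():
        unique = set(ips)
        duplicate_share = (len(ips) - len(unique)) / len(ips)
        # Count distinct addresses per /24 so plain repeats are not counted twice.
        subnets = Counter(
            ipaddress.ip_network(f"{ip}/24", strict=False) for ip in unique
        )
        top_subnet, top_count = subnets.most_common(1)[0]
        subnet_share = top_count / len(unique)

        flags = []
        if len(ips) >= MIN_LEADS:
            if duplicate_share > DUPLICATE_LIMIT:
                flags.append("duplicate_ips")
            if subnet_share > SUBNET_LIMIT:
                flags.append("subnet_pattern")
        report[affiliate] = {
            "duplicate_share": duplicate_share,
            "top_subnet": str(top_subnet),
            "subnet_share": subnet_share,
            "flags": flags,
        }
    return report
```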

Page 15: How to detect affiliate fraud

USER AGENT ANALYSIS

Real traffic comes from a balanced mix of browsers and operating systems.

Page 16: How to detect affiliate fraud

SESSION TIME

Time between a click and a conversion (registration, install etc.)

- Below-average session times indicate automation / bots.
- Above-average session times in combination with a low CR (<0.1%) indicate cookie dropping.

Page 17: How to detect affiliate fraud

REFERER URL

Shows the source the traffic came from

- Does the product match the site? (e.g. a healthcare site delivering lots of game leads)
- Banner promotions should contain a Referer URL.
- Ask your affiliates why their traffic does not have a Referer.

Page 18: How to detect affiliate fraud

WHAT TO WATCH OUT FOR

High conversion rates at unusual times, or extremely high (>30%) or low (<0.1%) conversion rates, are always suspicious.

An increase in traffic without prior notice from your business partners should be carefully analyzed.

Affiliates with dubious profiles signing up, generally shortly after some other affiliate has just joined, are a bad sign.
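The conversion-rate limits above and the session-time rules from the SESSION TIME slide, combined in one screening pass. This Python is an added example, not part of the original slides; the affiliate names, the traffic figures and the `FAST` / `SLOW` margins around the baseline are constructed assumptions, and the sample is far smaller than the 300 conversions the slides ask for.

```python
from statistics import median

CR_HIGH = 0.30   # ">30%" from the slides
CR_LOW = 0.001   # "<0.1%" from the slides
FAST = 0.25      # assumed: "below average" = under 25% of the baseline
SLOW = 2.0       # assumed: "above average" = over 200% of the baseline

# Constructed sample: affiliate -> (clicks, seconds from click to conversion,
# one entry per conversion).
TRAFFIC = {
    "aff_normal": (2000, [95, 120, 140, 160, 180, 210, 240, 300] * 5),
    "aff_bot": (100, [3, 4, 4, 5, 5, 6] * 6),
    "aff_cookie": (50000, [3600, 5400, 7200, 9000] * 10),
}


def screen(traffic):
    """Return {affiliate: [flags]} using the CR and session-time rules."""
    medians = {aff: median(times)
               for aff, (_, times) in traffic.items() if times}
    # Baseline = median of per-affiliate medians, so that one high-volume
    # fraudulent source cannot drag the "average" towards itself (assumption).
    baseline = median(medians.values()) if medians else None

    findings = {}
    for aff, (clicks, times) in traffic.items():
        flags = []
        cr = len(times) / clicks if clicks else 0.0
        if cr > CR_HIGH:
            flags.append("cr_above_30pct")
        elif cr < CR_LOW:
            flags.append("cr_below_0.1pct")

        typical = medians.get(aff)
        if typical is not None:
            if typical < FAST * baseline:
                flags.append("fast_sessions_bot_like")
            elif typical > SLOW * baseline and cr < CR_LOW:
                flags.append("cookie_dropping_pattern")
        findings[aff] = flags
    return findings
```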

Page 19: How to detect affiliate fraud

THANK YOU!


CONCLUSION

Sven Hezel
E-mail: [email protected]
+49 8941613283

QUESTIONS?

You can download this presentation here: http://www.24metrics.com/downloads/