“Just stealing some clicks from an unsuspecting advertiser!”
Clickspam is just the latest evolution of one of world’s oldest sins.
Since man first learned to trade, he has lied to and defrauded his fellow.
In ancient Mesopotamia, the birthplace of writing, traders would record their contracts on clay tablets using a complicated writing system called cuneiform. Even back in 3,000 BC, fraud was so rife that contract tablets had to be encased in clay and sealed using the individual seal of all concerned parties.
This way, fraudsters couldn’t change the contract after the agreement was made. If a dispute arose or one party tried to cheat the other, the tablet would be broken open in front of witnesses and read aloud.
The punishment for fraud in ancient Mesopotamia was somewhat more severe than today, yet it occurred nonetheless.
So, unfortunately, these unsavory characters have been with us for quite some time. With the advent of the internet, the scourge of swindlers and scammers seems to have only gotten worse.
And legal recourse becomes all the more difficult when the swindler and his victim are in different nations with wholly different laws.
In this way, the internet has proven a boon for criminals. And naturally, they weren’t content to leave the online advertising world alone.
Especially when digital ad revenue now exceeds 100 billion dollars per year in the United States alone, according to the IAB.
Advertising fraud is not uncommon. At all.
In fact, it is only becoming more common. According to “The Economic Cost of Bad Actors on the Internet, Ad Fraud 2019” by internet security firm Cheq, online ad fraud is expected to cost the industry 23 billion dollars in 2019.
That’s right, 23 Billion dollars.
To help you visualize that, the tallest building in the world, the Burj Khalifa in Abu Dhabi, cost a measly 1.5 billion dollars.
As you can see, the industry loses an insane amount of money to fraud.
15 Burj Khalifas’ worth of money, to be exact.
And because the industry is so large and the amount of money sloshing around is so high, scammers have invented a variety of ever-changing ways to siphon a little bit of money out of the ecosystem.
One of the latest and most widespread is Clickspamming.
In this article, we’re going to look at exactly what it is – specifically in the context of mobile advertising.
So what is clickspamming
In its most general form, clickspamming when a publisher (generally an app) claims ad clicks without the knowledge of the actual device user.
On mobile, fraudsters do this in the hopes that the user will organically install an application later. If this happens, the fraudster can then claim a conversion on CPI. The user himself, though, not only didn’t interact with an advertisement, he didn’t even see one.
He was an organic acquisition that the fraudster is unjustly claiming to be a result of a (nonexistent) ad.
How it works
Clickspam originates in certain malicious mobile applications created by unscrupulous owners that want to make easy money.
These apps generally masquerade as a free utility or game, but in the background, they’re sending fake clicks. They send fraudulent on a wide variety of mobile ads in the hopes that the user will organically download and install an application for which it had reported an ad click.
These applications are either spamming clicks while the app itself is open or spamming in the background. Apps that run in the background are naturally more ideal for clickspamming.
This is because then they can click away whenever the phone is on, significantly increasing the potential to capture an organic installation.
The advertiser would then consider this click as having converted and the fraudster would receive a payment
So how do we stop it? Well, before we can stop it, we have to identify it.
CTIT
One of the critical metrics that allow for the identification of mobile Clickspam is CTIT, or Click To Install Time.
This measurement is essentially the conversion time, but for mobile. It’s the duration between the converting click and the actual installation of the application.
There are a few things that typically occur between clicking on an ad and the final installation.
When some clicks, the ad immediately redirects them to the app store. Here they might read the app description, look at the rating, and read various comments that previous users have left.
Then, upon deciding that the app looks like something they’re interested in, they hit install.
Now, the closing parameter of CTIT is not when they hit install, but rather when the installation is complete. So the download time will be included in the total CTIT, and a larger application will ipso facto have a longer CTIT.
These naturally longer CTITs are especially common in regions with lower mobile connection speeds.
The primary use of Click To Install Time is as a means of detecting fraud of several types. Namely Clickspam and Click I
So how exactly is CTIT used in fraud detection and prevention?
Identifying Clickspam
With Clickspam, the fraudulent publisher has a tiny, almost entirely random chance of capturing an organic install after reporting a click from the user.
This random chance of conversion capture means two things. First of
Since the user isn’t actually seeing an ad and isn’t clicking on it (whereupon he’d be taken directly to the app store to begin the download), the time between click and install can be very long.
Clickspam conversion CTIT also tends to form an even distribution when charted.
This constancy is the second way the CTIT is used to find clickspammers.
While a long CTIT in and of itself might be a bit suspicious, an even distribution of CTITs over time is an even more significant indicator Clickspam.
Normal CTIT distributions show around 70% of mobile app installs occurring within the first hour. The remaining 30% trickle off over the remaining 23 hours of the day.
Because Clickspam is based on random chance rather than on meaningful interaction with a user, its CTIT distribution is very flat. It’s as likely to “convert” in the 1st hour as it is in the 22nd.
By charting CTIT, it is relatively simple to identify clickspamming publishers. This kind of distribution is extremely unlikely to occur naturally, statistically speaking. In comparison to CTIT distributions from more honest publishers, clickspammers stand out.
Detection via conversion rate
Clickspamming depends on just that, spamming. This means that the volume of clicks is going to be very high, but since conversion depends on a small random chance, the number of conversions is going to very low.
So the conversion rate or CR, (conversions/clicks) x 100, is going to be extremely low for any subID that is sending you Clickspam.
Between evenly distributed but long-on-average CTIT and very, very low CR, we can identify Clickspam soon after collecting sufficient data.
But data sufficiency is paramount. If we only have a few data points, then we cannot judge if a CR is abnormally high or low, or if CTIT is unusually long.
Stopping Clickspam
Once we have identified a clickspamming subID, its IP address can be blacklisted. By banning the bad actor’s IP address, he is effectively cut out of the loop.
Generally, it is subIDs rather than entire publishers that get banned. This is because Clickspam fraud exists on practically every Ad Network and SSP. So, banning the whole network because some subIDs are fraudsters is a quick way to lose all your publishers.
By blacklisting on the subID level, we can keep the legitimate subIDs and cut out the bad.
Dealing with Clickspam as quickly as possible is particularly important for a couple of reasons. Beyond just saving you money, stopping clickspam also protects your data.
Why Clickspam is particularly damaging
There are several reasons that Clickspam is a particularly nefarious form of fraud.
For one thing, since the installs are organic, there is a high(er) likelihood that these individuals will become engaged users.
This apparent higher-than-average engagement could lead to advertisers placing more money on the Clickspam subIDs – inadvertently rewarding the publisher for conning them.
Another problem that arises with Clickspam is that it not only gives you fraudulent clicks, but also claims organic installs. This can have a seriously deleterious effect on your evaluation of organics.
Since Clickspam reduces the number of apparent organic installs, an advertiser will underestimate the effect of his branding campaigns and App Store Optimization.
Under the impression that these campaigns are not going as well as they actually are, an advertiser might make unfortunate decisions based on bad data.
Stopping Clickspam traffic both prevents you from paying fraudsters for your work and it protects your ability to analyze other aspects of your marketing.
But wait there’s more!
But C
Clickspam depends on a publisher sending out as many fraudulent clicks from as many users as possible in the hopes that he’ll capture an organic install. Click Injection does something else entirely.
With Click Injection, the fraudster waits until a user organically installs an application and then claims it.
How is that possible?
Well, on modern, up-to-date devices it’s usually not. But on older devices, especially older Android devices, it is.
Click Injection works like this:
The unsuspecting user installs an app from the app store. Upon pressing install, an already installed malicious app recognizes that one will soon begin downloading and immediately reports a click.
Naturally, since the user has already pressed the install button, it appears as a conversion shortly after.
We can identify click injection with statistics in two ways. Again, by looking at CR and CTIT.
Whereas the CR of a clickspammer is going to be extremely low, the CR of someone using Click Injection is going to be extremely high.
Likewise, while Clickspam results in abnormally long CTIT, Click Injection generally shows an improbably short CTIT.
Again, this is because Clickspam has a low, almost random chance of capturing an organic install. Click Injection, on the other hand, doesn’t fire until it already has an install to claim.
Click Injection can also result in the theft of conversions from real ad campaigns. If, for example, a user clicked on one of your legitimate ads with a different publisher, and he went on to install an hour later, this should be a conversion for said publisher.
But instead, the Click Injector steals the conversion, telling the advertiser that his ad was the last one that the user clicked on before downloading.
While Google has closed the most significant Click Injection exploits on Android, the problem has not gone away entirely.
How Mobinner protects you
Here at Mobinner, we take fraud protection extremely seriously.
For us, it is a matter of both reputation and customer service. To this end, we have endeavored to integrate state-of-the-art fraud protection into our platform to help our clients avoid Click Spam and Click Injection.
How’s this work?
We do this primarily by looking at the two metrics discussed above, Conversion Rate and Click To Install Time.
In our DSP dashboard, Advertisers can specify the parameters that they find acceptable. That means you’re able to set a minimum and maximum range for both CR and CTIT. By excluding long CTIT and extremely low CR, you cut off most Clikspam traffic.
Likewise, by setting a maximum CR and a minimum CTIT, you can significantly reduce Click Injection fraud.
This traffic and fraud are stopped through the blacklisting of specific publisher subIDs (specific sites, apps, etc.) that are statistically outside of your acceptable parameters.
A minimum number of conversions required is set before these limits take effect and start blocking subIDs. This way statistically sounds decisions can be be made regarding saidIDs.
In the beginning, good traffic can exist outside of the acceptable parameters, because it is still statistically insignificant and no real judgement can be made of its quality.
Last, but not least, we have a built-in post-bid anti-fraud system that prevents conversion confirmation postback to detected fraudsters.
At Mobinner, we’ve got your back when it comes to taking on mobile advertising fraud.
Conclusion
Fraud is a vast, ever-changing problem in the Online Advertising world. Because of this, the entire industry needs to be continually adapting to new threats as they arise.
Of these threats, Clickspam and (to a lesser extent) Click Insertion, are among the more prevalent. By understanding how this type of fraud works and how it manifests in statistics, we can ward it off.
Likewise working with a DSP that uses a high-quality fraud protection service, as Mobinner does, is a crucial step that advertisers can take to protect themselves from fraud.
Quick Recap
Clickspam is the mass fraudulent reporting of ad
Click Injection is when a a fraudster’s mobile application waits for the install button to be pressed at the app store. After the button is pressed, the malicious app hijacks the click and claims it as a successful conversion.
By looking at CR (Conversion Rate) and CTIT (Click To Install Time), we can determine which subIDs are likely to be sending us Clickspam or trying to hijack other clicks. After recognizing these sources, we can blacklist their subID IP addresses.
Remember:
Clickspam can be identified by very low CR and long CTIT. It also results in an even conversion CTIT distribution (whereas 70% of installs generally occur in the first hour with real ad engagement).
Click Insertion results in extremely high CR and almost impossibly low CTITs.
Mobinner is a High-Performance Demand-Side Platform that takes your security seriously. We work hard to grow your business and increase engagement, all the while protecting you from fraud.