Threat Definitions & Corresponding Traps

High Risk Threats

The following threats belong to the high risk category.


Trojan (TA)

Trojan Traffic is a high-risk threat raised for traffic from devices infected with a Trojan, where the source is suspected of initiating click-spam or view-spam attacks. Detection relies on pattern analysis of the traffic from the source, correlated with the source IP address and its historical behaviour.


Bot Network (BN)

Bot Network traffic refers to non-human traffic generated by global bot networks designed to mimic users and artificially inflate audience numbers. This high-risk threat is detected by identifying such bot-generated traffic.


Known Attack Sources (KAS)

Known Attack Sources is a high-risk threat detected by identifying traffic from IP addresses with a history of launching attacks on email-related services (POP3, IMAP, SMTP). These IP addresses are flagged due to their past malicious activities.


Empty Referrer (EREF)

Empty Referrer traffic is web traffic that arrives without a valid or identifiable referrer URL. It is detected by examining the Referer header of the HTTP request (the header name keeps its historical misspelling), which normally carries the URL of the originating page. A missing Referer is also produced legitimately, for example by typed or bookmarked navigation and by a strict Referrer-Policy, so on its own it is a weak signal.


Offscreen (OFS)

Offscreen traffic is characterized by ad impressions displayed outside the visible area of a user's device screen. This non-human traffic is detected as it does not represent genuine user engagement.


Fake Crawlers (FC)

Fake Crawlers are bots that masquerade as legitimate crawlers (e.g., Googlebot, Bingbot) to scrape content, inflate traffic and load servers. They are detected because their claimed identity does not verify: a genuine search-engine crawler's IP address resolves through reverse DNS to the operator's domain and the forward lookup of that hostname returns the same IP address, while an impostor fails one of those checks.
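The forward-confirmed reverse DNS check described above, written out as an added example (this is not the product's own detection code). The operator domains follow the verification guidance Google and Microsoft publish for their crawlers; the PTR and A tables are constructed stand-ins for real DNS lookups so the code runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for self-declared search-engine crawlers.

Added example. The DNS tables below are constructed stand-ins for real lookups;
production code would call socket.gethostbyaddr / socket.getaddrinfo instead.
"""
from typing import Callable, List, Optional

# Domains a genuine crawler's PTR record must fall under (published by the operators).
CRAWLER_DOMAINS = {
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR hostname, or None
ALookup = Callable[[str], List[str]]          # hostname -> list of A/AAAA addresses


def verify_crawler(ip: str, user_agent: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> str:
    """Classify one request as 'not_a_crawler', 'verified' or 'fake'."""
    claimed = next((name for name in CRAWLER_DOMAINS if name in user_agent), None)
    if claimed is None:
        return "not_a_crawler"
    hostname = ptr_lookup(ip)
    if not hostname:
        return "fake"  # genuine crawler IPs always carry a PTR record
    host = hostname.rstrip(".").lower()
    if not any(host == d or host.endswith("." + d) for d in CRAWLER_DOMAINS[claimed]):
        return "fake"  # PTR lands outside the operator's domain
    # Forward confirmation: anyone controlling a reverse zone can point a PTR at
    # googlebot.com, but only the operator's zone resolves that name back to the IP.
    if ip not in a_lookup(host):
        return "fake"
    return "verified"


# Constructed DNS tables (not live data).
PTR_TABLE = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com.",
    "198.51.100.9": "crawl-66-249-66-1.googlebot.com.",   # forged PTR in an attacker's reverse zone
    "203.0.113.7": "vps-7.hosting.example.",
}
A_TABLE = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "vps-7.hosting.example": ["203.0.113.7"],
}


def fake_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def fake_a(host: str) -> List[str]:
    return A_TABLE.get(host, [])


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for ip in ("66.249.66.1", "198.51.100.9", "203.0.113.7", "192.0.2.1"):
        print(ip, verify_crawler(ip, GOOGLEBOT_UA, fake_ptr, fake_a))
```

The second sample address is the interesting case: its PTR record says googlebot.com, which a naive reverse-DNS-only check would accept, but the forward lookup of that name does not return the connecting IP, so it is flagged as fake.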


Hidden IFrame (HVIF)

Hidden IFrame traffic occurs when pages are loaded within invisible iframes, complete with accurate user and browser attributes, to generate fraudulent ad impressions or clicks without user knowledge.


Data Center (DC)

Data Center traffic originates from servers in data centres or known cloud platforms rather than residential or corporate networks. This high-risk traffic does not involve real human users and is detected by its source.


Fake iPhone (FIPH)

Fake iPhone traffic involves activities originating from devices disguised as iPhones or using spoofed user agents. Detection involves analysing the authenticity of the device and its attributes.


Honey Trap (HI)

Honey Trap traffic is bot traffic caught by a honeypot: an ad element that is present in the page but invisible to a real user. Since a real user cannot see or interact with such an element, any click or impression recorded against it indicates automated activity attempting to inflate engagement metrics. Detection identifies these interactions and discards the resulting impressions and clicks.

Empty User Agent (EUA) 

Empty User Agent traffic involves HTTP requests where the user agent header field is empty, lacking information about the client or browser. The user agent string typically contains details about the device, browser, and operating system. An empty or missing user agent field may indicate an attempt to evade detection, anonymize requests, or perform automated scraping. Detection involves flagging such incomplete or suspicious requests for further analysis.

PhishTraffic (PLT)

PhishTraffic is traffic originating from phishing attacks, detected by analyzing data patterns and anomalies indicative of malicious intent. Phishing attempts often use deceptive websites, emails, or pop-ups to trick users into entering sensitive information. These attacks generate suspicious traffic that deviates from normal browsing behavior. Detection helps identify and block such traffic to protect users and systems from fraud.

Spoofed IP (SIP)

Spoofed IP traffic involves misrepresenting the source IP address of a request to disguise its true origin. Attackers use IP spoofing to bypass security measures, mask their location, or impersonate legitimate users; the technique is commonly associated with DDoS attacks, botnets, and fraud schemes. Note that for HTTP traffic the packet-level source address cannot be forged without breaking the TCP handshake, so what is typically observed is a declared client address (for example in an X-Forwarded-For header) that disagrees with the connecting address. Detection involves identifying such inconsistencies in IP address information, including mismatches between network parameters and reported geolocation.

Bad Domains (BD)

Bad Domains refer to websites associated with fraudulent activities. These domains may be involved in scams, phishing, malware distribution, or other deceptive practices. Fraudulent actors often create or use such domains to exploit users, steal information, or generate fake ad impressions. Detection involves identifying traffic from these known malicious domains and blocking interactions with them.

Dolt Bot (DBT)

Dolt Bot traffic involves spoofing the user agent string while keeping the same cookie ID. This is used to disguise automated activity as many different visitors while keeping session state consistent. A legitimate browser's user agent stays stable for the lifetime of its cookie, apart from version upgrades, so a single cookie ID that appears with several unrelated user agents is a strong indicator of automation. Detection involves identifying such discrepancies between the declared user agent and other session identifiers.

IPUA Spam (IPUA)

IPUA Spam refers to repeated interactions from the same IP address and user agent combination within a short timeframe. Detection involves monitoring the request rate and behavioural pattern of each such pair.

Spoofed Device ID Fraud for CTV (DIF)

Spoofed Device ID Fraud for CTV involves manipulating unique identifiers associated with CTV devices for fraudulent purposes. Detection involves identifying inconsistencies in device ID information.


Spoofed Bundle ID Fraud for CTV (BIF)

Spoofed Bundle ID Fraud involves manipulating the bundle identifier of an app to deceive ad networks and attribution platforms. Detection involves identifying discrepancies in bundle ID information.


Spoofed CTV Store URL (SSU)

Spoofed CTV Store URL refers to fraudulent URLs designed to mislead users about the legitimacy of CTV apps or content. Detection involves identifying inconsistencies in store URL information.


Store URL Missing for CTV (MSU)

Store URL Missing refers to the absence of a URL for a specific app store or online store in an advertisement. Detection involves flagging such missing URL information.


Non-Existent App for CTV (ANE)

Non-Existent App refers to apps that do not exist or are not available in legitimate app stores. Detection involves identifying traffic promoting such non-existent apps.


Domains without Ads.txt (NAD)

Domains without Ads.txt are websites that do not publish an ads.txt file, the IAB Tech Lab standard that lists the sellers authorised to sell a domain's inventory. Identification involves recognising such domains.

Error Domains (ERD)

Error Domains refer to categories of errors within a system that can lead to fraudulent activities. Detection involves identifying patterns of errors that may indicate fraud.


Injected Traffic (IJT)

Injected Traffic involves artificially generated or injected traffic to deceive or defraud. Fraudsters use various techniques to generate fake traffic, including automated scripts, malware, or hijacked browser sessions. This type of traffic can distort analytics, inflate ad impressions, and mislead advertisers. Detection involves identifying traffic manipulation patterns and filtering out non-genuine interactions.

Fake Declared UA (FUA)

Fake Declared UA refers to misleading user agent details. Identification involves recognizing inconsistencies in the provided information.


Manipulated Device Cores (TMC)

Manipulated Device Cores involve falsifying information about the number of CPU cores in a device. Some fraudulent activities involve modifying system attributes to disguise virtual machines, emulators, or low-resource environments as high-performance devices. Detection focuses on identifying discrepancies in reported and actual hardware specifications.

Accidental Clicks (ADC)

Accidental Clicks involve unintentional clicks on advertisements. Detection involves analysing patterns of accidental user behaviour.


Sub-categories

- Publishers clicking on their own ads

- Repeated ad clicks by users

- Publishers encouraging ad clicks

- Hidden or intrusive ads causing clicks

- Automated clicks by bots or click farms


Manipulated Device Memory (ITMM)

Manipulated Device Memory involves falsifying information about device memory. Detection involves identifying discrepancies in memory data.


Bot Farms (FRM)

Bot Farms refer to organized networks of bots used for fraudulent activities. Detection involves identifying patterns of coordinated bot activity.


Timezone Spoof (TZS)

Timezone Spoof occurs when there are inconsistencies in the reported timezone of a device. This is flagged when the system detects unusual timezone-related discrepancies.

Hidden IFrame (HVIF)

Hidden IFrame refers to ad placements that are present but not visibly accessible to users. Such instances are flagged to ensure transparency in ad visibility.

Active, Non-Readable (ANR)

Active, Non-Readable traffic includes impressions that are technically active but not actually visible to users. These are monitored and flagged to maintain ad engagement accuracy.

Invisible (IVSP)

Invisible traffic involves sources generating traffic from invisible frames. Detection involves identifying such hidden elements.


Invisible Chrome (IVSP1)

Invisible Chrome involves manipulating the Chrome browser to generate invisible ad impressions. Detection involves identifying such manipulation.


Invisible Edge (IVSP2)

Invisible Edge involves sources generating traffic from invisible frames in the Edge browser. Detection involves identifying such hidden elements.


Invisible Chrome Mobile (IVSP4)

Invisible Chrome Mobile involves manipulating the Chrome mobile browser to generate invisible ad impressions. Detection involves identifying such manipulation on mobile devices.


Invisible Samsung Browser (IVSP5)

Invisible Samsung Browser involves manipulating the Samsung Internet browser to generate invisible ad impressions. Detection involves identifying such manipulation.


In Page Invisible (IVSP6)

In Page Invisible refers to ad impressions that exist within a webpage but remain unseen by users. Such cases are flagged to ensure transparency in content display.

Out of View (OOV)

Out of View traffic originates from elements that are placed outside the visible screen area. These are flagged to ensure only genuine interactions are recorded.

Hidden (HID)

Hidden traffic refers to events triggered by elements that are not visibly present on the screen. Such instances are flagged.

Affiliate ID Switch Fraud (ASF)

This fraud pattern involves an affiliate starting the session with one affiliate ID on the home page but changing it to another ID before the transaction on the "Buy Now" page. This behaviour typically indicates deliberate ID manipulation to divert attribution or commission away from the original source.

Affiliate Hijacking Trap (AHT)

Detects whether any browser extension hijacks or injects its own affiliate code into a marketplace to defraud brands.

Crawler Bot (CB)

Crawler Bot traffic comes from automated systems designed to mimic user behaviour. These are monitored to distinguish between real users and automated interactions.

Too Many Cores - Safari (ITMC)

Too Many Cores - Safari involves manipulating the reported number of CPU cores in the Safari browser. Detection involves identifying discrepancies in device specifications.


Virtual Machine-Chrome (DVM2)

Virtual Machine-Chrome involves using virtual machines to emulate the Chrome browser for fraudulent ad impressions. Detection involves identifying such virtual environments.


Virtual Machine-Opera (DVM3)

Virtual Machine-Opera involves using virtual machines to emulate the Opera browser for fraudulent ad impressions. Detection involves identifying such virtual environments.


Virtual Machine-Edge (DVM4)

Virtual Machine-Edge involves using virtual machines to emulate the Edge browser for fraudulent ad impressions. Detection involves identifying such virtual environments.


Virtual Machine-Desktop (DVM5)

Virtual Machine-Desktop involves using virtual machines to emulate desktop operating systems for fraudulent ad impressions. Detection involves identifying such virtual environments.


Virtual Machine-Mobile (DVM6)

Virtual Machine-Mobile involves using virtual machines to emulate mobile operating systems for fraudulent ad impressions. Detection involves identifying such virtual environments.


Click Farm (CF)

Click Farm activity involves large-scale, coordinated interactions that artificially boost engagement. These patterns are monitored and flagged accordingly.

Invisible Screen (IVSC)

Invisible Screen refers to interactions where content is loaded, but not actually displayed to users. These instances are flagged to maintain transparency.

Headless Browser (HBAV)

Headless Browser interactions occur through browsers without a visible interface. These are monitored to differentiate between automated and real user activities.

IFrame (AVIF)

IFrame refers to content embedded from external sources within a webpage. These are assessed to distinguish between normal and suspicious behavior.

Popup (POPPS)

Popup refers to content appearing in separate or partially visible windows. These interactions are reviewed to ensure compliance with expected behaviour.

Spoofed Mobile App Store URL (ASSU)

Spoofed Mobile App Store URL refers to cases where app store links do not match expected sources. Such inconsistencies are flagged.

Referrer Mismatch (REMM)

Referrer Mismatch occurs when there are inconsistencies in the source information. These instances are flagged.

Tampered IP Address (TIPA)

Tampered IP Address refers to instances where the provided network information does not align with expected parameters. These are flagged for validation.

URL Parameter Spoofing (UPS)

This threat is identified when an affiliate appears to navigate from the home page through the normal purchase journey, but the URL parameters across steps do not match the original set from the home page. This suggests tampering or spoofing of parameters during the session to misattribute the source.

Invalid Viewport (IVV)

Invalid Viewport refers to irregular display settings that do not align with expected parameters. These are flagged for further assessment.

Masked IP (MSKIP)

Masked IP refers to discrepancies between reported and actual network details. These are flagged to ensure transparency in connection sources.

OffScreen (OFS)

OffScreen interactions occur when content is loaded outside the visible screen area. Such instances are flagged to ensure authenticity in engagement.

Non-Routable IPs (NRIP)

Non-Routable IPs involve traffic from IP addresses that cannot be reached through standard Internet routing, such as private (RFC 1918), loopback, link-local, multicast and other reserved or documentation ranges; none of these should appear as the public address of a real client. Detection involves identifying such invalid IP addresses.
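Client-address classification for the Non-Routable IP, Data Center and Host IP traps, together with the forwarded-address handling that the Spoofed IP caveat calls for, as an added example (not the product's detection code). The non-routable test relies on the standard library's ipaddress module; the data-centre prefix list and the trusted-proxy set are constructed placeholders, not a vetted provider feed.

```python
"""Client-IP source classification (added example).

ipaddress supplies the special-purpose range knowledge; DATA_CENTER_PREFIXES is a
constructed placeholder that a real deployment replaces with provider-published
ranges or an IP-intelligence dataset, refreshed regularly.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set

DATA_CENTER_PREFIXES = [ipaddress.ip_network(p) for p in ("5.9.0.0/16", "2a01:4f8::/32")]


def classify_client_ip(raw: str) -> str:
    """Return 'NRIP', 'DC', 'ok' or 'invalid' for one client address string."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "invalid"
    # NRIP: anything that can never be a public client: RFC 1918, loopback, link-local,
    # multicast, unspecified, documentation and other special-purpose ranges.
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global):
        return "NRIP"
    # DC / HOSTIP: routable, but belongs to a hosting provider rather than an access network.
    if any(ip in net for net in DATA_CENTER_PREFIXES):
        return "DC"
    return "ok"


def effective_client_ip(remote_addr: str, forwarded_for: str, trusted_proxies: Set[str]) -> str:
    """Pick the client address from the TCP peer and an X-Forwarded-For chain.

    Walk from the right, skipping only our own proxies; the first hop we do not
    control is the client. The leftmost value is client-supplied and must never be
    trusted on its own, which is how a 'spoofed IP' shows up in HTTP traffic.
    """
    chain = [h.strip() for h in forwarded_for.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(chain):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def classify_batch(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Group a batch of logged client addresses by trap code."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for raw in addresses:
        groups[classify_client_ip(raw)].append(raw)
    return dict(groups)


# Constructed sample of addresses as they might appear in a request log.
SAMPLE_ADDRESSES = [
    "10.1.2.3", "127.0.0.1", "169.254.10.1", "224.0.0.1", "0.0.0.0", "203.0.113.7",
    "::1", "fe80::1", "2001:db8::1",             # all non-routable
    "5.9.12.34", "2a01:4f8::1",                  # inside the placeholder hosting prefixes
    "93.184.216.34",                             # ordinary routable address
    "300.1.1.1", "not-an-ip",                    # unparsable
]
```

Note that the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are classed as non-routable by ipaddress, which is why the sample sets elsewhere on this page would themselves trip this trap.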


Invalid Top Level Domain (IVTLD)

Invalid Top Level Domain involves referrer or domain names with invalid TLDs. Detection involves identifying such invalid domain names.

Cookie Cutter (CUTT)

This trap is designed to flag instances where a single domain generates more than 10 subdomains, as observed in the purl/referer across any digital engagement platform, suggesting a mechanism potentially used to fabricate traffic.

Direct Buy Page Injection (DBPI)

This threat occurs when an affiliate redirects users directly to the "Buy Now" page without having an initial journey of buying the product, appending their affiliate ID to hijack organic users. Such behaviour indicates intentional manipulation to falsely attribute the sale to the affiliate.
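The three affiliate-journey traps (Affiliate ID Switch Fraud, URL Parameter Spoofing and Direct Buy Page Injection) reduce to checks over the ordered page views of one session. The following is an added example of those checks, not the product's code; the parameter names (aff, utm_source, utm_campaign), the page paths and the sample sessions are constructed for illustration.

```python
"""Session-journey checks for affiliate attribution abuse (added example).

Parameter names, paths and the session samples are constructed for illustration;
real programmes use their own affiliate and tracking parameter names.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

AFFILIATE_PARAM = "aff"                          # hypothetical affiliate-ID parameter
TRACKED_PARAMS = ("utm_source", "utm_campaign")  # parameters expected to stay constant
HOME_PATH = "/"
BUY_PATH = "/buy-now"


def _step(url: str) -> Tuple[str, Dict[str, str]]:
    """(path, {param: first value}) for one page view."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path or "/", params


def analyse_session(page_urls: List[str]) -> List[str]:
    """Return the trap codes triggered by one session's page views, in visit order."""
    if not page_urls:
        return []
    steps = [_step(u) for u in page_urls]
    flags: List[str] = []

    # DBPI: the session opens directly on the buy page already carrying an affiliate ID,
    # i.e. the user was deep-linked there to claim an organic sale.
    first_path, first_params = steps[0]
    if first_path == BUY_PATH and AFFILIATE_PARAM in first_params:
        flags.append("DBPI")

    home_idx = next((i for i, (p, _) in enumerate(steps) if p == HOME_PATH), None)
    buy_params = next((q for p, q in steps if p == BUY_PATH), None)
    if home_idx is None:
        return flags
    home_params = steps[home_idx][1]

    # ASF: affiliate ID on the home page differs from the one on the buy page.
    home_aff = home_params.get(AFFILIATE_PARAM)
    buy_aff = buy_params.get(AFFILIATE_PARAM) if buy_params else None
    if home_aff and buy_aff and home_aff != buy_aff:
        flags.append("ASF")

    # UPS: a tracking parameter set on the home page reappears later with a different value.
    baseline = {k: home_params[k] for k in TRACKED_PARAMS if k in home_params}
    for _, params in steps[home_idx + 1:]:
        if any(k in params and params[k] != v for k, v in baseline.items()):
            flags.append("UPS")
            break
    return flags


# Constructed sessions (ordered page views).
SESSIONS = {
    "honest": ["https://shop.example/?aff=A1&utm_source=blog",
               "https://shop.example/product/42?aff=A1&utm_source=blog",
               "https://shop.example/buy-now?aff=A1&utm_source=blog"],
    "id_switch": ["https://shop.example/?aff=A1",
                  "https://shop.example/product/42?aff=A1",
                  "https://shop.example/buy-now?aff=B7"],
    "direct_buy": ["https://shop.example/buy-now?aff=B7"],
    "param_spoof": ["https://shop.example/?aff=A1&utm_source=blog&utm_campaign=spring",
                    "https://shop.example/product/42?aff=A1&utm_source=blog&utm_campaign=spring",
                    "https://shop.example/buy-now?aff=A1&utm_source=paid&utm_campaign=spring"],
}
```

The UPS check deliberately ignores later steps that simply drop a tracking parameter, since many sites stop carrying campaign parameters once the visitor is inside the funnel; it only fires when a parameter comes back with a different value.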

Fingerprint Alert: Diverse IPs (SFM)

This trap is triggered when the same device identifier interacts from different IPs. It helps in identifying unusual activity patterns within a 24-hour period.

Fingerprint Blitz (HF5R)

This trap is triggered when a device identifier is accessed multiple times in a very short span. It helps in detecting unusually high interaction frequencies.

Multi-Fingerprint IP Alert (SIM)

This alert is triggered when multiple unique device identifiers are observed from the same IP. It helps in detecting patterns of unusual activity within 24 hours.

Multi-UA Identity Alert (SFMU)

This trap is triggered when different user agents are associated with the same device identifier. It helps in detecting inconsistencies in user behavior within a 24-hour period.

Device Identity Integrity Monitor (SID)

This trap is triggered when the same device identifier and IP appear with different user agents. It helps in detecting potential anomalies over a 24-hour window.

Geo-Fingerprint Risk Alert (SXY5)

This trap is triggered when repeated interactions originate from the same device identifier and location. It helps in identifying potential risk patterns within a 5-hour period.
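The fingerprint alerts above (SFM, SIM, SFMU, SID) are all the same computation with different keys: count the distinct values of one attribute seen for one identifier inside a sliding time window and compare against a threshold. The block below is an added example of that computation, not the product's code; the thresholds are hypothetical (the page does not state the real ones), the event sample is constructed, and keying on cookie ID instead of device ID gives the Dolt Bot check from earlier on the page.

```python
"""Sliding-window identity correlation over request events (added example).

Thresholds and the event sample are constructed; the page does not state the
real thresholds.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Callable, Hashable, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    device_id: str
    ip: str
    ua: str


def keys_over_threshold(events: List[Event], key_fn: Callable[[Event], Hashable],
                        value_fn: Callable[[Event], Hashable],
                        window: timedelta, threshold: int) -> Set[Hashable]:
    """Keys that see more than `threshold` distinct values inside any `window`-long span."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[key_fn(e)].append(e)
    flagged = set()
    for key, evs in by_key.items():
        in_window: Counter = Counter()   # distinct values currently inside the window
        start = 0
        for end, e in enumerate(evs):
            in_window[value_fn(e)] += 1
            while evs[end].ts - evs[start].ts > window:   # slide the left edge forward
                old = value_fn(evs[start])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                flagged.add(key)
                break
    return flagged


DAY, HOUR = timedelta(hours=24), timedelta(hours=1)
TRAPS = {   # code: (key, value, window, threshold); thresholds are hypothetical
    "SFM":  (lambda e: e.device_id, lambda e: e.ip, DAY, 3),          # one device, many IPs
    "SIM":  (lambda e: e.ip, lambda e: e.device_id, DAY, 5),          # one IP, many devices
    "SFMU": (lambda e: e.device_id, lambda e: e.ua, DAY, 1),          # one device, several UAs
    "SID":  (lambda e: (e.device_id, e.ip), lambda e: e.ua, DAY, 1),  # device+IP, several UAs
    "SBF":  (lambda e: e.ip, lambda e: e.ua, HOUR, 3),                # one IP cycling UAs fast
}


def evaluate(events: List[Event]):
    """Run every trap and return {code: set of flagged keys}."""
    return {code: keys_over_threshold(events, k, v, w, t) for code, (k, v, w, t) in TRAPS.items()}


T0 = datetime(2024, 1, 1)


def at(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)


SAMPLE_EVENTS = [   # constructed
    # dev-A: four IPs, but spread over 30 h, so never more than three inside any 24 h
    Event(at(0), "dev-A", "192.0.2.1", "UA-1"), Event(at(10), "dev-A", "192.0.2.2", "UA-1"),
    Event(at(20), "dev-A", "192.0.2.3", "UA-1"), Event(at(30), "dev-A", "192.0.2.4", "UA-1"),
    # dev-D: four IPs inside three hours -> SFM
    Event(at(0), "dev-D", "192.0.2.11", "UA-1"), Event(at(1), "dev-D", "192.0.2.12", "UA-1"),
    Event(at(2), "dev-D", "192.0.2.13", "UA-1"), Event(at(3), "dev-D", "192.0.2.14", "UA-1"),
    # one IP, six device IDs within an hour -> SIM
    *[Event(at(i / 6), f"farm-{i}", "198.51.100.5", "UA-1") for i in range(6)],
    # dev-B: same IP, user agent changes between requests -> SFMU and SID
    Event(at(5), "dev-B", "203.0.113.9", "UA-1"), Event(at(6), "dev-B", "203.0.113.9", "UA-2"),
    # one IP rotating five user agents in ten minutes -> SBF
    *[Event(at(8 + i / 30), f"rot-{i}", "198.51.100.77", f"UA-rot-{i}") for i in range(5)],
]
```

The dev-A rows show why the window matters: four addresses over 30 hours is ordinary roaming, and the two-pointer scan never holds more than three of them at once.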

Adult Traffic (ADT)

Adult Traffic involves traffic from adult sources. Detection involves identifying such sources.


Gambling Traffic (BSGAM)

Gambling Traffic involves traffic from gambling sources. Detection involves identifying such sources.


Online Piracy (BSOP)

Online Piracy involves traffic from pirated sources. Detection involves identifying such sources.


Terrorism (BSTRR)

Terrorism involves traffic from terror-related sources. Detection involves identifying such sources.


Arms and Ammunition (BSAAA)

Arms and Ammunition involves traffic from arms and ammunition sources. Detection involves identifying such sources.


Societal Crimes (BSSC)

Societal Crimes involves traffic related to crime and harmful acts. Detection involves identifying such sources.


Combat Fatalities (BSCF)

Combat Fatalities involves traffic from death, injury, or military conflict sources. Detection involves identifying such sources.


Malicious Spam (BSMS)

Malicious Spam involves traffic from spam or harmful content. Detection involves identifying such sources.


Obscene Profanity (BSOBP)

Obscene Profanity involves traffic from sources with obscenity and profanity. Detection involves identifying such sources.


Regulated Items (BSRI)

Regulated Items involves traffic from activities involving illegal drugs, tobacco, e-cigarettes, and alcohol. Detection involves identifying such sources.


Sensitive Topics (BSST)

Sensitive Topics involves traffic from sources involving debated sensitive social issues. Detection involves identifying such sources.


Intolerant Behaviour (BSIB)

Intolerant Behaviour involves traffic from sources involving hate speech and aggression. Detection involves identifying such sources.


Gibberish (GIBB)

Flagged when a Bid URL contains excessive random text, making it difficult to identify its original source. Such URLs are considered high risk due to their lack of transparency.


Overflow Domain (OFDO)

Flagged when a Bid URL is unusually long, which may indicate abnormal behavior or inconsistencies.

Host Exclusion (LOCH)

Flagged when traffic originates from restricted or excluded host environments.

Sandbox Environment (SBOX)

Flagged when an impression is rendered in an environment that limits external tracking or operates under restricted conditions.


Duplicate Click ID (DCID) 

Flagged when multiple instances of traffic share the same Click ID, indicating potential inconsistencies or anomalies.


Mouse Movement Penalties (MMV)  (New)

This trap flags uninterrupted mouse movements without pauses or randomness. In natural user behavior, mouse movements tend to have minor variations, pauses, and irregular patterns. Consistently smooth or automated movements suggest scripted interactions, bot activity, or emulated user actions. Detection involves analyzing movement data to distinguish real users from automated scripts.


Static Clicking (SCK)  (New)

This trap flags multiple sequential clicks occurring without cursor displacement. In normal usage, users typically move the cursor between clicks, even slightly. If clicks are detected in rapid succession at the exact same location, it may indicate automation, bot-generated traffic, or fraudulent user engagement. Detection helps prevent click fraud and non-human interactions.

Consistent Mouse Speed (CMS)  (New)

This trap flags instances of sustained, uniform cursor speed across multiple interactions. Real users exhibit variations in mouse movement speed, while automated scripts or bots often maintain a steady, unnatural pace. Identifying and flagging such behavior helps prevent fraudulent activities that attempt to simulate real user interactions.

Identical Click Intervals (ICK)  (New)

This trap flags instances where click timing remains unnaturally uniform. Human interactions typically have some level of randomness in click timing. When clicks occur at perfectly spaced intervals, it suggests automation or bot activity. Detection focuses on recognizing these patterns and preventing artificially generated clicks.

Repetitive Click Locations (RCL)  (New)

This trap flags instances where a significant portion of clicks occur at the same location. Natural users tend to click in varied areas of a page or interface, whereas bots or fraudulent scripts may repeatedly click in a single spot to manipulate engagement metrics. Detection helps identify and mitigate click fraud.

No Mouse Movement Streak (NOM)  (New)

This trap flags instances of multiple consecutive actions performed without corresponding mouse activity. Typically, users navigate interfaces by moving the mouse or touch input before interacting. When interactions occur without any movement, it may indicate automation, macros, or non-human interactions. Detection prevents fraudulent engagement patterns.
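The pointer-behaviour traps above (Consistent Mouse Speed, Identical Click Intervals, Repetitive Click Locations, Static Clicking, No Mouse Movement Streak) can all be evaluated server-side over the pointer and click events a page collects. The block below is an added example of that evaluation, not the product's scoring logic; the two event traces are constructed and every threshold is a hypothetical tuning value.

```python
"""Pointer-behaviour traps evaluated over collected input events (added example).

The event streams below are constructed, and every threshold is a hypothetical
tuning value; the page does not state the real ones. Events are (t_ms, x, y).
"""
import math
from collections import Counter
from typing import List, Set, Tuple

Sample = Tuple[int, int, int]   # (timestamp in ms, x, y)

# Hypothetical thresholds
SPEED_CV_MAX = 0.05        # CMS: pointer speed barely varies
INTERVAL_CV_MAX = 0.02     # ICK: click spacing barely varies
SAME_SPOT_SHARE = 0.5      # RCL: half of all clicks land on one point
STATIC_RUN = 3             # SCK: consecutive clicks on exactly the same point
NO_MOVE_WINDOW_MS = 500    # NOM: no pointer sample this long before a click
NO_MOVE_STREAK = 3


def coefficient_of_variation(values: List[float]) -> float:
    """std / mean; inf when there is too little data to judge."""
    if len(values) < 2:
        return math.inf
    mean = sum(values) / len(values)
    if mean == 0:
        return 0.0
    variance = sum((v - mean) ** 2 for v in values) / len(values)
    return math.sqrt(variance) / mean


def segment_speeds(moves: List[Sample]) -> List[float]:
    """Pixels per millisecond between consecutive pointer samples."""
    out = []
    for (t0, x0, y0), (t1, x1, y1) in zip(moves, moves[1:]):
        if t1 > t0:
            out.append(math.hypot(x1 - x0, y1 - y0) / (t1 - t0))
    return out


def behaviour_traps(moves: List[Sample], clicks: List[Sample]) -> Set[str]:
    """Return the set of trap codes a session's pointer and click events trigger."""
    flags: Set[str] = set()
    if coefficient_of_variation(segment_speeds(moves)) < SPEED_CV_MAX:
        flags.add("CMS")
    intervals = [b[0] - a[0] for a, b in zip(clicks, clicks[1:])]
    if len(intervals) >= 3 and coefficient_of_variation(intervals) < INTERVAL_CV_MAX:
        flags.add("ICK")
    if len(clicks) >= 5:
        _, most_common = Counter((x, y) for _, x, y in clicks).most_common(1)[0]
        if most_common / len(clicks) >= SAME_SPOT_SHARE:
            flags.add("RCL")
    run = 1                                   # SCK: same coordinates, click after click
    for a, b in zip(clicks, clicks[1:]):
        run = run + 1 if a[1:] == b[1:] else 1
        if run >= STATIC_RUN:
            flags.add("SCK")
            break
    move_times = [t for t, _, _ in moves]     # NOM: clicks with no preceding movement
    streak = 0
    for t, _, _ in clicks:
        moved = any(t - NO_MOVE_WINDOW_MS <= mt < t for mt in move_times)
        streak = 0 if moved else streak + 1
        if streak >= NO_MOVE_STREAK:
            flags.add("NOM")
            break
    return flags


# Constructed traces. The bot moves 5 px every 20 ms in a straight line, then
# clicks the same point once a second without moving again.
BOT_MOVES = [(20 * i, 100 + 5 * i, 200) for i in range(20)]
BOT_CLICKS = [(1000 * i, 300, 200) for i in range(1, 7)]
# The human trace has uneven timing and distances and moves before every click.
HUMAN_MOVES = [(0, 10, 10), (35, 18, 14), (60, 31, 22), (110, 33, 23), (140, 52, 40),
               (200, 80, 61), (230, 84, 63), (300, 120, 90), (900, 200, 150),
               (1100, 338, 209), (2700, 340, 200), (2850, 340, 212), (3900, 150, 380),
               (4050, 98, 400)]
HUMAN_CLICKS = [(320, 120, 90), (1150, 338, 209), (2900, 340, 212), (4100, 98, 400)]
```

Each trap only fires once there are enough events to judge (three intervals, five clicks), which keeps short legitimate sessions from being scored on a couple of samples.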

Hidden Page Click (HPC)  (New)

This trap triggers when a click is detected while the page is not visible. Fraudulent scripts and hidden ad interactions can trigger clicks even when the user isn’t actively viewing the page. Detection focuses on ensuring that interactions occur within visible, user-accessible elements, reducing fraudulent ad clicks and engagement.

Shadow Typing (SHT)  (New)

This trap flags keyboard interactions that occur with hidden or non-visible elements. In normal interactions, users type into visible fields. Automated scripts and fraudulent activities may generate keystrokes in invisible input fields for data manipulation or bot operations. Detection ensures that interactions align with expected visibility and usage patterns.

Host IPs (HOSTIP)  (New)

This detection method identifies IP addresses associated with hosting servers rather than end-user devices. Hosting IPs are often used by bots, proxies, and automated services, rather than legitimate human users. Detection helps differentiate between genuine traffic and automated interactions from data centers or server farms.

Parked Domains (PRKD)  (New)

A parked domain is a registered domain that isn't actively used for a website but may display ads, a placeholder, or redirect to another site. These domains are sometimes exploited for fraudulent activities, phishing attempts, or domain squatting. Detection helps prevent engagement with such inactive or suspicious domains.

Emulated Device (RTD)  (New)

This trap flags devices marked as physical but exhibiting signs of emulation or resource limitations. Emulated environments often mimic real devices but fail to replicate key behavioral metrics, such as hardware capabilities and device-specific attributes. Detection helps identify fraudulent activities originating from virtualized or spoofed environments.

Invisible Ads (INVAD)  (New)

This trap flags detection requests as suspicious if triggered with the screen off or the app running in the background. Advertisers expect user engagement with visible ads, but fraudulent schemes may load ads in hidden views to inflate impressions. Detection prevents counting such non-visible interactions as legitimate ad views.

No Active Hardware (NAH)  (New)

This trap flags devices that report no battery present. Real mobile devices normally report battery status as part of system telemetry, so its absence suggests a virtual machine, a server-based environment, or an automated system simulating user activity. Detection helps differentiate genuine devices from emulated ones.

Fake Location Data (FLD)  (New)

The system cross-checks GPS data with network IP geolocation and detects impossible travel speeds between reported locations. If a device appears to move across vast distances in an unrealistically short period, it suggests location spoofing or manipulation. Detection prevents fraudulent geolocation data from affecting tracking systems.
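The two checks described above, the GPS-versus-IP-geolocation comparison and the impossible-travel speed test, carried through as an added example (not the product's implementation). The coordinates and timestamps are constructed, and both thresholds are hypothetical.

```python
"""Fake-location checks: GPS vs IP geolocation and impossible travel (added example).

Coordinates and timestamps are constructed; both thresholds are hypothetical.
"""
import math
from datetime import datetime, timedelta
from typing import List, NamedTuple, Set

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0        # hypothetical: faster than any airliner
MAX_GPS_IP_GAP_KM = 500.0     # hypothetical: IP geolocation is coarse, so allow slack


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


class Fix(NamedTuple):
    ts: datetime
    gps_lat: float      # reported by the device
    gps_lon: float
    ip_lat: float       # geolocation of the connecting IP address
    ip_lon: float


def fake_location_flags(fixes: List[Fix]) -> List[Set[str]]:
    """Per fix, the FLD reasons it triggers (empty set when it looks consistent)."""
    result: List[Set[str]] = []
    prev = None
    for cur in fixes:
        reasons: Set[str] = set()
        if haversine_km(cur.gps_lat, cur.gps_lon, cur.ip_lat, cur.ip_lon) > MAX_GPS_IP_GAP_KM:
            reasons.add("gps_ip_mismatch")
        if prev is not None:
            dist = haversine_km(prev.gps_lat, prev.gps_lon, cur.gps_lat, cur.gps_lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # zero or negative elapsed time with a non-zero displacement is also impossible
            if dist > 0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
                reasons.add("impossible_travel")
        result.append(reasons)
        prev = cur
    return result


LONDON, PARIS, NEW_YORK = (51.5074, -0.1278), (48.8566, 2.3522), (40.7128, -74.0060)
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_FIXES = [   # constructed
    Fix(T0, *LONDON, *LONDON),                                    # consistent
    Fix(T0 + timedelta(hours=1), *PARIS, *PARIS),                 # ~344 km in 1 h: plausible
    Fix(T0 + timedelta(hours=1, minutes=30), *NEW_YORK, *PARIS),  # GPS says New York, IP still Paris
    Fix(T0 + timedelta(hours=2), *NEW_YORK, *NEW_YORK),           # consistent again
]
```

The third fix trips both reasons at once: the device claims a position far from where its connection geolocates, and reaching that position from the previous fix would have required several times the speed of an airliner.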

Ad Refresh Abuse (ARA)  (New)

The system tracks ad refresh rates and identifies apps with unusually high ad request frequencies. Normal user behavior results in ad requests at expected intervals, but fraudulent applications may excessively refresh ads to artificially boost impressions and revenue. Detection ensures fair advertising practices by flagging such excessive refresh activity.

Fake Installations (FINS)  (New)

This trap detects devices with identical fingerprints and monitors bulk installs from single IP ranges. Fraudulent practices involve mass installations of apps from controlled environments to manipulate rankings and advertising metrics. Detection helps prevent fake installs and ensures app distribution data remains accurate.

Device Installations (NOAPP)  (New)

This trap flags traffic received from a device with no SDK installed. For certain tracking and security measures, applications rely on SDKs to verify device integrity. Traffic from devices missing the expected SDKs may indicate tampering, automation, or fraud attempts. Detection ensures authenticity in reported device activity.

Screen Session Off (SOFF)  (New)

This trap flags traffic received from a device with no active screen. In real user behavior, interactions occur while the screen is active. If traffic is detected when the screen is off, it suggests automated processes, background activity, or fraudulent interactions. Detection helps prevent misleading engagement metrics.

Session End (ANACT)  (New)

This trap flags traffic received from a device with no active user session. Sessions are expected to be tied to real user activity, and traffic generated without an associated session may indicate automation, bot activity, or fraudulent engagements. Detection ensures interactions align with expected user behavior.

UUID Mismatch (SSUD)  (New)

This trap flags cases where the UUID (unique user identifier) changes more than five times with the same serial number. Such inconsistencies suggest an emulator or bot farm attempting to cycle through multiple identities to bypass detection. Monitoring UUID stability helps identify and mitigate fraudulent activities.

Bot Driven Emulation (EIPH)  (New)

This trap flags instances of high IP change frequency. Frequent IP cycling is often used to bypass tracking, avoid detection, or manipulate geo-based restrictions. Detection prevents fraudulent activities that rely on rapid IP switching to simulate diverse user interactions.

Super Click Fraud (SCLF)  (New)

This trap refers to a high-risk fraud pattern where the same IP address is flagged across multiple ad networks for engaging in fraudulent click activity. This indicates a coordinated fraudulent operation, where malicious actors attempt to manipulate ad performance metrics by generating excessive or invalid clicks across different platforms.

Super IP Reuse (SIRU)  (New)

If the same IP is linked to multiple user agents within a short time, it gets flagged. This behaviour is commonly associated with automation tools, shared proxies, or malicious actors attempting to mask their identity. The system detects and flags such instances to prevent potential fraudulent or suspicious activities.

Super Bot Farm (SBF)  (New)

If an IP quickly switches between multiple user agents, it gets flagged. This pattern is typically seen in large-scale bot operations where multiple identities are cycled through a single IP address. Such activity is indicative of bot farms attempting to bypass security mechanisms or perform automated actions at scale.

Super Track Masker (STMA)  (New)

If a domain quickly changes IPs, it gets flagged. Rapid IP switching may indicate attempts to evade detection, hide true hosting locations, or manipulate tracking mechanisms. This behaviour is commonly observed in malicious domains, phishing sites, and proxy-based obfuscation techniques, although CDN-fronted and load-balanced sites also rotate addresses legitimately, so the trap is weighed against the domain's other signals.

UA Spoof (UAS)  (New)

If the declared user agent does not match the other details of the request, it gets flagged. User agent spoofing is often used to disguise the real identity of a device or browser, a tactic frequently employed by bots, scrapers, and fraudsters. The system monitors these inconsistencies to identify and mitigate suspicious traffic.

User Botnet (UBN)  (New)

This trap detects suspicious activity by flagging IPs that frequently change User-Agent details, indicating bots, automation, or fraud.

Cookie Cutter (CUTT1K)  (New)

If more than 1000 subdomains of a single domain are observed in any page URL or referer, the domain is flagged for fake traffic.

System Invalid Port (SIPT)  (New)

This trap is triggered when a service or user attempts to access a port not considered standard or registered.


Medium Risk Threats

The following threats belong to the medium risk category.



Invalid Port (IPT)

Invalid Port traffic involves incoming traffic from ports not typically used for advertising transactions. Most advertising-related traffic follows predefined network ports, and any deviation from this norm may indicate unauthorized or suspicious activity. Detection focuses on identifying and flagging such anomalies to prevent fraudulent access and maintain network security.

Notorious Domains (NDL)

Notorious Domains refer to domains with a history of generating high invalid traffic. These domains are often associated with fraudulent activities such as bot-driven clicks, ad manipulation, or deceptive content. Detection relies on analyzing historical data to flag and block such domains, preventing potential ad fraud.

Majestic Domains (MD)

Majestic Domains involve traffic originating from domains that are categorized as high-risk or suspicious. These domains may be flagged based on previous patterns of non-compliant behavior, security vulnerabilities, or fraudulent activity. Detection involves identifying and blocking traffic from such domains to maintain integrity.

Click Spam 30 (CS30)

Click Spam 30 involves the detection of click spamming activity with a severity rating of 30%. Click spam occurs when excessive or artificial clicks are generated, often by bots or automated scripts, to inflate engagement metrics. The system monitors and flags such traffic to ensure fair and accurate advertising performance.

Click Spam HR (CS60)

Click Spam HR represents a higher level of click spamming activity, with a severity rating of 60%. A higher severity score indicates more aggressive fraudulent behavior, often aimed at distorting campaign data or extracting financial gains through illegitimate clicks. Detection focuses on identifying and mitigating such high-risk activities.


Pop under (POPUD)

Pop-under ads open beneath the active browser window, making them less intrusive but still capable of driving engagement. While some legitimate advertising campaigns use pop-unders, they are also associated with deceptive or spammy ad practices. Detection focuses on identifying and flagging traffic from sources relying heavily on such advertising methods.

Background (BGV)

Background traffic originates from hidden frames, embedded scripts, or invisible elements on a webpage. This type of traffic can be used to manipulate impressions, clicks, or ad interactions without user awareness. Detection involves analyzing page behavior to identify and flag such suspicious activity.

Full Screen Inactive (FSAS)

Full Screen Inactive traffic is generated when users remain inactive while a full-screen ad or webpage is displayed. This behavior may indicate automated processes, non-human traffic, or deceptive engagement tactics. The system detects and flags such instances to maintain authentic user interactions.

HTTP-only Traffic (HTON)

This trap is triggered if the bid URL is not secure and uses an HTTP schema instead of HTTPS. Secure protocols (HTTPS) are essential for protecting user data and preventing attacks like man-in-the-middle interception. Detection involves monitoring for non-secure connections and flagging them for potential security risks.

Length of Hostname (LOLE)

If the hostname is unusually long, it gets flagged. Excessively long hostnames can be indicative of suspicious activity, such as obfuscated command-and-control (C2) servers, malware-generated domains, or DNS tunnelling techniques used for covert communication.

Prefix in Hostname (HPRF)

If a hostname is too long or doesn't follow the expected pattern, it gets flagged. Certain naming conventions are expected in legitimate domain structures, and deviations from these patterns may suggest suspicious or automated behavior, such as mass-generated subdomains for malicious campaigns.

IP Domain (IPD)

This detection method identifies domain names that contain an IP address instead of a traditional domain name. Domains structured with IP addresses are often associated with phishing, malware distribution, or other deceptive practices. The system flags such domains to prevent exposure to harmful content.
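The four traps above that look only at the bid URL (HTTP-only Traffic, Length of Hostname, Prefix in Hostname and IP Domain) can be expressed as one classifier. The block below is an added example written for this page, not the product's own code: the hostname length limit, the label length limit and the "mostly digits" heuristic used for the expected-pattern check are assumptions, since the page states no thresholds, and the sample bid URLs are constructed from documentation address ranges.

```python
"""Added example for the HTON, LOLE, HPRF and IPD traps. Illustrative code
written for this page, not the vendor's implementation; the thresholds and the
label heuristic are assumptions and the sample URLs are constructed."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

MAX_HOSTNAME_LEN = 64   # LOLE threshold: assumed value, the page gives none
MAX_LABEL_LEN = 24      # HPRF: labels longer than this are treated as unexpected (assumed)
LABEL_CHARS = re.compile(r"[a-z0-9-]+")


def _is_ip_literal(host: str) -> bool:
    """IPD: True when the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _label_suspicious(label: str) -> bool:
    """HPRF heuristic (assumed): an empty or over-long label, characters that do not
    belong in a hostname, or a label that is mostly digits, as mass-generated
    subdomains often are."""
    if not label or len(label) > MAX_LABEL_LEN:
        return True
    if not LABEL_CHARS.fullmatch(label):
        return True
    digits = sum(ch.isdigit() for ch in label)
    return digits > len(label) // 2


def check_bid_url(url: str) -> list:
    """Return the trap codes triggered by one bid URL (empty list = clean)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    traps = []
    if parts.scheme == "http":          # HTON: plain HTTP instead of HTTPS
        traps.append("HTON")
    if len(host) > MAX_HOSTNAME_LEN:    # LOLE: unusually long hostname
        traps.append("LOLE")
    if _is_ip_literal(host):            # IPD: IP address in place of a domain name
        traps.append("IPD")
    elif any(_label_suspicious(label) for label in host.split(".")):  # HPRF
        traps.append("HPRF")
    return traps


# Constructed sample bid URLs (RFC 5737 / RFC 3849 addresses, RFC 2606 names).
SAMPLE_URLS = [
    "https://www.example.com/ad?cid=1",
    "http://www.example.com/ad?cid=2",
    "https://192.0.2.10/landing",
    "https://[2001:db8::1]/landing",
    "https://" + "a" * 70 + ".example.net/",
    "https://9f3k2p1q7.example.org/",
]


def classify(urls):
    """Map each URL to the list of trap codes it triggers."""
    return {u: check_bid_url(u) for u in urls}


if __name__ == "__main__":
    for url, traps in classify(SAMPLE_URLS).items():
        print(f"{','.join(traps) or 'clean':<12} {url[:60]}")
```

A hostname that is an IP literal skips the pattern check, because its numeric labels would otherwise also trip HPRF and double-count the same observation; the two traps report different things and should stay distinct.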

No Sellers (NOSLR) (New)

This trap is triggered when the sellers.json file is missing. The sellers.json file is a transparency standard used in programmatic advertising to verify the legitimacy of sellers. If this file is absent, it raises concerns about the authenticity of the traffic source, prompting a flag for further investigation.

Ad Click Spam (ACS) (New)

If a user's request rate is too high, it gets flagged. Excessive request activity can indicate automated scripts attempting to manipulate advertising metrics, generate fraudulent clicks, or artificially inflate engagement numbers. The system detects and prevents such fraudulent activities to protect ad integrity.

Ad Hijacking (ADHJ) (New)

The system monitors unusual network activity and tracks battery and data usage anomalies. Ad hijacking involves malicious software that redirects users to unintended ads, leading to revenue fraud and user exploitation. The system detects patterns indicative of unauthorized ad placements or hidden redirects.

Device Stationary (SDEV) (New)

This trap flags traffic from devices without the required software. Certain applications require specific software or hardware configurations for authentication. When traffic originates from devices that fail to meet these requirements, it may indicate an emulator, virtual machine, or other forms of manipulation.

Device Battery Removed (NBAT) (New)

This trap flags traffic received from a device that does not report battery status. Normally, devices provide battery-related telemetry as part of their system data. The absence of this information may indicate the use of virtual machines, server-based automation, or emulated environments designed to mimic real user behavior. Such anomalies are often linked to fraudulent activities, automated scripts, or bot-driven traffic. Detection focuses on identifying and flagging these inconsistencies to ensure the authenticity of device interactions.

VPN Based Emulation (EIPM) (New)

Frequent IP changes over a short period get flagged. VPN-based emulation allows users to cycle through multiple IPs rapidly, often to bypass geo-restrictions, automate fraudulent activities, or obscure their real location. The system detects such behaviour to prevent unauthorized access or abuse.

DNS Failure (DNSF) (New)

A DNS failure occurs when a domain name can't be resolved, preventing access to a website or service. This can indicate misconfigured DNS settings, expired domains, or domains taken down due to malicious activities. Monitoring DNS failures helps in detecting potential security threats and connectivity issues.

Redirection Domain (REDD) (New)

A redirection domain is a domain that automatically forwards visitors to another domain or URL. When users attempt to access a redirected domain, they are immediately redirected to the target website. All such instances are flagged.


Low Risk Threats

The following threats belong to the low risk category.



Spam Network (SN)

A Spam Network involves rotating IPs that refresh every seven days, generating fraudulent ad activities. These networks are often used to manipulate ad impressions, clicks, and engagements to deceive advertisers and platforms. Detection focuses on identifying such IP patterns and preventing abuse by flagging suspicious traffic sources.

Tor Exit Node (TEN)

Tor Exit Nodes are associated with proxy traffic from the Tor network, which can be used to mask real user identities. While Tor serves privacy-conscious users, it is also frequently exploited for spam, fraud, and malicious activities. Detection involves identifying traffic from these sources and assessing its legitimacy.

Good Bot (GB)

Good Bot traffic comes from verified, legitimate sources such as search engine crawlers (e.g., Googlebot, Bingbot) and other recognized services. Unlike malicious bots, these entities serve useful purposes like indexing web pages. Detection focuses on differentiating good bots from harmful automated traffic.


Zombie (ZM)

A Zombie refers to a compromised device that is controlled remotely, typically as part of a botnet, to perform fraudulent activities. These devices can be used for click fraud, spamming, or launching cyberattacks. Detection involves identifying unusual traffic patterns and sources linked to compromised networks.

Proxy Servers (PS)

Proxy Servers act as intermediaries between a user and the internet, often used for anonymity, content filtering, or bypassing geo-restrictions. While proxies have legitimate uses, they can also facilitate fraudulent activities and traffic manipulation. Detection focuses on identifying and analyzing such traffic sources.

Mail Servers (MS)

Mail Servers handle email communication for domains, sending and receiving messages. Identifying mail server traffic is essential for detecting potential spam campaigns, phishing attempts, or unauthorized email transmissions. Detection involves analyzing network patterns associated with email activity.

Web Servers (WS)

Web Servers host and serve web content, handling user requests for websites, applications, and services. While they form the backbone of internet infrastructure, certain web servers may be exploited for malicious purposes. Detection involves monitoring traffic from these sources to prevent abuse.

No Server (NS)

No Server refers to ad impressions that occur without an associated server, which is an anomaly that may indicate fraudulent activity. Such instances could be linked to bot-driven impressions, invalid traffic, or manipulated ad rendering. Detection focuses on flagging these anomalies to maintain ad integrity.

Nomail Domain (NMD)

Nomail Domains are domains where no email activity should originate, yet they may be misused for spam, phishing, or impersonation attacks. Detection involves identifying email traffic from such domains to prevent fraudulent communication and safeguard email security.

Virtual Private Network (VPN)

A Virtual Private Network (VPN) masks a user’s real IP address by routing traffic through a remote server. While VPNs enhance privacy, they are also used to bypass security checks, perform fraudulent activities, or manipulate geo-location settings. Detection involves identifying VPN-based traffic while blocking data center IPs commonly associated with such services.


Fast Clicker (FCL)

Fast Clicker refers to rapid clicks with extremely low request-to-click time differences, which may indicate automation or fraudulent user behavior. These patterns are commonly associated with bot-driven click farms or ad fraud schemes. Detection involves identifying and analyzing such irregular click patterns.

PopAsPush (PAP)

PopAsPush refers to ad sources delivering pop-up or in-page push traffic, which can sometimes be misleading or intrusive. Some advertising methods use deceptive pop-up ads to increase engagement artificially. Detection involves identifying these ad formats to ensure compliance with ad quality standards.

AdBlocker (ADB)

A user is flagged if they have an AdBlocker enabled or if an ad fails to render as expected. Ad blockers prevent ads from displaying, impacting ad revenue and analytics tracking. Detection involves monitoring whether ads are successfully loaded and rendered in the user's environment.

Domain Age 30 (DA30) (New)

Recently created domains are flagged. Domains less than 30 days old are often linked to malicious activities such as phishing, scam websites, or temporary attack infrastructures. Monitoring domain age helps in identifying and blocking high-risk domains before they can cause harm.


Dynamic IP Emulation (EIPL) (New)

Frequent IP changes in a short time get flagged. This pattern suggests the use of anonymisation techniques, such as rotating proxies or VPNs, to mask true user identity. Such behaviour is often associated with fraud attempts, account takeovers, and bot-driven activities.
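The traps on this page that key on timing rather than on a URL share one shape: a per-user sliding window over an event stream. Ad Click Spam counts requests per window, Fast Clicker measures the request-to-click delta, and Dynamic IP Emulation (like VPN Based Emulation above) counts distinct source IPs per window. The block below is an added example written for this page, not the product's code; the window lengths and thresholds are assumptions, since the page states none, and the request/click events are constructed.

```python
"""Added example for the rate-based traps ACS, FCL and EIPL/EIPM: a sliding-window
evaluation of a constructed request/click stream. Illustrative code written for
this page, not the product's implementation; every threshold is an assumption."""
from collections import defaultdict, deque
from dataclasses import dataclass

RATE_WINDOW_S = 60.0      # ACS: count ad requests per user over this window (assumed)
RATE_LIMIT = 30           # ACS: more than this many requests per window is flagged (assumed)
MIN_REQ_TO_CLICK_S = 0.5  # FCL: a click sooner than this after the request is flagged (assumed)
IP_WINDOW_S = 600.0       # EIPL: look-back window for distinct source IPs (assumed)
MAX_DISTINCT_IPS = 3      # EIPL: more than this many IPs in the window is flagged (assumed)


@dataclass(frozen=True)
class Event:
    ts: float    # seconds since epoch
    user: str    # pseudonymous user/device identifier
    ip: str      # source IP of the request or click
    kind: str    # "request" (ad request) or "click"


def evaluate(events):
    """Return {user: sorted trap codes} for every user that trips at least one trap."""
    flags = defaultdict(set)
    recent_requests = defaultdict(deque)   # per user: request timestamps inside RATE_WINDOW_S
    recent_ips = defaultdict(deque)        # per user: (ts, ip) pairs inside IP_WINDOW_S
    last_request = {}                      # per user: timestamp of the latest ad request

    for ev in sorted(events, key=lambda e: e.ts):
        # EIPL: how many distinct source IPs has this user presented recently?
        ips = recent_ips[ev.user]
        ips.append((ev.ts, ev.ip))
        while ips and ev.ts - ips[0][0] > IP_WINDOW_S:
            ips.popleft()
        if len({ip for _, ip in ips}) > MAX_DISTINCT_IPS:
            flags[ev.user].add("EIPL")

        if ev.kind == "request":
            # ACS: request rate over the sliding window
            reqs = recent_requests[ev.user]
            reqs.append(ev.ts)
            while reqs and ev.ts - reqs[0] > RATE_WINDOW_S:
                reqs.popleft()
            if len(reqs) > RATE_LIMIT:
                flags[ev.user].add("ACS")
            last_request[ev.user] = ev.ts
        elif ev.kind == "click":
            # FCL: request-to-click delta too short for a human reaction
            prev = last_request.get(ev.user)
            if prev is not None and ev.ts - prev < MIN_REQ_TO_CLICK_S:
                flags[ev.user].add("FCL")

    return {user: sorted(codes) for user, codes in flags.items()}


def build_sample_events():
    """Constructed stream: one ordinary user, one scripted clicker, one IP rotator.
    Addresses come from the RFC 5737 documentation ranges."""
    events = [
        Event(0.0, "u-human", "203.0.113.5", "request"),
        Event(3.2, "u-human", "203.0.113.5", "click"),
        Event(40.0, "u-human", "203.0.113.5", "request"),
        Event(100.1, "u-script", "203.0.113.9", "click"),   # 0.1 s after the first request
    ]
    # 40 requests in 20 s from one IP: exceeds RATE_LIMIT inside RATE_WINDOW_S
    events += [Event(100.0 + i * 0.5, "u-script", "203.0.113.9", "request") for i in range(40)]
    # 4 distinct IPs within 3 minutes: exceeds MAX_DISTINCT_IPS inside IP_WINDOW_S
    events += [Event(200.0 + i * 60, "u-rotator", f"198.51.100.{i + 1}", "request") for i in range(4)]
    return events


if __name__ == "__main__":
    for user, codes in evaluate(build_sample_events()).items():
        print(user, codes)
```

Events are sorted by timestamp before evaluation so that a click is always compared against the request that actually preceded it, which matters when a batch of log lines arrives out of order.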