1

I would like to know why fraudsters would use old User-agents (with old browsers versions) to make conversions for PPL (Pay-Per-Lead) or PPS (Pay-Per-Sales) offers in affiliate marketing?

It seems like it's a tendency now and I'm not sure why they wouldn't just go with more recent browsers versions.

guntbert
  • 1,825
  • 2
  • 18
  • 21
ffspider
  • 11
  • 2
  • 2
    I don't know what PPL or PPS are, but is it possible that the offers are automated and (like all software development) once it works, they just don't update the scripts very often? – Mike Ounsworth Aug 29 '18 at 16:53
  • PPL stands for Pay-Per-Lead and PPS for Pay-Per-Sales. That means that some offers will generate a conversion (meaning $) just for clicking on the advertisement (PPL) or by completing a sale after clicking on the advertisement (PPS). The thing is that the User-agents that I can verify are the ones used by the customer (real or fake) and I see differences or a wide variety of User agents, just for one offer. I even see different versions of the same browser (Firefox 42.0 vs Firefox 59.0 for instance) on the same offer. Basically, each and every conversions will have its own user-agent... – ffspider Aug 29 '18 at 17:03
  • ... Sometimes we will see repetitions, which makes sense especially on more recent browser versions, but I don't see why you would use an older version of a Browser.. Security barriers?? Easier to navigate?? – ffspider Aug 29 '18 at 17:04
  • Now I'm confused what your question is, are you asking why a conversion from a real human user might have multiple useragents attached to it, or why conversions generated by fraudsters would use old useragents (as the title suggests) ? – Mike Ounsworth Aug 29 '18 at 17:09
  • Yes.... I should have precised my point: "why conversions generated by fraudsters would use old useragents (as the title suggests)".... is really what I'm looking for.... – ffspider Aug 29 '18 at 17:15
  • My guess is that these are not actually coming from real browsers, but from some sort of automated web crawler that doesn't get updated very often. Remember that if you're writing your own program, then useragent is just a string and you can set it to whatever you want. That would also explain seeing multiple useragents in the same conversion if different parts of the web crawler are hard-coded to send different useragents. – Mike Ounsworth Aug 29 '18 at 17:48
  • Definitely makes sense... especially in my field. Thanx a lot for the quick answers!! – ffspider Aug 29 '18 at 17:52
  • Cool. I'll put that in an Answer then. – Mike Ounsworth Aug 29 '18 at 18:05

3 Answers3

2

My guess is that the traffic you're seeing is not actually coming from real browsers, but from some sort of automated web crawler. Remember that if you're writing your own program, then useragent is just a string and you can set it to whatever you want -- usually whatever's current at the time you write the software. I'm guessing that either the crawlers don't get updated very often, or the developers of the crawlers don't bother updating the useragent strings.

That would also explain seeing multiple useragents in the same conversion if different parts of the web crawler are hard-coded to send different useragents.

I wonder if you could turn this into some way to differentiate real human clicks ...

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
2

Using an old agent can trick some sites into serving a simpler version of the page that's easier to scrape. If the server thinks your browser is too hold to handle ajax, it can inline dynamic content, like it would do for crawler user agents. Thje site might also not present as many styles and behaviors, reducing the page load time.

Granted this practice is by no means universal, but middlemen will take any little edge they can get that doesn't cost money.

dandavis
  • 2,658
  • 10
  • 16
0

It's an attempt to thwart being fingerprinted.

If you see a ton of requests from the same subnet(s) and using the same (or very similar) useragents and the conversions turn out to be fraudulent, you can easily lump similar-looking transactions together and discard them all. "Hey, everything we see from 5.62.160.0/19 and using Chrome is fraudulent. I'm not paying for those."

In this case, the nefarious affiliate's revenue depends on his ability to make the traffic look unique and authentic. They likely grabbed a list of all possible historically-valid useragents and pick one at random per request to try to make his bot traffic appear to be sourced from a number of unique users.

Since he's cycling useragents on each request, it outs him just the same-- no legitimate user's traffic patterns look like that.

If you have a list of IPs, you should get the ASN/ISP data for each of those and refuse to pay for anything coming from a VPS provider-- no DigitalOcean, Linode, OkServers, Choopa, OVH, Hetzner, Amazon, etc. conversions should be trusted.

(Clickfraud is so rampant I honestly don't know why anybody pays to advertise on the internet.)

Ivan
  • 6,288
  • 3
  • 18
  • 22
  • I think I'm missing a link of understanding: I assume the OP is an advertizing agency serving ad content. The "fraudster" in this case is someone or something getting the ads served to them who is not a real human consumer. Your answer assumes that the fraudster's revenue relies on being able to access this ad content without being blocked. The link I'm missing: how is the fraudster generating revenue from this? – Mike Ounsworth Aug 31 '18 at 14:28
  • 1
    I work in a CPA (cost-per-actions) Network. We're the middle man between advertisers and affiliates, and they are the ones who could fraud us (and the advertisers), basically by generating traffic on their website/social media page/ etc. that clics on publicity banners shown on their page. You have to understand that generating false clics/sales could mean a lot of money, and this is why we try to prevent those fake conversions. But fondamentally, we suspect the affiliates to generate fake conversions, and they seem to use a lot of old User agents, which was my initial question. – ffspider Aug 31 '18 at 16:17
  • @MikeOunsworth It doesn't matter if the entity being served the page or ad itself is a human or bot; ad impressions are cheap-- they pay a fraction of a cent per million views. The fraudster in this case runs a website displaying ads for an ad network as an affiliate. He gets paid per ad click, so he sets up a bot to emulate users on various browsers clicking on the ads in an endless loop. It's a money printer- those clicks generate $0.05 to $0.25 each for the fraudster/owner depending on whether he also submits fake contact info, sets up an account or puts random stuff into his shopping cart. – Ivan Aug 31 '18 at 19:11