Symphony, Conducting Fraud on the Opera-Mini Proxy Network

Summary

PureClick uses PureCaptcha to detect mobile fraud operating on the Opera-Mini platform on a major display network.

Description

Subsequent to our initial discovery of the Nokia-browser-based Loki click fraud, we began to investigate further the use of parked domains as a source of click fraud on a major display network. These are sites with no real content, whose only likely commercial value, a dubious one, is as a conduit for click fraud. The practice of finding something by randomly typing a domain name has long since been supplanted by search engines and other more exact methods of reaching desired content.

Our research led us to the discovery of a secondary form of click fraud that uses the Opera Mini browser platform as an alternative to the Nokia devices detected in earlier tests. We are calling this version Symphony.

In method and behavior, Symphony is nearly identical to its cousin Loki. It is operating on parked domains, and traffic originating from those parked domains is 100% fraudulent and being billed by the network. Most of the Symphony publishers are generating the Opera Mini version of this fraud exclusively, but there is some overlap in publishers between Symphony and Loki. Fraudulent traffic from these publishers is consistent in time and user behavior with Loki.

Profiling Symphony Traffic

Name: Symphony

Class: Parked Domain, Opera-Mini

User Agents: Opera Mini, e.g. “Opera/9.80 (J2ME/MIDP; Opera Mini/4.1.15082/34.1394; U; en) Presto/2.8.119 Version/11.10”

Traffic Volume: 1% of US-only Display, 0.1% of International

Publisher Volume: 100+

Proportion of Publisher Traffic that is fraudulent: 100%

Estimated Cost to Advertisers: $5 million per month
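As a triage aid for the profile above, the following added example (not PureClick's or PureCaptcha's detection logic) parses the Opera Mini token from the sample user agent and lists publishers whose clicks are exclusively Opera Mini. The publisher names, the `min_clicks` cutoff and the click records are constructed for illustration; an Opera Mini user agent alone does not indicate fraud, so the output is a candidate list to compare against known parked domains.

```python
import re
from collections import defaultdict

# Opera Mini token as it appears in the profile's sample user agent:
# "Opera Mini/<client version>/<server version>".
OPERA_MINI_RE = re.compile(r"Opera Mini/(?P<client>[\d.]+)(?:/(?P<server>[\d.]+))?")


def parse_opera_mini(user_agent):
    """Return (client_version, server_version), or None if not Opera Mini."""
    m = OPERA_MINI_RE.search(user_agent)
    return (m.group("client"), m.group("server")) if m else None


def opera_mini_only_publishers(clicks, min_clicks=3):
    """clicks: iterable of (publisher_domain, user_agent) pairs.

    Returns {publisher: click_count} for publishers with at least
    min_clicks clicks (assumed cutoff) where every click is Opera Mini.
    """
    totals, mini = defaultdict(int), defaultdict(int)
    for publisher, user_agent in clicks:
        totals[publisher] += 1
        if parse_opera_mini(user_agent):
            mini[publisher] += 1
    return {p: n for p, n in totals.items()
            if n >= min_clicks and mini[p] == n}


# User agent quoted in the profile above.
PROFILE_UA = ("Opera/9.80 (J2ME/MIDP; Opera Mini/4.1.15082/34.1394; U; en) "
              "Presto/2.8.119 Version/11.10")
# Constructed desktop user agent and click records (not real traffic).
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36")
SAMPLE_CLICKS = (
    [("parked-a.example", PROFILE_UA)] * 4           # all Opera Mini
    + [("news.example", PROFILE_UA),                 # mixed browsers
       ("news.example", DESKTOP_UA),
       ("news.example", DESKTOP_UA)]
    + [("parked-b.example", PROFILE_UA)]             # too few clicks to judge
)

if __name__ == "__main__":
    for pub, n in sorted(opera_mini_only_publishers(SAMPLE_CLICKS).items()):
        print(f"{pub}: {n} clicks, 100% Opera Mini")
```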

Assessing Impact of Symphony

The impact of Symphony on advertisers is estimated to be $5 million per month. It is currently targeting US geographic locations, but appears likely to follow its cousin and target international locations soon.