The Bot Fraud Toolbox: Part 2
In our last post, we wrote about a number of the tools in a fraudster’s toolbox that allow their bots to commit fraud right under the nose of your detection service. These bots are basically modified browsers that have a host of add-ons to let them look like something they aren’t. Let’s take a look at some more of these tricks so you know what you’re up against. Remember, when it comes to lead generation, these bots are committing fraud that makes money for the criminals while costing you TCPA violation fines. So it’s important to stay informed and get real detection help that can protect your whole lead-gen ecosystem.
Today we’re going to start off looking at two tricks that work together to fool your detection solution:
The first one is multi-host emulation. This enables each browser tab to have a different proxy or backconnect connection. The end points of these proxies are mostly residential and are set up on real residential internet connections. Much like booking a room through Airbnb, you can order a proxy/backconnect and pay only for what you use. In return, the platform and whoever shares the internet connection get a small fee. Services like this provide millions of residential IP addresses in almost every possible location. This is one more nail in the coffin for using blacklisted IP addresses alone for your fraud detection.
Multi-client emulation works in collaboration with multi-host emulation. It enables a browser to look like a different browser engine for each open tab. So, the first tab could look like Internet Explorer 11 on Windows 7, the second tab Firefox 68 on Windows 10.0, then Chrome 76 on an iMac, and so on. As each tab runs in its own process, the SSL/TLS handshake (with the correct TLS fingerprint) and JavaScript are executed within the emulation of a browser engine.
Organizations that commit criminal fraud like this are always looking to automate the process – that way they don’t have to pay pennies a day to people in click farms and they can reduce their costs. Of course, they have a tool for this, too, to keep their crime profitable: macro recordings that allow bots to move the mouse, click on items in the page, type information in forms, simulate sensors, and so on. If no (session) cookie is present, they log in using the login/password fields. Of course, the mouse and keyboard recordings are timed to resemble typical human behavior and have randomized trajectory paths, which prevents detection by simplistic statistical profiling.
Of course, some tasks are designed to be unsolvable for computers, at least for the time being. These tasks are CAPTCHAs. When an automated task is challenged by a (re)CAPTCHA, it will fail to complete it. To cope with this, a bot operator can hire a CAPTCHA recognition service. The bot sends a screenshot of the CAPTCHA to the service’s platform, which distributes it to workers, mostly cheap labor, who usually solve it in less than a minute. The workers are paid a small fee per hour or per solved CAPTCHA.
The second tool to look at today puts all these pieces together in a neat and tidy package. Fraudsters can compile the complete browser, macro recordings, profiles and settings into a single standalone application. This application can be distributed easily to multiple computers. Each computer can run a dozen concurrent tabs, pretending to be a random human. These fake humans are randomly selected from available profiles and execute pre-defined tasks according to the recorded macros.
That’s how easy it is to commit fraud – and that’s why it is so widespread. More serious tools are required to stop the theft against your business and to avoid fines caused by TCPA violations. Every day there’s another decision that makes TCPA violations harder to avoid. Contact us today to see how we can help.
So how is your JavaScript solution different from the other fraud-detection solutions that are described in your post above, that you’ve said are ineffective against the bots that continually find ways to defeat them?
We look at the full spectrum of inputs and whether the combination of all data points, i.e. browser, device and behavior, is in balance. To give you an idea of what we mean, we can detect wheel scrolling on a touchphone. That’s pretty strange because only a computer mouse has a scroll wheel. That would be out of what we call “the confluence zone” and therefore a red flag. There’s obviously a lot more analysis that goes on, but that is a general indicator of our proprietary approach.
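The kind of cross-signal check described in the reply above can be illustrated as follows. This is an added example, not the vendor's proprietary logic and not code from the original post; the session record shape (`userAgent`, `maxTouchPoints`, `events`), the rule names and the sample sessions are assumptions constructed for illustration.

```javascript
// Added illustration: compare what a session claims to be (User-Agent),
// what the device reports (touch points) and what was observed (input events).
// Record shape and rule names are assumptions for this sketch.

// Coarse device class as claimed by the User-Agent header.
function claimedDevice(userAgent) {
  if (/iPhone|Android.*Mobile/i.test(userAgent)) return "phone";
  if (/iPad|Android/i.test(userAgent)) return "tablet";
  return "desktop";
}

// Return the contradictions found; each one is a signal to weigh, not a verdict.
function findInconsistencies(session) {
  const counts = {};
  for (const e of session.events) counts[e.type] = (counts[e.type] || 0) + 1;
  const device = claimedDevice(session.userAgent);
  const touchClaim = device !== "desktop";
  const flags = [];

  // A phone has no scroll wheel (tablets are skipped: they may pair a mouse).
  if (device === "phone" && counts.wheel > 0) flags.push("wheel-on-touch-phone");
  // A touch device should report at least one touch point.
  if (touchClaim && session.maxTouchPoints === 0) flags.push("touch-ua-without-touch-points");
  // Mobile browsers emit compatibility mouse events only after a touch.
  if (touchClaim && counts.mousemove > 0 && !counts.touchstart) flags.push("mouse-without-touch-on-touch-device");
  // Touch input from hardware that reports no touch capability.
  if (device === "desktop" && counts.touchstart > 0 && session.maxTouchPoints === 0) flags.push("touch-without-touch-points");
  return flags;
}

// Constructed sample sessions (not real traffic).
const ev = (...types) => types.map((type) => ({ type }));
const SAMPLE_SESSIONS = {
  realPhone: {
    userAgent: "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36",
    maxTouchPoints: 5,
    events: ev("touchstart", "touchmove", "touchend", "mousemove", "click"),
  },
  emulatedPhone: {
    userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1",
    maxTouchPoints: 0,
    events: ev("mousemove", "wheel", "mousemove", "click"),
  },
  realDesktop: {
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36",
    maxTouchPoints: 0,
    events: ev("mousemove", "wheel", "keydown", "click"),
  },
};
```

Because the emulation described in the post can present a matching User-Agent and TLS fingerprint, checks like these only help when the observed behavior contradicts the claimed device.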