Fraudster’s perspective on IDFA’s opt-in nature.jpg


2020 is a year for the books. Crazy, harrowing, and unprecedented, to say the least.

Thus, advertisers are adjusting, adapting, and reimagining the way they approach ad campaigns. With enough to deal with already, Apple threw a curveball to advertisers in June of this year when more strict privacy rules were announced, with some even calling these rules more impactful than CCPA or GDPR.

Just last month, Apple announced that the release of the IDFA privacy rule was going to be slightly postponed, giving developers more time to “prepare for this feature rolling out to users by the end of the year.” Yet, it’s still there and it’s not going anywhere.

In paper, the opt-in nature of the IDFA sounds good for the end-user, but on the other end of the spectrum, the near-death of Apple’s identifier will create many opportunities for fraudsters to defraud advertisers.

For this post, we decided to go on a different route and take you on a journey from the fraudster’s point of view to show you how they will benefit from the IDFA opt-in nature.

Get your fraud on!

You’re a fraudster now

Put your fraudster hat on and think about how you got to this point. How does one actively decide to become a fraudster? 100% of the time, the answer is money.

If money is the driving force, what is the vehicle? How do you get started on defrauding advertisers? You’d be surprised, but most of the time, it all starts with a simple YouTube search.

Fraudster’s-perspective-on-IDFA-opt-in-nature-Google-Docs (1).png

Check out his video!

You might think that it’s kid’s stuff given the fact that it’s as easy as performing a simple YouTube search where the results show you a plethora of tutorials available online of youngsters streaming from their basements, giving you detailed instructions on how to perform different schemes of mobile ad fraud.

Think again.

While it’s true that you can get started in a modest way, think of mobile ad fraud as a beast on its own merit. A many-headed monster that eats away advertiser’s budgets on the daily.

Think of your fellow mobile ad fraudsters as corporations and not home-based vloggers giving you tips on how to create your own device farm with as little as 10 devices.

With an industry that is expected to reach $520 billion by 2023, ad fraud is a critical risk for advertisers, as their campaigns are in the line of fire. With numbers like this, it’s easy to see how ad fraud will give you high returns.

In fact, the ad fraud industry is so lucrative that ad fraud corporations make more money than drug dealers. With average fraud paychecks that range from $5 million to $20 million, the World Federation of Advertisers claims that ad fraud is set to become the second biggest organized crime enterprise, right behind drug trade.

The truth of the matter is that fraud attacks are becoming more severe, sophisticated, and downright smart. Case in point, in May of this year, Scalarr discovered an AI-powered click hijacking SDK being sold on the Dark Web to bypass intelligent solutions that make use of machine learning algorithms.

In that sense, fraudsters are fighting fire with fire. While it’s not the first time we see similar types of tools being sold on the Dark Web, it is the first time they use cutting-edge technologies and make them available at an affordable price. Only 2 bitcoins, wink wink.

As a fraudster yourself, your main goal is to make money while staying undetected. Luckily for you, mobile ad fraud continues to thrive because a) advertisers don’t always have the urgency this matter requires, and b) mobile is continuously adapting and evolving, making it harder for traditional anti-fraud solutions to keep up.

How does IDFA benefit your fraud schemes?

Now that you’re a fraudster, you must tap into every opportunity to grow your booming business.

Whether you choose AI as your technological ally or rely on the advertiser’s lukewarm approach to fighting fraud, one thing is true: the new IDFA opt-in nature is here to help you even more.

As end-users decide to opt-in or opt-out from being tracked by advertisers, you will find a number of provocative ways to not only continue but grow the way you perform mobile ad fraud.

Here’s a quick list of why the IDFA disintegration will benefit your fraudulent schemes:

  • There will be fewer data points to emulate. This means that, as a fraudster, you won’t need to meet that many criteria in order to look like a legitimate install.
  • There will be fewer links between clicks and installs. With less data available, there won’t be enough information to create relationships of links or installs to devices. As things stand right now, most likely, anti-fraudsters will receive aggregated data with little detail, making it super easy for you to fly under the radar.
  • It will be significantly easier to spoof clicks and installs. Presumably, the industry will see more “compliant” fraud schemes because there won’t be enough evidence to prove otherwise or the criteria won’t be stringent enough to filter legitimate data from illegitimate sources.
  • There will be less evidence available for refund claims. This one’s easy - with less data, you will find it easier to make more money as advertisers will have no grounds to claim their money back on the basis of fraud.


As seen in the image above, the IDFA brings about a new reality. Now, it will be categorically impossible to create data connections between a specific device and installs. In its place, advertisers will only see that some device had one install. Not very helpful, right?

How can you take advantage of these uncertain times with the new nature of IDFA?

Let us give you a few examples of attribution fraud and click spam specifically.

A tale as old as time, click spam has been around for quite some time and is a favorite amongst fraudsters. Such is the case that in 2019, Scalarr found that 35% of all fraud in their clients was the cause of click spam.

Being the experienced fraudster that you are, you know that click spam works by spreading fraudulent malware into the largest possible number of user devices with the goal of sending invisible clicks to all advertising links available in the hope that one of those random clicks results in an organic install. That way, you can capture the attribution and claim credit for it.

In a nutshell, with click spam you make advertisers pay for installs that would otherwise be organic.

Prior to the new IDFA opt-in nature, advertisers would identify if too many different ad clicks were made by a single IDFA and mark it as suspicious. Now, there will be many clicks from different campaigns, creating good CTR, and looking like anything but suspicious.

Another scenario where IDFA can help you is in fingerprinting attribution. With IDFA in place, advertisers would see many different ad clicks from several IP addresses with the same patterns made with several IDFAs, and as such, mark it as an anomaly. After the IDFA is gone for good, advertisers will see large amounts of clicks from a single IP address and it will look legitimate.

For this to work, you will need to use dynamic IP addresses, mobile internet, and locations with limited IP range to avoid detection by fingerprinting and IP.

But believe us, you can take advantage of the death of IDFA with more than just click spam. Let’s take a look at click/install farming for example.

Click/install farming is an old-school scheme that is equipped with large numbers of devices that click, install, or interact with an app to claim credit and receive payment. It can be automated or human-operated.

Now, click/install farms are not so popular in Apple devices, that is true. For one, the devices have a higher price point that fraudsters shy away from. Also, IDFA kept them at bay.

You see, if a device was detected as being part of a device farm, it is blocked and the device ID is no longer trusted. The farmer can’t make money anymore.

When IDFA is gone, farmers will simply restart the farm and start again.

Your obstacles

It’s not all rainbows and butterflies for your fraudster way of life. Apple claims that they will help with cases when fake installs take place by checking whether the user has actually installed the app by visiting the App Store.

Most importantly, advertisers are highly data-driven and more than suspicious of even the slightest anomaly in their traffic.

Nowadays, advertisers go the extra mile and investigate strange behavior such as good CTR with poor ROI, establish harder standards for performance KPIs, pay extra attention to CR and CTR anomalies in post-install activity, and use exclusion lists to prevent fraud before it even occurs.

The biggest obstacle you’ll find is machine learning-powered anti-fraud solutions that are solely dedicated to detecting and preventing mobile ad fraud. Machine learning algorithms are specifically trained to detect fraudulent activity and are increasingly learning and improving.

So, you see, it might not be as easy as you think to get away with mobile ad fraud.