Recommended
More Related Content
Similar to Catch Advertising Money Thieves with Log Analytics
Similar to Catch Advertising Money Thieves with Log Analytics (20)
Recently uploaded
Recently uploaded (20)
Catch Advertising Money Thieves with Log Analytics
- 1. https://commons.wikimedia.org/wiki/File:Thief.png, By JamesDrury creative commons – share alike
- 2. Catch your Advertising Money Thieves • Is someone stealing your advertising money? • Who or what is producing invalid traffic at your cost? • You want to get alerted when suspicious traffic kicks in (Fraud)? • You want a clean and accurate basis for your Marketing Analytics without fraud traffic?
- 3. Best possible Source for DATA = Logs Best possible Analytics Engine =
- 4. Before we start – some “good to know” • The data we are talking about does not live long (GDPR compliance). • IP Address processing is necessary for the purposes of the legitimate interests pursued by the controller - Security and Fraud detection are two legitimate interests. • You need to understand what can appear as “direct campaign traffic” means. Learn about it here: https://www.youtube.com/watch?v=8oGlkqq_0Ao • Be very careful with your analysis and ask a security specialist for a second opinion before you report your findings. • Expect Fraud everywhere but also be aware that some users show strange click flows. • Read this: https://www.wfanet.org/adfraud
- 5. Prerequiste: Get the Logs into New Relic • Define New Relic the endpoint of your Logs in your CDN or from your servers (in case no CDN is used) • Check if logs arrive (Example for Fastly) (Logs arrived in New Relic)
- 6. Make sense of the of the data Focus for this use case only on traffic coming from your paid campaigns (Paid Search, Paid Social etc.) Most thieves hide themselves by using sophisticated scripts run on a variety of servers. Expect to see one thieve use multiple IP addresses. A good starting point is to count the calls of UTM Campaign traffic and separate it by IP address. Select count(client_ip) as 'Requests' from Log where request_user_agent not like '%bot%' and request_query_string like '%utm_campaign%' and request_referer not like '%yourdomain.%' facet client_ip limit 50 since 1 day ago xxx.xx.xx.xx xxx.xx.xx.xx xxx.xx.xx.xx xxx.xx.xx.xx
- 7. Narrow down to get more intelligence • Ask Questions What campaigns are affected? Is this real fraud? xxx.xx.xx.xx xxx.xx.xx.xx xxx.xx.xx.xx xxx.xx.xx.xx Click to filter Campaigns Called Red Flag ’Cost per Click’ Campaign
- 8. Is the specific IP address known as Fraud? • Various platforms provide databases of known fraud traffic Ips • Example: https://scamalytics.com/ • Confirms my assumption: Most likely fraud !
- 9. Further Analysis • Check the log entry further for Is a referral present? Is a gclid present? (you might need it for reporting it to google) Is anything else looking suspicious? A starred as request language…suspicious Export gclid directly from New Relic
- 10. Create an outlier alert to get notified!
- 11. Automate Fraud detection • Implement a script using the NR APIs to get the list of possible fraud Ips • Query the https://scamalytics.com/ API and send the results (as custom events) into New Relic using the ingestion API. • Now you can query the data easily and get alerted on high fraud traffic based on public available data
- 12. Fraud Scoring in New Relic
- 13. Report identified Thieves • https://support.google.com/googleads/troubleshooter/2557048?rd=1 • Make sure the ALL the data requested by Google. The better you report the faster Google can react and probably refund you. All requested data should be available in your logs.