Category: blackhat (page 1 of 1)

The ‘Boiler Room’ is an intermediate blackhat tactic.

The tactic uses the Rotating CallerID tactic, (discussed in another article), but is somewhat more sophisticated.

While the Rotating CallerID tactic simply rotates the callerID, making it slightly more difficult to detect non-unique callers, the Boiler Room takes it to another level.

A ‘Boiler Room’ is an outbound telemarketing operation. The term is most often used to describe high-pressure, outbound sales of investment products. E.g. Buy this stock before there is no more left! And more often than not, the term is used to describe those shady operations which skirt around laws and take advantage of unsuspecting widows and orphans.

However, any outbound telemarketing room can be considered a boiler room. So the term is universal and not necessarily used to describe fraudsters and crooks. But in the context of this article, the term ‘boiler room’ is most definitely outside the moral box.

As the definition implies, pay per call affiliates utilize this blackhat method by organizing numerous people to make calls on their behalf. The callers are paid by the hour or on commission and are coached to impersonate legitimate callers.

The fake buyers are given a script to follow, with the intention of keeping a call center agent on the phone until the call reaches the minimum duration necessary to be qualified for payout. Great pains are taken in sculpting the scripts to make them sound natural.

In our day and age of outsourcing, callers need not be contained within a physical ‘room’. But the concept of the boiler room is still very much alive. Callers are given lists of people to impersonate, and as long as they don’t call the same advertiser too often, picking up on the voice-match can be difficult for the affiliate manager and their compliance teams, which is why other identification methods are necessary. For pay per call affiliate managers seeking to identify patterns of fraud, the most tell-tale signs are usually a series of questions. One question after another will be asked and compliance teams must be trained to spot these questions. What is it you do? How does your service work? Do you do this? Can you do that? Ok, if I decide to move ahead I will call you back. Click.

In a further effort to mask their tracks, the more far-thinking boiler rooms will actually impersonate real prospects who have previously made inquiries online. Lists of aged electronic leads are purchased for pennies on the dollar and their callerID is pushed through to the advertiser. That way, when the advertiser tries to contact that person, there might be some recollection of having previously requested related information, extending the time that this scheme may go undetected.

There are several other variations of the boiler room tactic, and needless to say, the variations will continue to proliferate into more and more elaborate programs.

Affiliate managers must always be on their toes!

By Benny Traub

As a pay per call affiliate manager, this is one of the blackhat techniques I’ve learned to watch out for. I call it the ‘Rotating CallerID Tactic’.

Here’s how it works…

Those of the pay per call blackhat world would love to be able to get on the phone and make call after call to their advertisers, getting paid $5 or $10 for every call they make. Hey, at ten bucks per call, they see themselves making $60.00 or $100.00 per hour simply by making phone calls. So you can completely understand why they would be tempted!

The catch is, most advertisers stipulate that they will only pay for ‘unique callers’.

A unique caller, in the advertiser’s mind, is defined as a different person. So how does an advertiser prevent over-sharp affiliates from making multiple calls? In practice, their filter is usually callerID.

Since CallerID is the most obvious filter by which ‘unique callers’ are identified, pay per call blackhat affiliates have spent their valuable time figuring out ways to rotate the callerID that is sent through to their advertisers. Their logic is that the advertiser will simply count the unique callerID numbers and then make the payout.

If the pay per call affiliate manager is not paying attention, those calls can easily leak through. They will be worthless to the advertiser, yet on paper they will be booked as qualifying calls.

As a pay per call affiliate manager, I would have been none-the-wiser if I hadn’t started listening to call recordings. To my surprise, I discovered that the recorded voice of some of the callers sounded nearly identical!

I guess if you are smart enough to figure out how to rotate callerIds, then you can’t be completely dumb, right? Nevertheless, sometimes the pay per call blackhatter is not even bright enough to use a different name when they call. So not only do we have voice prints that match, we even have names! It turns out ‘spoofing’ your callerID is simpler than it sounds, so you don’t need to be a rocket scientist to pull this one off. There are numerous spoofing services out there that will take care of it for even the dumbest of dumb dumbs.

Since then, our compliance team has developed other methods to uncover this obvious sham and it rarely goes undetected. Of course, we can’t be sure, since non-detection means we don’t know about it if it exists.

More sophisticated pay per call affiliates have setup even more elaborate methods of utilizing the Rotating CallerID Tactic, and we’ll touch on those in a future article.

By Benny Traub

PS. In case you didn’t know this bit of telephony trivia, DNIS is a telephone service that identifies the phone number of the caller and reports that number to the advertiser or the advertiser’s call-tracking service. DNIS passes the key tones (multi-frequency digits) through which are interpreted as callerID numbers.

Affiliates and Affiliate managers may enjoy this insight into pay per call fraud.

It’s unfortunate, but in our business of managing affiliates we catch pay per call fraud almost on a daily basis.

We’ve seen ‘blackhat’ techniques seduce even the most innocent affiliate, from mom-at-home to grandpa.

Here’s how we catch them…

Our pay per call fraud team investigates every call and listens to every single call recording. Unfortunately, long practice has resulted in our team developing a very fine acuteness for pay per call fraud. This practice of reviewing calls has enabled us to catalog a long list of blackhat techniques. The one featured in this article is called the ‘Decoy Tactic’.

Every industry has it’s obvious flags, for example, we know that legitimate prospects of home improvement services ALWAYS want to get a price. A normal question is “how much is it going to cost me?” That’s usually the first and last question. There are very few exceptions to that rule. It’s an established ‘pattern’ of a legitimate call. We’ll use the home improvement category in our examples here.

When an affiliate sends calls to a home improvement campaign which do not result in the caller requesting a price, this raises the fraud flag. And since most pay-outs require the call to extend beyond a certain duration to qualify for payment, it is then a simple matter for the fraud team to determine what trick was used to get the call to extend beyond the minimum duration.

Some affiliates are very elaborate in their schemes. The pay per call blackhat Decoy Tactic is one that requires a bit of work. But not too much.

Blackhat pay per call affiliates know that they can’t simply send a batch of dummy calls to an advertiser. The  fraud is too obvious and the blackhat affiliate would get kicked out of the affiliate network.

To cover their tracks, the pay per call affiliate sends legitimate ad-driven calls to the advertisers. They arrive naturally like any other advertising, making the fraud slightly more difficult to detect.

However, this ‘legitimate’, inexpensive advertising, is of very  low quality, such as certain mobile click-to-call, SMS or misdial campaigns. Such a campaign results in many extremely short calls being pushed through to advertisers. They don’t convert, but that’s not the point. They are just the decoy. And these calls are cheap to produce (usually less than 15 cents per call).

Once the pay per call affiliate has created a bit of phone traffic, they then feel safe to slip in some junk. They organize calls that are systematically sculpted to extend beyond the minimum duration. These calls  are intended to be the payoff for the earlier decoy work. The calls are generated by friends, family, employees or the affiliates themselves.

Of course these people don’t want quotes, so they simply make ‘natural’ conversation, asking seemingly innocent questions until the minimum duration has been fulfilled. Some even get generous and talk for ten or fifteen minutes! But in the end, they refuse a quote and make some kind of excuse, such as “I have to speak with my spouse” or “I have a bad connection, I’ll call you back”. The list of excuses is endless. But when a price is not requested on a home improvement call, up goes the fraud flag and our fraud-detection blood hounds go to work.

The above Decoy Tactic certainly creates some smoke. But with the home improvement vertical it doesn’t matter. Anyone who owns a home knows that if they call a flooring or roofing contractor to get a price, the contractor is going to need to come out to the house to see it and measure things up. That’s how most home improvement trades work. And legitimate buyers have no problem with this. So when a caller breaks this pattern, the fraud comes to light.

The Decoy Tactic is used by many blackhat affiliates, in my opinion, especially by those who have been previously been booted from networks for being too obvious in their schemes. They come back in under a new name (wife, brother, dead relative, etc) and try again.

I’ve explained how the Decoy Tactic is exposed  for the home improvement vertical, but it can be just as easy to spot for other industries. There are certain patterns of a legitimate call that are impossible to emulate by fraud. As affiliate managers, it is our job to be attuned to these patterns and invest in the necessary policing of campaigns in order to spot the fraud.

By the way, if you are a pay per call affiliate and are  tempted to call your promo numbers yourself, or if you’d like to ‘organize’ calls for a home improvement campaign, here’s how to get away with it…

Make sure that whoever makes the call is, a) the owner of the home (advertisers will check), and b) is willing to go through with the entire quote process, which will include someone coming out to see the home. Anything less than this will result in the fraud-flag going up the pole. It will either be caught when reviewing the initial  phone call, or within a couple days of the call when it becomes impossible to reach the caller to confirm basic information.

If fraudsters spent the same amount of time developing a legitimate business instead of cooking up schemes to rob their advertisers, their businesses would have lasting value instead of temporary spikes which are not repeatable.

You can shear a sheep many times, but you can only skin it once.

By Benny Traub