All About Headless Browsers and Click Fraud
Kerry Coppinger
|Marketing | October 15, 2020
Headless browsing may seem like a bizarre term, but it’s simply a name for a browser or browser simulation without a recognizable graphical interface. Even more simply “headless” simply means no screen. Instead of testing a site or performing common actions using familiar graphical elements (graphical user interface or GUI), use cases are automated and tested with a “command-line interface”.
There are various tools out there to help with headless testing, with the most common ones including PhantomJS, Selenium, Nightmare, Headless Chrome, and Puppeteer. Puppeteer (which can emulate 73 different types of device) has been downloaded 122 million times in the last two years for instance.
Headless browsers are commonly used for legitimate and useful purposes, providing a fast, lightweight way to automate high-level actions for developers, including:
- Website and application testing
- JavaScript library testing
- JavaScript simulation and interactions
- Running one or more automated UI tests in the background
These actions help developers confirm whether or not common website activities flow smoothly and can identify potential problems with UI and UX. They have all the functionality of a regular browser but are run in a data center like Amazon Web Services.
Headless browsers and click fraud
You can probably see how headless browsers are so central to the $23 billion click fraud industry. This is because bots operate through this website development and testing tools “headless”, which allows for operation in headless mode. Unlike first-generation bots, they can maintain cookies and execute JavaScript. These tools are developed and maintained by Google and Microsoft and can be deployed at enormous scale using cloud computing technologies provided by Amazon (AWS), Google (GCP), and Microsoft (Azure). Bot makers create millions of headless browsers that can simulate all human-like actions such as mouse movement, page scrolling, and clicks, to load webpages and cause impressions.
We see malicious use of headless browsers including fuzzing, botnets, content scraping, login brute force attacks, and click fraud. The issue for digital marketers is that it looks like legitimate human traffic.
Hideous Headless Browser Activity
1. Crap leads
The presence of headless-browser-driven leads turns marketing campaigns upside down. They bring crap leads into expensive digital marketing campaigns killing marketing KPIs. In the case of one medical devices client for instance we monitored running an expensive paid social campaign, 23 % of their fake traffic was driven by malicious crawlers, running headless browsers including PhantomJS, Lighthouse, and Cyclone. This can be used to click on advertisements, install applications, and fill out lead forms.
2. Going Headless to create Fake Accounts
New accounts for instance on Reddit, can be created using headless mode and human-Captcha solving services such as 2Captcha, as shown in this study ($0.77 per 1,000 Captchas solved makes this service highly accessible). Security researcher, Jarrod Overson says: “This is where having the ability to toggle headless off and on is helpful because we can drive the browser like a human when we need to.” He points out that Facebook does prevent automated bots, including Puppeteer Stealth from registering new accounts on the platform.”
3. DDoS attacks using headless browsers
In 2016, researchers uncovered a botnet called Dress Code that infected Android phones. The hacker himself said the purpose of the botnet is to generate fraudulent ad revenue by causing the infected phones to collectively access thousands of ads every second, and deployed headless browsers. This was done by an attacker-controlled server running 5000 headless browsers clicking on webpages containing ads that pay commissions for referrals. To prevent advertisers from detecting fake traffic, the server used proxies to route traffic through the compromised devices, which are rotated every five seconds.
CTO Jag Bains CTO of DOSarrest, which prevents DDoS attacks told ITProPortal that going headless allows the opening up of multiple sessions on a laptop. He says: ” We looked at adding a monitoring service to see how our website was doing, and you can add a sensor and a certain location and tell it to tell you the load times of each element of the site, but others are modifying it for less than gallant reasons.”
Sophisticated fraud at cost price
These developer tools provide sophisticated fraud at bargain prices. It is very difficult to create web automation tools, so fraudsters use these popular ones instead, and find ways to disguise that they are automated browsers and not real ones. Refael Filippov, CHEQ security researcher, says: It costs the fraudster less resources than it would do to execute more of them on the same server, compared to automated browsers that do have GUI.
So, there’s always natural migration of fraudsters towards more and more sophisticated tools. And for the majority of fraudsters; the automation tools are evolving without them having to do anything about it, they just have to hide and rewrite certain elements in order to evade more and more tests.”
Using CHEQ to stop headless browsers
At CHEQ, we packed our award-winning fraud-detection capabilities into a powerful Java-Script tag that runs on your assets and analyzes for invalid users while looking at over 1,000 unique parameters and performing advanced OS / Device fingerprinting, as well as behavioral and network analysis, to ensure you only block truly invalid users. This blocks damaging headless browser traffic from your campaigns and funnel.
Protect yourself from headless browser activity hurting your marketing, and get your free CHEQ trial today.
P.S.
Want to protect your sites and ads? Click here to request a demo.