A user agent is any software application that facilitates an interaction between a user and a network service, such as the Internet. The software acts as an “agent” on behalf of the user to request access, retrieve data, and render it from a connected server.

The most common user agents you’ll see include:

  • Web browsers
  • Email clients
  • Mobile apps
  • Web crawlers
  • API clients
  • Accessibility tools (e.g. screen readers)
  • Command-line tools (e.g. cURL)

User agents declare themselves to networks by giving themselves a unique identifier, known as a user agent string. This has benefits for users and networks:

  • Content Optimization: Websites customize content for specific browsers or devices based on the user agent string.
  • Compatibility: Systems may have specific user agent requirements to be met for security or to keep their system running optimally.
  • Analytics: User agent data can be used in analytics to understand visitor demographics or behavior over time.

The user agent string contains information about the browser or application version, the operating system it’s being run on, and sometimes the device type. For example, a user agent string for an iPhone user with Safari would look something like this:

Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1

Note that the actual version numbers in this string would reflect the current versions of iOS and Safari being used on the device. Additionally, user agents may use their own conventions to communicate the same information.

What is user agent spoofing and why is it used?

User agent spoofing, also known as forged user agents or fake user agents, occurs when a user purposefully changes the user agent string to misrepresent the user agent, operating system, or device type.

Spoofing your user agent is useful if you’re testing user experiences or seeking greater privacy. However, forged user agents can also be used by scammers to access protected resources or commit fraudulent activity.

How are fake user agents used for fraud?

Spoofing user agents is a common tactic fraudsters use to bypass fraud detection systems, and it has the added benefit of making them harder to identify upon investigation.

Specifically, these are some of the main ways it’s employed for fraud:

  • Ad Fraud: Used to generate fake impressions and clicks that all come from the same device or set of devices (i.e. click farms) but appear to be legitimate.
  • Fake Traffic: Similar to ad fraud, invalid traffic (IVT) is generated through different marketing channels and masked to fool website analytics.
  • Bypass Geo-restrictions: A more specific type of fake traffic, scammers mimic users from particular zip codes.
  • Web Scraping: Most sites have built-in protections against large-scale web scraping, but spoofing a user agent and using a VPN sidestep many of these protections.
  • Free-trial Scams: Users can appear brand new to a service to repeatedly take advantage of new customer offers.
  • Desktop to Mobile Fraud: Fraudsters can perpetrate several types of mobile fraud at scale on their desktop computer.

How do you detect and prevent fraud from forged user agents?

There’s no one thing you can do to protect against fraud from spoofed user agents. Instead, it’s a programmatic approach that involves multiple checks and balances within your business. Depending on the severity of the problem, you’ll want to employ a mix of these fraud detection tools and protocols.

  • Tracking Pixel-Based Detection: Pixels embedded into your ads offer real-time analysis of incoming clicks or impressions.
  • Server-to-Server (S2S) API Integration: IVT detection and prevention through an API that won’t impact page load times or user experience.
  • Browser Fingerprinting: Browser metadata, such as fonts, screen resolution and available plugins, is collected and analyzed to check whether it matches what the user agent string declares.
  • Device Identification: Uses information about a device’s hardware and software, such as the device’s IP address and operating system, to check for a match with the user agent string.
  • User Analytics: Look for spikes or drops in user engagement metrics such as time on site or bounce rate as a sign of fake user agent activity.
  • Crosschecking IPs: Confirm that the user agent string matches the location of the incoming IP address.
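
The browser fingerprinting check above, sketched as an added example (not code from this page or from any vendor): it compares what a user agent string claims with signals collected in the browser, which is how a desktop machine posing as a phone shows up. The `signals` payload, the finding names and the 1200-pixel threshold are assumptions made for illustration.

```javascript
// Added example: server-side consistency check. The `signals` fields are an
// assumed payload filled client-side from navigator.platform,
// navigator.maxTouchPoints and screen.width.

// navigator.platform prefixes that fit each operating system a UA can claim.
const PLATFORM_FOR_OS = {
  ios: /^(iPhone|iPad|iPod)/,
  android: /^(Linux|Android)/,
  windows: /^Win/,
  macos: /^Mac/,
  linux: /^Linux/,
};

// Work out what the user agent string claims. Order matters: iPhone strings
// contain "like Mac OS X" and Android strings contain "Linux".
function parseClaim(ua) {
  let os = "unknown";
  if (/iPhone|iPad|iPod/.test(ua)) os = "ios";
  else if (/Android/.test(ua)) os = "android";
  else if (/Windows NT/.test(ua)) os = "windows";
  else if (/Macintosh/.test(ua)) os = "macos";
  else if (/Linux|X11/.test(ua)) os = "linux";
  const touch = os === "ios" || os === "android";
  const phone = /iPhone/.test(ua) || (os === "android" && /Mobile/.test(ua));
  return { os, touch, phone };
}

// Return the list of mismatches; an empty list means the signals fit the claim.
function checkConsistency(ua, signals) {
  const claim = parseClaim(ua);
  const findings = [];
  const expected = PLATFORM_FOR_OS[claim.os];
  if (!expected) findings.push("unrecognized-os");
  else if (!expected.test(signals.platform || "")) findings.push("platform-mismatch");
  if (claim.touch && signals.maxTouchPoints === 0) findings.push("touch-device-without-touch");
  // 1200 CSS px is an assumed threshold; tune it against your own traffic.
  if (claim.phone && signals.screenWidth > 1200) findings.push("phone-with-desktop-screen");
  return findings;
}

// Constructed sample: the iPhone string from this page, sent with desktop signals.
const SAMPLE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1";
const SAMPLE_SIGNALS = { platform: "Win32", maxTouchPoints: 0, screenWidth: 1920 };
console.log(checkConsistency(SAMPLE_UA, SAMPLE_SIGNALS));
```

Treat the findings as one input to score alongside the other checks in this list, since privacy tools and desktop-mode browsers can also produce mismatches.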

Stopping forged user agents from infiltrating your network requires a multilayered approach combining fraud detection tools and consistent monitoring of your analytics. If you’ve identified user agent spoofing as a problem, you may benefit from working with an ad fraud prevention and cybersecurity partner to identify which tools and internal controls would work best.