Anomaly codes
List
| Code | Description |
|---|---|
| MCPS-1000 | IP / Network Block |
| MCPS-1100 | Failed Input Verification |
| MCPS-1200 | Desktop / Old Device |
| MCPS-1300 | Shield Bypassing |
| MCPS-1400 | Duplicate Shield Token |
| MCPS-1500 | APK Not From Google Play Store |
| MCPS-1600 | Adult Keywords |
| MCPS-1800 | Opera Mini Traffic |
| MCPS-1900 | Google Proxy Traffic |
| MCPS-2000 | IP Timeseries |
| MCPS-2300 | Blacklist/Whitelist |
| MCPS-2400 | Legacy Devices/Browsers |
| MCPS-3000 | Replay Attack |
| MCPS-4000 | APK Fraud |
| MCPS-5000 | Bot Detected |
| MCPS-6000 | Spoofing |
| MCPS-7000 | Clickjacking |
| MCPS-8000 | Remotely Controlled Fraud |
| MCPS-9000 | Failed Interaction |
MCPS-1000 - IP / Network Block
Request was denied because the IP address used does not fall within the approved range specified by the client.
MCPS-1100 - Failed Input Verification
Failed Input Verification is used when there's a problem with verifying the information entered on MSISDN/PIN entry pages. This can happen due to various reasons, including automated processes (like bots or app controllers) or extremely fast data entry that doesn't match normal human behaviour. It's a signal that something might not be quite right with the information provided.
MCPS-1200 - Desktop / Old Device
Indicates a situation where fraudsters use old devices with outdated operating systems to avoid specific security tests or checks. They do this to hide certain activities that may not comply with security measures. This behaviour can create risks, potentially allowing fraudulent actions to go unnoticed.
MCPS-1300 - Shield Bypassing
Shield Bypassing is a term used to describe a fraudulent tactic where malicious actors intentionally disrupt the proper functioning of our anti-fraud system. It's akin to someone trying to disable security measures in a building to carry out unauthorized activities unnoticed. In the digital realm, fraudsters attempt to prevent our Shield JavaScript engine from working correctly on a webpage. This obstructs our ability to effectively detect and prevent fraudulent transactions. By identifying instances where the Shield JavaScript engine fails to load or render, we can uncover and thwart potential fraud attempts. Flagging Shield Bypassing is a critical defense mechanism, helping us protect against malicious efforts to interfere with our fraud prevention measures.
MCPS-1400 - Duplicate Shield Token
The same Clear Uniqid is being used multiple times against multiple URLs.
MCPS-1500 - APK Not From Google Play Store
The APK attempting the subscription, or in use, is not from the Play Store or has been removed by the Play Store.
MCPS-1600 - Adult Keywords
Adult keywords found in headers, domains, etc.
MCPS-1800 - Opera Mini Traffic
Opera Mini misses some advanced JS checks and also uses the Opera proxy for content loading.
MCPS-1900 - Google Proxy Traffic
Google proxy used for faster content loading.
MCPS-2000 - IP Timeseries
Request was declined because there have been too many access attempts from the same IP address within a short period of time.
MCPS-2100 - Google Traffic
Google traffic carrying a Google Ads identifier, e.g. gclid, wbraid, gbraid, etc.
MCPS-2200 - Facebook Traffic
Facebook or Instagram traffic carrying the Facebook Ads identifier FBCLID.
MCPS-2300 - Blacklist/Whitelist
Anything explicitly whitelisted or blacklisted.
MCPS-2400 - Legacy Devices/Browsers
Indicates a situation where fraudsters use old devices with outdated operating systems to avoid specific security tests or checks. They do this to hide certain activities that may not comply with security measures. This behaviour can create risks, potentially allowing fraudulent actions to go unnoticed. It underscores the importance of vigilant monitoring and addressing such instances to maintain robust security measures.
MCPS-3000 - Replay Attack
A replay attack refers to a fraudulent act in which an attacker attempts to reuse or "replay" legitimate transaction data to gain unauthorised access.
It typically involves the following steps:
Initial Legitimate Transaction: A legitimate transaction, often involving the activation of a subscription or service, takes place. During this transaction, the user provides valid information and credentials, and the transaction is approved.
Data Capture: The fraudster captures all relevant data associated with the legitimate transaction. This data may include transaction details, device fingerprinting data, and any authentication tokens generated during the process.
Replay Attempt: The fraudster then attempts to replay this captured data, essentially submitting the same transaction or information again, but without the legitimate user's consent or knowledge. They may use the captured data to mimic the original transaction.
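A server-side check for the token reuse described here and under MCPS-1400, as an added example that is not Shield's own code. The class, method and reason names, the five-minute validity window, and the mapping of each condition to a code are assumptions made for illustration.

```javascript
// Added example; class, method and reason names are hypothetical.
const TOKEN_TTL_MS = 5 * 60 * 1000; // assumed validity window

// Compare origin + path only, so ad parameters do not make one page look like two.
function pageKey(url) {
  const u = new URL(url);
  return u.origin + u.pathname;
}

class TokenLedger {
  constructor(ttlMs = TOKEN_TTL_MS) {
    this.ttlMs = ttlMs;
    this.tokens = new Map(); // token -> { page, issuedAt, redeemed }
  }

  // Record a token when it is issued for a landing page.
  issue(token, url, now) {
    this.tokens.set(token, { page: pageKey(url), issuedAt: now, redeemed: false });
  }

  // Check a token when the transaction is submitted.
  redeem(token, url, now) {
    const entry = this.tokens.get(token);
    if (!entry) return { allow: false, reason: 'unknown-token' };
    if (now - entry.issuedAt > this.ttlMs) return { allow: false, reason: 'expired-token' };
    // Token presented against a URL other than the one it was issued for.
    if (pageKey(url) !== entry.page) return { allow: false, reason: 'MCPS-1400' };
    // Right URL, but the token was already consumed: captured data replayed.
    if (entry.redeemed) return { allow: false, reason: 'MCPS-3000' };
    entry.redeemed = true;
    return { allow: true, reason: null };
  }
}

// Constructed sample traffic (timestamps in ms, example.test hosts).
function runSample() {
  const ledger = new TokenLedger();
  ledger.issue('tok-A', 'https://lp.example.test/subscribe', 0);
  ledger.issue('tok-B', 'https://lp.example.test/subscribe', 0);
  return [
    ledger.redeem('tok-A', 'https://lp.example.test/subscribe?gclid=abc', 1000),
    ledger.redeem('tok-A', 'https://lp.example.test/subscribe', 2000),
    ledger.redeem('tok-A', 'https://other.example.test/offer', 3000),
    ledger.redeem('tok-B', 'https://lp.example.test/subscribe', 6 * 60 * 1000),
    ledger.redeem('tok-Z', 'https://lp.example.test/subscribe', 1000),
  ].map((v) => v.reason);
}
```

The URL check runs before the consumed check, so a captured token moved to another page is reported as a duplicate token rather than as a plain replay.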
MCPS-4000 - APK Fraud
The app might disguise itself by pretending to be a web browser in its request headers. It can also deceive by claiming to be from one package (Package A) while actually originating from another (Package B). Additionally, the app attempts to conceal its true identity by hiding its package name.
MCPS-5000 - Bot Detected
The system detects the presence of automated bots. These bots often use headless browsers like PhantomJS, Selenium, Appium, and similar tools. Additionally, they may run on emulators or desktops hosted on cloud-based servers, mimicking the behaviour of mobile devices.
MCPS-6000 - Spoofing
Indicates instances where attackers manipulate or falsify information related to the mobile OS, browsers or apps. For example, an attacker might disguise their system to appear as though it's using a different web browser or app or present an outdated version of an operating system. This deceptive tactic aims to trick the system into granting unauthorised access.
MCPS-7000 - Clickjacking
Covers clickjacking or malicious code injection attempts, which are both common OWASP-defined web application security risks. Clickjacking involves overlaying hidden elements on web pages to deceive users into unintentional interactions. For instance, a malicious actor might place an invisible button on a subscription page, tricking users into activating subscriptions without their knowledge.
MCPS-8000 - Remotely Controlled Fraud
Refers to remote-controlled fraud, where a single transaction spans multiple devices and networks. In this scenario, a fraudster gains control of a victim's device via a malware app, manipulating it remotely through emulators, other mobile devices, or cloud servers to subscribe to a specific service without the victim's knowledge. To obscure their actions, the fraudster initiates requests from a gateway IP but processes them on a remote server, spoofing the gateway IP during landing page interaction and executing the transaction via a command-and-control server. This code is used to detect and address such fraudulent activities.
MCPS-9000 - Failed Interaction
Encompasses programmatic interactions within web applications where an element is clicked but is not visible or falls entirely outside of the user's viewport. This situation often arises when a program or script attempts to interact with an element that may not be currently displayed to the user or is entirely outside of their visible screen area. Additionally, it identifies cases where no user activity is observed on the page. For instance, if a Block API call is received from the server, indicating that the subscribe button was clicked, it suggests fraudulent activity. In such instances, we mark the transaction as a block because there was no genuine user action on the page, indicating an attempt by a fraudster to interfere and falsely indicate a subscription attempt. This reason code is crucial for detecting and mitigating fraudulent or automated interactions within web applications.
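The three conditions named above (element not visible, element entirely outside the viewport, no user activity on the page) as an added example that is not Shield's own code. The report shape, field names and reason strings are assumptions; in a browser the report would be built from `getBoundingClientRect()` and `getComputedStyle()` at click time.

```javascript
// Added example; field and reason names are hypothetical. The report is passed
// in as plain data so the check runs offline.

// An element counts as visible only if it is rendered, opaque and has area.
function isRendered(el) {
  return el.display !== 'none' && el.visibility !== 'hidden' &&
    Number(el.opacity) > 0 && el.rect.width > 0 && el.rect.height > 0;
}

// True only when no part of the element overlaps the viewport.
function isEntirelyOutside(rect, viewport) {
  return rect.right <= 0 || rect.bottom <= 0 ||
    rect.left >= viewport.width || rect.top >= viewport.height;
}

function assessClick(report) {
  const reasons = [];
  if (!isRendered(report.element)) reasons.push('element-not-visible');
  if (isEntirelyOutside(report.element.rect, report.viewport)) reasons.push('outside-viewport');
  const a = report.activity;
  if (a.touches + a.pointerMoves + a.keyPresses + a.scrolls === 0) reasons.push('no-user-activity');
  return { code: reasons.length > 0 ? 'MCPS-9000' : null, reasons };
}

// Build a DOMRect-like object from position and size.
const rect = (left, top, width, height) =>
  ({ left, top, width, height, right: left + width, bottom: top + height });

// Constructed reports for a 360x640 viewport.
const viewport = { width: 360, height: 640 };
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const idle = { touches: 0, pointerMoves: 0, keyPresses: 0, scrolls: 0 };
const SAMPLES = {
  // Button on screen, user typed a number and tapped.
  genuine: { viewport, activity: { ...idle, touches: 3, keyPresses: 11 },
    element: { ...shown, rect: rect(40, 500, 280, 48) } },
  // Button positioned far off screen and clicked with no prior activity.
  offscreen: { viewport, activity: idle,
    element: { ...shown, rect: rect(-9999, 500, 280, 48) } },
  // Button on screen but fully transparent.
  transparent: { viewport, activity: { ...idle, touches: 2 },
    element: { ...shown, opacity: '0', rect: rect(40, 500, 280, 48) } },
};
```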