Given all the developments in digital advertising over the last year, with Apple and Google announcing major platform changes, staying vigilant against mobile ad fraud may have taken a back seat. Mobile ad fraud, however, is never going away. Mobile Ad Fraud is a subset of ad fraud plaguing mobile based performance campaigns. It is a collective term used to describe a combination of tactics used to stop digital ads from being delivered to the audiences or spaces for which they were intended. These tactics often include the use of bots, click injection, click spamming, organic hijacking, device farms, SDK spoofing etc. These tactics allow ad fraudsters to syphon off enterprise’s ad spend dollars while the ads themselves fail to generate brand exposure, leads and sales because they were never seen by an actual person. Besides hurting the advertisers, mobile ad fraud also hurts publishers by driving down the ROAS and decreasing the overall value of ads. Advertisement-related frauds will continue to be a major threat in mobile environments in 2022. Last year broke records for ad spending. According to a recent forecast, global digital advertising in 2021 was expected to grow by 15.6% over 2020, reaching $705 billion — well above pre-pandemic levels. Unfortunately, this advertising boom also triggered mobile advertising fraud. As businesses kick off their 2022 marketing plans, there's one thing they shouldn't overlook — a strategy for combating mobile ad fraud to protect their return on ad spend (ROAS). According to a study, ad fraud costs the marketing industry an estimated $51 million per day, and these losses are likely to increase to $100 billion annually by 2023. Sophisticated nonhuman bots, which are actively involved in ad fraud, are responsible for roughly 18% of all internet traffic in the marketing business. Digital advertising operates within a complex system with many loopholes where fraud can infiltrate, but with a little guidance, advertisers can mitigate fraud that gets past prevention measures. Approaches To Fighting Mobile Ad Fraud Fraud is a moving and changing target, and it hides behind the performance numbers CMOs are looking for in the first place. The goal is to not wait until something major occurs to make you pay attention. The goal is to pay attention on saving ad spend that doesn’t take much time or resources from enterprise's marketing team. Look Beyond Install Numbers Examine your conversions, post-install rates and numbers using cohort. This is where you're more likely to notice anomalies like a strange device ID or email address, and then check into the behaviours linked with these potentially fraudulent identities. Click to install time is another metric to consider. Instal events that happen too quickly or in groups can be marked for further evaluation. Be Aware Of Your Audience Reach User acquisition is one of the most important aspects, however the farther your reach, the less trustworthy the traffic becomes. You'll be more exposed to fraud if you use lower CPIs or have a wider reach. There are only so many ad partners out there, therefore in order to meet demand and for client's growth, they may have to rely on marginal traffic. To stop suspicious traffic, make sure you have traffic verification methods in place. Mobile Ad Fraud Detection Some enterprises use mobile ad fraud detection software to spot invalid clicks across their programmatic/display advertising, as well as paid search and social channels. The software can detect clicks and impressions that are generated by bots on paid campaigns and then blocks them, thus preventing them from continuing to syphon money away from the campaign. Mobile ad fraud detection software relies on detecting patterns that resemble suspicious actions in an ad’s impressions, clicks, traffic or IP addresses — or a mix of all those data sources. It compares clicks on ads to its database, and if it detects an anomaly, it notifies users in real time so advertisers can analyse their data. Data Analytics Data analytics helps enterprises pinpoint sources of fraud. Advertisers can use data analytics tools to get a variety of performance indicators on their marketing efforts, such as web traffic across their digital assets and information on potential customers who interact with their ads. With this much bad data in enterprises marketing stacks, it’s no surprise that a significant portion of their total ad spend doesn't deliver any return on investment. Modern data analytics tools utilise machine learning to analyse massive amounts of data and discover anomalies that often indicate fraudulent activity. In turn, this helps enable advertisers to identify fraudulent traffic and prevent further damage by quickly adjusting their ad strategy and divesting from bad traffic in favour of good traffic. Verifying their data across multiple channels also helps enterprises prevent bad data from impacting the rest of their data set, ensuring that their ads reach real and actual target customers. The Takeaway Mobile ad fraud has been a major issue worldwide in the last two years, fuelled by rise in digital during the pandemic and it's projected to become an even more concerning issue in 2022. To get the most from their campaigns, enterprises will want to consider investing in solutions that validate the accuracy of their data and ensure that their ad budgets result in impressions and clicks that actually generate the desired results and values.

My work experience at Com Olho has been very insightful and eye-opening. Things started well from day one. This company is pretty organised in terms of being ready for new employment. I had my schedule before the day started, and when I reached office, my computer and swags were waiting for me. Once I settled down and met my new employers, it was time for the formal training to begin. I chose to work as a Product Manager to get a better idea of researching, designing, implementing and identifying areas for modification in existing programs. The amount of trust that the company has put in me is honestly unbelievable, they provide the employees with all the resources that would enhance their capabilities and bring the best out of them. Week after week in this organisation, I also built up my capabilities progressively and that resulted in more confident in the tasks that I was assigned. I am honestly beginning to feel a part of the team. Getting to know my workmates daily made me feel that any problems I would be facing with the task that I’m being assigned would be quickly diminished by simply asking for assistance on anything I wasn't sure of. As a 23-year-old, it’s hard to determine exactly what career opportunities might interest me, especially with my focus being largely on achieving good A-Levels leaving little time for exploring what the workplace could be like. However, it’s been a high learning curve for me, which leads me on the journey of discovering myself. This work experience has helped me to better understand what working in an office-based environment is like and I now feel more prepared for, not only work but choosing a career path that better suits me. I know I'm still within the early stages of this job, and things will still change and evolve during my time here. But for the foremost part, things have started off well and I am very proud of my job and therefore the company. Connect with me on Linkedin : Link

Pandemic has led to a rise in fraud rates with criminals looking to take advantage of the disruption of both businesses and their clients. It is anticipated that there will be over 7.5 billion internet users by 2030, hence it’s more important than ever to think about how to safeguard your business against fraud and improve the digital customer experience. Last year, every dollar lost due to fraud cost the business $3.60, an increase of 7% from previous years. Fraud is expensive and impacts negatively on both businesses and consumers. What are disposable phone numbers? Disposable phone numbers (also known as temporary or discarded numbers), is a fake phone number that can be used for a limited or temporary period. This visible phone number is used during checkout or account sign-up to avoid providing a legitimate phone number and is generally used by many to get OTP account authentication for temporary access. The number expires after a certain amount of time – usually about 10 minutes. This means that those who need and use this service for longer-period of time will have to get new ones after every 10 minutes of use. The various ways in which these temporary numbers can be used for harmful or fraudulent motives are growing day by day as maleficent look for novel ways to conceal their identity or emulate others. 1. People use disposable phone numbers in situations where they do not want to provide their permanent numbers. For example, the missing number allows the seller on a website of classified ads and community notices to stop the service from the phone number once the advertised item has been purchased. 2. Another drawback is identity theft where people are in contact with strangers for online dating or doing some kind of fraud. These temporary numbers raise a concern about the nature of online identities, as phone numbers are now associated with people's identities. 3. Fake ownership will damage the seller's services and cause great losses. For example, the committer may bypass your phone verification process and sign up for multiple accounts to take advantage of your services. This leads to CRM deterioration. 4. Another disadvantage is that if someone gets access to any information on your disposable phone number – such as your name or home address – they might locate you more easily and quickly than if they had access to your permanent phone number. Because phone numbers are increasingly being used as unique identifiers, connecting user data across multiple databases, which also contain other users data, disposable phone numbers raise a concern about the nature of online identities. Numbers should be validated at the point of entry into your system to ensure that only real, genuine, and qualified leads are captured, keeping your user database clean and preventing fraud. How can Com Olho help? In our research, Com Olho’s system examined over ten thousand of websites to reveal where maleficent use of disposable phone numbers can be found. Com Olho introduced a SaaSless real time API disposable phone numbers detection which regularly scans the web and active phone numbers from a variety of sources to detect disposable phone numbers and verify fraud. At the moment, we have over 10K phone numbers currently in use around the world. Benefits of Com Olho’s Offering: 1. Identity Theft Prevention - Disposable numbers raise a concern about the nature of online identities. Using our real time API Identify the real identity associated with the number using this offering. 2. CRM Improvement - Validate phone numbers at the point of entry into your system to ensure that only real, genuine and qualified leads are captured, keeping your user database clean and preventing fraud. 3. Real-Time API - Experience SaaSless real time API to determine the validity of the numbers entered, as well as discover and remove disposable numbers from your database. Schedule a personalised walkthrough of this offerings.

If you manage an enterprise online, you have an accountability to make sure that your certain records and applications in the cloud are protected all the time. With the continuously evolving risk landscape, this can be a complicated task. However, there are compliance frameworks precise to distinctive industries that can furnish the methodology for enterprises to discover workable incidents and outline methods to forestall such incidents. Top 10 Cloud Security Standards & Control Framework: 1. CIS AWS Foundations v1.2 By following the CIS AWS Foundations Benchmark, any employers that make use of Amazon Web Service cloud sources can assist to defend IT structures and data. The CIS (Center for Internet Security) Benchmarks are a set of objective, consensus-driven configuration requirements which are produced to assist companies in optimising their data security. In addition, CIS protocols are for strengthening AWS accounts to create a strong base for executing jobs on AWS. 2. Health Insurance Portability and Accountability Act (HIPAA) Health Insurance Portability and Accountability Act (HIPAA) is the United States charter that helps safety choices to defend scientific data and keep files privacy. This regulation obtained into the frame when many health-associated documents have been hacked and ransomware assaults have been viewed by means of providers. 3. General Data Protection Regulation (GDPR) The GDPR situation is enforced on each member of the European Union(EU). Its goal is to construct undeviating safety of client records all throughout European union members. Conditions of GDPR in data safety are: Whenever a statistics breach takes place in the system, it needs to be notified in a particular period. Cautiously coping with facts on every occasion there is an alternate via borders. It is vital to think that any market or organisation taking part with the EU is concerned with its rule. This cause makes the EU to have an effect all over the world in phrases of statistics protection. 4. ISO-27018 ISO-27018 is used to guard personally identifiable information (PII) in the communal cloud as PII processors. ISO-27018 additionally can be carried out to any form and dimension of organisation: public or private, government organisation, or not-for-profit organisations. 5. ISO-27017 ISO/IEC-27017 provides pointers for Cloud Security that may want to help organisations approach Cloud Security more systematically and dependably. Further, ISO-27017 is a safety fashionable set up for cloud providers and customers with the reason of reducing the risk of a protection incident in the cloud. In addition, it is additionally prevalent for cloud-based businesses that assist with control recommendations and implementation. This is true for corporations that keep facts in the cloud and corporations that provide cloud-based choices to exceptional businesses which could have confidential data. 6. ISO-27001 / ISO-27002 Someone ought to have encountered ISO-27001 in phrases of information safety needs. ISO-27001 holds the identification for Information Security Management System (ISMS). This is really helpful whilst the challenge is in its commencing phase or if you can’t commit to full implementation of the project. Furthermore, ISO-27002 defines the managed assertion with IS0-27001. By adhering to the ISO-27002, it reveals that the commercial enterprise organisation follows records safety extensively and is eligible to do high-quality practices to invulnerable data. 7. Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard is a security of records that fine applies to the corporations that cope with sizeable card schemes. It is a set of requirements to certify that all groups with access to an approach that acquires and transmit savings card records ought to preserve an impervious and regular environment. 8. ACSC Essential Eight A foundation of eight key strategies for preventing and minimising the scope of cyber security problems. 9. CIS Controls Top 20 The Top 20 Controls (previously referred to as the SANS Top 20 Critical Security Controls) is a prioritised checklist of the organised sketch through the Center for Internet Security (CIS) to combat today’s most ubiquitous and severe threats. It was once created by pinnacle safety specialists from all round the world and is up to date and established annually. Using the CIS pinnacle 20 key safety protocols is a notable approach to defend your enterprise corporation in opposition to the most frequent threats. 10. System and Organisation Controls (SOC) Reporting SOC (System and Organisation Controls) reporting gives inclusive assurance (SOC 1, SOC 2, SOC 2+ and SOC 3) to customers about transparency issues in risk management. Developing SOC ensures that they exercise the proper insurance policies and controls and solely share vital facts with stakeholders. Furthermore, SOC reviews provide tips to improvise on a few precise areas and turn out to be conscious of gaps that can be lagging with potential.

“Never doubt that a small group of thoughtful, committed people can change the world. Indeed, it is the only thing that ever has.” – Margaret Mead I was the first employee at Com Olho. And I believe that the best analogy for what it’s like to be the first employee is that it's extremely similar to the experience and feelings of being a cofounder. I was a part of every conversation and every decision. The open culture and transparency between senior management and other employees is one of the best aspects of Com Olho. I joined Com Olho with no expertise in marketing, but with a strong belief in the company’s mission - “To assist Enterprises and the Government to create Digital Safe India.” However, as I reflect on my journey, the opportunities that have been provided to me have allowed me to grow both personally and professionally. I'm getting goosebumps today thinking about how far we've come. In the last one year, I have gained significant insight into where my true strengths lie by wearing many hats. Nothing makes me happier than taking on new tasks and overcoming unexpected problems, or, to put it another way, stepping outside of my comfort zone. As the company grew and pivoted, I adapted and moved from one set of responsibilities to another. Com Olho has provided me with a diverse range of experience that has helped me advance in my career. It takes commitment to build a successful business. Working hard entails more than just putting in long hours. It's all about commitment to one's belief and aiming for greatness. And the beauty of working here at Com Olho is that everyone works hard towards the same goal to get it done. Working here has been an exciting journey and an amazing learning experience. I'm grateful to our Co-founder, Abhinav Bangia for believing in me from the start, giving me responsibility and the freedom to do whatever I wanted. It has equipped me with invaluable hands-on experience, allowing me to grow my skills, and knowledge. I believe I still have a lot to learn and grow in, and I'm looking forward to doing so with Com Olho. Connect with me on LinkedIn: Link

The growing pace of data is exponential in today's society, where every business and institution is transforming itself into a data-savvy entity. As a result, dealing with large amounts of data has become necessary. The CSV (Comma-Separated Values) format is one of the most frequent ways to store data efficiently. Importing a large CSV file directly into a Python script can cause an 'Out of memory' error or a system crash owing to a lack of RAM. The internet has plenty of tips and strategies for reading large CSV files at once, such as defining the chunksize of the data in the pd.read csv() command or utilising Dask dataframes or Datatables. After extensive testing and hours spent developing the best code to read massive quantities of data, I personally believe that all of these solutions have some form of barrier at some point of time. For example, defining chunksize and breaking the data into chunks necessitates an extra step of concatenating the data into one dataset, which takes almost as long as simply reading the data. And the first obstacle with Dask dataframes is specifying the dtype for all of the columns (even when there are 200+ columns); second, dealing with Dask dataframes is not as straightforward as working with Pandas dataframes. Following extensive research, one feasible and efficient method for reading large dataframes is to not read them all at once. This leads us to the concept of 'Structurization.' Most datasets can be divided into subsets based on the year, quarter, month, day, or any other criterion. Creating subsets while saving the data according to the datetime column makes it very simple to read and concatenate the required data. Amongst the various ways to create subsets of a dataset, one very efficient way is described below: 1. From the timestamp column in dataframe, create a new column of just the Year (or Month, or Date): df['year'] = df['timestamp'].dt.year df['month'] = df['timestamp'].dt.month df['date'] = df['timestamp'].dt.date 2. Use groupby function on one of the columns that you created above: grouped_df = df.groupby('year') 3. Using for-loop, you can print all of the data-frame groups created and their shape: for name, group in grouped_df: print(str(name)) print(group.shape) 4. To save the subsetted groups as CSV in a folder, use the same for-loop as above and specify the folder path: output_folder_path = "C:\\Users\\ABC\\year_wise_files\\" for name, group in grouped_df: output_file = str(name) + '.csv' output_dir = Path(output_folder_path) output_dir.mkdir(exist_ok=True) group.to_csv(output_dir/output_file)

What is GDPR? The European Union (EU), 20 years ago through the Data Protection Directive 95/46/EC introduced its data protection standard. Since the European Union needs each member state to implement a directive into national law, Europe ended up with a patchwork of different privacy laws across different countries. Additionally, increasing security breaches, rapid technological developments, and globalisation over the last 20 years saw new challenges for the protection of personal information come to the forefront. In order to address this situation, the EU developed the GDPR, which is directly applicable as law across all member states. What is India’s PDPB? India's Personal Data Protection Bill (PDPB) is one of the most comprehensive data privacy laws in the world. The Personal Data Protection Bill (PDPB) will impose obligations on practically all businesses operating in India. PDPB requires businesses to reassess all of the company's data processing practices, policies, and safeguards. Why does GDPR and India’s PDPB matter? With the increase in user-generated data and the exponential industrial value of data, it’s becoming vital that necessary steps are being taken to protect the data rights of the citizens. Data protection regulations ensure the security of individuals’ personal information and regulate the collection, usage, transfer, and disclosure of the said data. They also provide access to data of the individuals and place accountability measures for organisations processing personal data information and supplements it by providing remedies for unauthorised and harmful processing. Privacy laws like the EU’s General Data Protection Regulation (GDPR), and India’s PDPB have changed two things: They acknowledge that devices like smartphones are an intrinsic part of a person’s identity, and hence, any data and information that can be used to profile an individual comes under the ambit of laws; and These laws articulate what is consent and that it should be free, informed, specific, clear, and capable of being withdrawn. How is Com Olho GDPR and India's PDPB compliant? Privacy, security and protection of the customer data are shared responsibilities between the clients and Com Olho. This shared responsibility in the context of the General Data Protection Regulation (GDPR) is defined by two key actors: Data Controller: Determines how personal data information is processed and the purposes for which it's processed. Data Processor: An entity that maintains and processes personal data records only at the controller’s command. India's Personal Data Protection Bill (PDPB) scope is broader than General Data Protection Regulation (GDPR). PDPB regulates the processing of personal data by the state, any citizen of India, or any individual or body incorporated or created under Indian law. Com Olho ensures that the data rights access fulfilment — and automate processes for client’s individual requests. Under India's PDPB, data principles receive certain rights similar to those covered by GDPR. These data rights include: – the right to access data – the right to correction – the right to data portability – the right to erasure – the right to be forgotten Accelerate your path to GDPR and India's PDPB compliance with Com Olho Com Olho is committed to help businesses develop a strategy to achieve GDPR security and India’s PDPB compliance. We give our clients a SaaS advantage by offering service that is designed to be secure at every layer—for their entire business. Managing your business’s data is easier when there is one centralised location you can trust for storing it, instead of it being spread across a range of different storage media and what better source you can trust than your own server. Com Olho stores and maintains the clients data by deploying AI agents on the clients server itself. This reduces the risk of data theft/manipulation and offers simplicity, with a single set of policies and standards for your business processes. Our intelligent and secure service- lightens the load for administrators and users alike, allowing you to focus more on your business. In a constantly changing regulatory landscape, Com Olho can help your organisation address regulatory compliance more efficiently and easily. Businesses all over the world are focusing on ensuring their systems, processes, and policies support GDPR and India’s PDPB guidelines. All their teams continue to be tasked with implementing changes in the way they manage processes, people, and technical controls in order to comply with the legislation. Com Olho welcomes the positive changes the GDPR and India’s PDPB has brought to our services and we remain committed to helping our clients address GDPR and India’s PDPB requirements that are relevant to our services.

When I was looking for an internship, I was looking for a challenge. A place where I could learn a lot, gain real-life experience in order to prepare myself for the corporate world. I came across Com Olho on LinkedIn and I knew that it’s exactly the place I was looking for. I joined Com Olho as the Technical Intern, where I could get to work on the hottest technologies like Cloud & DevOps. My job responsibilities here are diverse. To put it into perspective, there is always an opportunity to dive deep into things and find a unique solution to the problem and I can say that I have groomed myself a lot during this internship, also, I’ve developed a lot of confidence in my skill set. I’m a Edureka Certified DevOps Engineer. I am passionate about ‘Technology’, because technology has the ability to impact lives at a level and scale that has never been realized in the history of mankind. The idea that something I create can impact someone across the world now, or in the future is what drives my passion for technology. I enjoy nothing more than learning the trends that technology is taking in order to work more efficiently and see progress and success. The internship gave me the opportunity to put into practice a lot of disciplines I had previously only studied conceptually. It really has broadened my horizons and given me a better understanding of why we study certain things and their relevance in the industry. I am thankful for having this wonderful opportunity and would like to express my gratitude towards Com Olho team members for helping me learn every day. I cannot wait to explore even more in this company in the future. This internship has been such an amazing journey of learning, sharing, and presenting my knowledge and skills. Connect with me on LinkedIn : Link

As of March 2021, one in three websites on the internet runs on Nginx, according to a web survey by Netcraft. Nginx web server powers high performance applications in a responsive, efficient manner and is useful for load balancing, HTTP caching, mail proxying, and reverse proxying. With the ability to handle 40,000 inactive HTTP connections with just 10Mb of memory, it is the go-to choice for high-traffic sites. This blog will cover the hardening tips to improve your cybersecurity posture. Step 1. Disable Any Unwanted nginx Modules When you install nginx, it automatically includes many modules. Currently, you cannot choose modules at runtime. To disable certain modules, you need to recompile nginx. It’s recommend to disable any modules that are not required as this will minimize the risk of potential attacks by limiting allowed operations. To do this, use the configure option during installation. In the example below, we disable the autoindex module, which generates automatic directory listings, and then recompile nginx. # ./configure --without-http_autoindex_module # make # make install Step 2. Disable nginx server_tokens By default, the server_tokens directive in nginx displays the nginx version number. It is directly visible in all automatically generated error pages but also present in all HTTP responses in the server header. This could lead to information disclosure – an unauthorized user could gain knowledge about the version of nginx that you use. You should disable the server_tokens directivr in the nginx configuration file by setting server_tokens off. Step 3. Control Resources and Limits To prevent potential DoS attacks on nginx, you can set buffer size limitations for all clients. You can do this in the nginx configuration file using the following directives: • client_body_buffer_size – use this directive to specify the client request body buffer size. The default value is 8k or 16k but it is recommended to set this as low as 1k: client_body_buffer_size 1k. • client_header_buffer_size – use this directive to specify the header buffer size for the client request header. A buffer size of 1k is adequate for most requests. • client_max_body_size – use this directive to specify the maximum accepted body size for a client request. A 1k directive should be sufficient but you need to increase it if you are receiving file uploads via the POST method. • large_client_header_buffers – use this directive to specify the maximum number and size of buffers to be used to read large client request headers. A large_client_header_buffers 2 1k directive sets the maximum number of buffers to 2, each with a maximum size of 1k. This directive will accept 2 kB data URI. Step 4. Disable Any Unwanted HTTP methods We suggest that you disable any HTTP methods, which are not going to be utilized and which are not required to be implemented on the web server. If you add the following condition in the location block of the nginx virtual host configuration file, the server will only allow GET, HEAD, and POST methods and will filter out methods such as DELETE and TRACE. location / { limit_except GET HEAD POST { deny all; } } Another approach is to add the following condition to the server section (or server block). It can be regarded as more universal but you should be careful with if statements in the location context. if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; } Step 5. Install ModSecurity for Your nginx Web Server ModSecurity is an open-source module that works as a web application firewall. Its functionalities include filtering, server identity masking, and null-byte attack prevention. The module also lets you perform real-time traffic monitoring. We recommend that you follow the ModSecurity manual to install the mod_security module in order to strengthen your security options. Step 6. Set Up and Configure nginx Access and Error Logs The nginx access and error logs are enabled by default and are located in logs/error.log and logs/access.log respectively. If you want to change the location, you can use the error_log directive in the nginx configuration file. You can also use this directive to specify the logs that will be recorded according to their severity level. For example, a crit severity level will cause nginx to log critical issues and all issues that have a higher severity level than crit. To set the severity level to crit, set the error_log directive as follows: error_log logs/error.log crit; Step 7. Monitor nginx Access and Error Logs If you continuously monitor and manage nginx log files you can better understand requests made to your web server and also notice any encountered errors. This will help you discover any attack attempts as well as identify what can you do to optimize the server performance. You can use log management tools, such as logrotate, to rotate and compress old logs and free up disk space. Also, the ngx_http_stub_status_module module provides access to basic status information. You can also invest in nginx Plus, the commercial version of nginx, which provides real-time activity monitoring of traffic, load, and other performance metrics. Step 8. Configure Nginx to Include Security Headers To additionally harden your nginx web server, you can add several different HTTP headers. Here are some of the options that we recommend. X-Frame-Options You use the X-Frame-Options HTTP response header to indicate if a browser should be allowed to render a page in a or an

As of March 2021, one in three websites on the internet runs on Nginx, according to a web survey by Netcraft. Nginx web server powers high-performance applications in a responsive, efficient manner and is useful for load balancing, HTTP caching, mail proxying, and reverse proxying. With the ability to handle 40,000 inactive HTTP connections with just 10Mb of memory, it is the go-to choice for high-traffic sites. This blog will cover the Common Nginx misconfigurations that leave your web server open to attack. Common Nginx Misconfigurations 1. Passing Uncontrolled Requests to PHP Most Nginx example configs for PHP advocate for passing every URI ending in .php to the PHP interpreter which could result in arbitrary code execution by third parties on most PHP setups. In this example, all requests that the .php file extension will be passed to the FastCGI backend. A default PHP configuration is set so that it attempts to guess the file you want to execute in cases where the full path specified does not lead to a file that exists on the system. Let's say you request for /cyber/security/nginx.php, which does not exist while /cyber / security /nginx.gif actually does exist; the PHP interpreter will process /cyber / security /nginx.gif. If nginx.gif contains embedded PHP code, it will execute. 2. Alias LFI Misconfiguration Inside the Nginx configuration look the "location" statements, if someone looks like: There is a LFI vulnerability because: Transforms to: The correct configuration will be: So, if you find some Nginx server you should check for this vulnerability. Also, you can discover it if you find that the files/directories brute force is behaving weird. 3. Missing Root Location The root directive is positioning in your configuration matters. One of the Nginx configuration pitfalls that administrators are strongly warned against is putting the root directive inside location blocks. If you add root to every location block individually, then an unmatched location block will lack root, which would cause errors. Conversely, failure to put the root directive in a location block would give access to the root folder of the server block. In the above example, the root folder is /etc/nginx/app meaning that files in this folder are available to us. However there is no location for / i.e location / { } but only for /cybersecurity.jpeg. As such, a request like GET ../nginx.conf would show the content of the config file etc/nginx/nginx.conf As such, requests to / will take you to the path specified in the root directive which is globally set. The most common root paths were the following: 4. Using non-standard document root locations Deviating from the standard root document locations laid out in the Filesystem Hierarchy Standard might seem like a fun idea sometimes. That is of course until someone requests for a file they should not be able to access and you end up getting compromised. In the above example, a request for /etc/passwd would reveal your etc/passwd file meaning attackers would have your user list and password hashes and if your Nginx workers run as root, how your passwords have been hashed as well. 5. Unsafe variable use Some frameworks, scripts and Nginx configurations unsafely use the variables stored by Nginx. This can lead to issues such as XSS, bypassing HttpOnly-protection, information disclosure and in some cases even RCE. SCRIPT_NAME With a configuration such as the following: The main issue will be that Nginx will send any URL to the PHP interpreter ending in .php even if the file doesn’t exist on disc. This is a common mistake in many Nginx configurations, as outlined in the “Pitfalls and Common Mistakes” document created by Nginx. An XSS will occur if the PHP-script tries to define a base URL based on SCRIPT_NAME USAGE OF $URI CAN LEAD TO CRLF INJECTION Another misconfiguration related to Nginx variables is to use $uri or $document_uri instead of $request_uri. $uri and $document_uri contain the normalized URI whereas the normalization in Nginx includes URL decoding the URI. Volema found that $uri is commonly used when creating redirects in the Nginx configuration which results in a CRLF injection. An example of a vulnerable Nginx configuration is: The new line characters for HTTP requests are \r (Carriage Return) and \n (Line Feed). URL-encoding the new line characters results in the following representation of the characters %0d%0a. When these characters are included in a request like http://localhost/%0d%0aDetectify:%20clrf to a server with the misconfiguration, the server will respond with a new header named Detectify since the $uri variable contains the URL-decoded new line characters. 6. Raw backend response reading With Nginx’s proxy_pass, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response? If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx won’t understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this: And with the following directives in Nginx: proxy_intercept_errors will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a 500 Error which would be intercepted by Nginx. proxy_hide_header is pretty much self explanatory; it will hide any specified HTTP header from the client. If we send a normal GET request, Nginx will return: But if we send an invalid HTTP request, such as: We will get the following response:

Fresh orders are the delight of every seller. They are what you practically work for and a new order gives your brand the hope it needs. But what if you encounter fake orders? In a brick and mortar store, you must be mindful of those with less than honourable intentions, filling their pockets with your products, and then making off without paying. As an online business, you might think that you are immune from stealing – however the sad reality is that there are lots of people out there who are trying to do the very same thing. Perhaps even more so, given the benefit of committing a crime from a distance. As your business grows bigger and bigger online, fraud should be the one thing that you monitor on an increasingly frequent basis. Fake orders are the ones that have been placed with the intention of defrauding the seller. If left unchecked, fraudulent orders can cost you tens of thousands of dollars or more, easily. Most of the customers in India prefer COD (Cash on Delivery) as a payment mode because they find it much more trustworthy than paying online. This is the reason that criminals place fake orders. Even if your customer is providing you a valid billing address, even then there are high chances of fraudulent orders. That’s why you need to be on top of a few precautions before accepting any order. Here are a few of them: 1.Verify and Contact through Email to Check if the Email Id is Authentic Verify your customer’s email ID. Most fraudulent customers use fake email IDs to place an order. If you email them and they don’t reply, it means it’s a fake order. 2.Call Them to Double Check This is the quickest way to verify someone is who they say. You can call the customer to double-check the information they have provided about themselves. If the number is unavailable, not reachable or the customer seems hesitant to comply with you, it means there is something fishy. 3.Confirm Order Before Shipping it It is always better to get in touch with your customer via phone or email and confirm once they want the order to be delivered. This way you are sure if the order must be shipped or not. Just in case they do not reply you must immediately cancel the order. 4.Delay the shipment Scammers want their operations to be completed as quickly as possible in order to decrease the chances of getting caught. If you delay a shipment deliberately, and tell them as much, it may scare them off. This is an inconvenience to honest shoppers, thus only use it if you have to. 5.Use A Security Software Software ensures a good level of security for your brand. It permits you to impose several layers of security and makes sure that your customer is authentic and has the right intent. Once your customers clear all security steps, it’s safe for you to interact with them and ship their order. The issue of fake orders isn’t only because of Cash on Delivery orders but also on prepaid orders. Here are few ways to find and prevent fake orders online using a credit or a debit card: 1.Verify the CVV code There is a three-digit code on the back of the debit card, and it is a security measure to prevent cases of electronic credit card theft. If the numbers do not match then it’s most likely a case of fraudulent order, and such an order shouldn’t be accepted. 2.Verify the Address via an AVS system Many people ship the product to a set number of addresses like their workplace or their personal home and those addresses are recorded in your account that you have set up with the portal. This system shouldn’t be viewed strictly as its results could be false positive too. Hence, this method should be used as a guideline. Maximum customers in India prefer COD (Cash on Delivery) that makes it very hard for sellers to differentiate between fake and real orders. Although the above steps are useful in avoiding fake orders, you don’t have the time to do all this for each and every order, hence a good start is to develop your instincts. Learn to identify and spot suspicious orders early, and if something seems off to you — even just a little — by all means, don’t ignore it.

We are very familiar with spotting advertisements while playing games on the mobile phone. Also, some games even lure customers to watch some advertisements for some extra points. In-game advertising is a very common form of digital media that has continued to raise with the rise of the programmatic industry. And throughout history there have been people who try to exploit these flows through illicit activities where there is potential for profit. The game developers are usually in no way responsible for this fraudulent activity and probably do not even know about it. What is Mobile Ad fraud? Mobile advertisement fraud is the effort to deceive advertisers, publishers, or delivery partners by abusing cell phone advertising know-hows. The aim of scammers is to steal advertising budgets. Types of mobile phone ad fraud include click spam, click injection, and SDK spoofing. Mobile phone ad fraud can take many forms, from fake impressions, click spam, or fake installs. Fraudulent publishers looking to take advantage of fake impressions can, for example, stick ads in a single pixel or deliberately place an ad out of sight to generate views or impressions that never occurred. Gaming apps are now replacing more conventional forms of entertainment and in-app advertising is widely used. Mobile games have a high level of participation and scammers are attracted because consumers are exposed to the ads for longer. However, the biggest challenge marketers’ face with digital ad fraud is not knowing exactly how big the problem is. And the risk continues to grow. What are some commonly used Mobile Ad fraud indicators? Mobile ad fraud has its own ciphers and signs that can be used to rank and eradicate operators. Inconsistencies in user behaviour, system sensors, and more can be discovered using data obtained from attribution providers. This also helps to recognise activity patterns and highlight conspicuous behaviours. A larger record helps identify fraudulent patterns better and faster. These are some of the indicators: New Device Rate (NDR) is the percentage of new devices that download an application through an advertiser. It is important to monitor NDR activity as this rate is determined by the new measured device IDs. When a different user installs an app or an existing user changes a device, it can be influenced by device ID rearrange fraud tactics. Ad tracking limits give users control over the amount of information advertisers can obtain about the operation of their devices. Scammers use it to cover their plans on their smartphones, but this only applies to Google and iOS advertisers. Click to Install Time (CTIT), as the term suggests, can be used to identify various cases of click-based fraud, such as the user's first advertising interaction or the first time an application is opened. Artificial intelligence helps recognise occurrences that humans cannot track. A fraud recognition resolution in amalgamation with a gigantic mobile attribution list together with machine learning algorithms confirms competent fraud detection. Device Sensors is a biometric behaviour analysis based on hundreds of sensor indicators from the device's battery level to its angle and more. These indicators help create a profile for each facility that analyses the device and user behaviour of each facility and its compatibility with normal trends measured with real users. Conversion rates are the percentage of ad impressions that convert to clicks that generate installs and installs from active users. Knowing an advertiser's expected conversion rates in advance at any point in the customer experience helps prevent fraud. To understand the basics of ad fraud in gaming, we need to first look at why and how advertising is incorporated in gaming: 1. The concept of earning virtual currency: Many games allow users to earn virtual money or credits to purchase in-game items. Some ad technology vendors who are always on the lookout for an attentive audience, have developed a simple media delivery model that takes advantage of this component. Players can easily earn virtual rewards or currency by interacting with paid advertising. 2. The ability of participants to configure game servers Players (and others) who configure their own servers to host these types of games can add plugins, invite others to join, and perform a variety of other game-related tasks. Game - including enabling a rewards offer announcement. 3. The game’s chat functionality A player who wants to see paid ads to redeem rewards will send these messages through chat which forwards a request to the server serving the ad. It was discovered that a bot was being deployed to consume these ads, using actual player IDs that never invoked the required commands. 4. How to combat ad fraud in the gaming industry? To efficiently fight ad fraud, exclusively in the gaming arena, marketers must understand that scammers are smart and always one step ahead of us. They are innovative, creative, and constantly improving their tools. Any form of ad fraud leads to a decrease in digital trust. Timely action is essential to prevent mobile ad fraud and regain trust in the digital community. Therefore, marketers must be armed with an unconventional and chic mobile ad fraud solution and be careful at every step of the customer journey. This will ensure that new and existing fraudulent practices are identified and blocked, and that mobile campaigns generate business results. How Marketers can act? An online marketing campaign of any size requires a strong and stable infrastructure and an adaptive approach to detect and block new and existing fraud methods. Advertisers that rely on re-marketing are at great risk of hijacking. Any marketer's campaign plan must consider this risk. More transparency, analytics, and answerability are essential to tackle mobile ad fraud with a 360-degree security approach, and robust reassignment is essential to detect fraud at all levels. Daily campaign tracking, cost per acquisition (CPA), and the help of a trusted partner can work together to help a marketer identify and protect against the negative effects of cell phone ad fraud. Fraud is based on ROI. The more steps marketers take, the greater the chances of reducing fraudulent attacks.