User risk factors

How NS8 classifies users by risk type.

These are the factors used to determine the suspicion level of a user. Although a user may have more than one risk factor associated with their behavior, NS8 will often refer to the primary risk factor of a user. The primary risk factor carries the greatest weight out of all the factors linked to that user.

Risk Factor


Why is this a Risk?


No user risk was associated with the session.


The user’s IP address is originating from a colocation data center. Data centers are shared computing systems that lease space to remote customers. NS8 maintains a database of data center IP address ranges.

Colocation presents a risk because data centers are a favored location of bot networks. Traffic originating from a data center is more likely to be a bot than human, as data centers are secured locations where humans are typically not allowed access. For example, a session coming from an Amazon Web Services data center address block is unlikely to be a valid human user.

Public Proxy

A proxy server acts as a substitute, or hub, for a user’s internet traffic. They are commonly used to anonymize a user or hide their identity. Proxy servers are also commonly referred to as VPN services.

Proxy servers are often used to obfuscate a user’s location or identity. This makes it difficult to differentiate fraudsters from legitimate traffic. It is not a common practice for consumers to use a proxy service to mask their identity.


TOR, short for The Onion Router, is a protocol developed to anonymize web traffic and protect a user’s identity. Legitimate users include whistleblowers, law enforcement, and users in censored countries.

Fraudsters can use TOR to conceal their location and usage information from anyone conducting network surveillance or traffic analysis. Most consumers do not normally try to hide their identity with TOR, making its use suspicious in ecommerce.


Traffic originating from a university network carries a higher risk of fraud than other internet traffic.

Networks at universities have large user pools with constantly-changing information, making them a preferred hiding place of fraudsters. Also, universities historically have higher rates of transaction fraud.

Publisher Collusion

This is the same IP address showing up on several sites that are owned by the same publisher, at a frequency beyond normal human activity.

Publishers that buy bot traffic will spread the traffic across an array of websites.

Fast Click

By measuring the speed between clicks on a website, non-human traffic can be detected.

Because bots are computer programs that perform repeatable actions, precise repetition of activity is an indication of non-human traffic. A human user will have variations in click timing and patterns and not act with inhuman precision.

User ID Rotation

When the same IP address is used for multiple sessions with varying user IDs.

The normal relationship between a user’s IP address and an ecommerce account are one to one. While occasionally a consumer may have multiple IPs, a significant quantity is a fraud indicator.

User Agent Rotation

The User Agent String for traffic coming from the same IP address changing from session to session.

As new sessions are initiated, bots will use rotating details (like browser type or operating system) to try to pass as legitimate human traffic. However, it’s highly unlikely that a real user’s IP address will have continually-changing user agent details, since real people tend to use the same devices regularly.

Note: This can happen when users are behind a large organization's proxy. Therefore, it must be an abnormally high session count to qualify as suspicious.

Keyword Collusion

Unusually large amounts of matching keyword referrals with similar identifiers, such as IP Address or destination.

Keyword patterns associated with large amounts of traffic are key indicators of click farms and bot traffic.

Known Bot

NS8 maintains a database of known bot traffic sources.

Known sources of bots are most likely to be sources of bot traffic in the future.

Spoofed User Agent

The User Agent String is identified as being fraudulent. NS8 can detect characteristics of a user and compare them to the browser's user agent string.

If the user agent string is faked, the likelihood of traffic driven by a fraudulent user is high. The technical lift and lack of benefits for a legitimate users makes it unlikely that a real user will modify the user agent string.


Browsers report the viewability of a session or advertisement. Unviewable sessions will be minimized, briefly visible, or possibly originate from a headless browser.

Real traffic requires the ability to view a webpage to navigate the site, view ads, and make purchases. If the session is unviewable, the traffic is likely from a bot.

Cookie Rotation

To avoid detection fake traffic will rotate referrer cookies to appear human.

Because the same I.P. address, or other identifier, is recorded with multiple cookies a high level of suspicion is assigned because the normal relationship between user and cookie would be one to one.

Click Count

By measuring the quantity of clicks in a session, non-human traffic can be detected. A variance from normal human activity will indicate the user is a bot.

If actions are performed by a script, the number of clicks can be extremely low (by avoiding clicks with code) or extremely high (if the bot navigates poorly). Either of these can indicate suspicious activity.

Invalid Search

When users begin a session with a website, details regarding how traffic found the website are transmitted to the website. Published structures of this data are provided by search engines like Google, making it difficult to accurately fake search data. This traffic can also be made up of referrals from an inactive search engine, like

When the search details of a visitor origins are wrong, the traffic can be identified as invalid.

Blacklisted Referrer

NS8 maintains a blacklist of traffic referrers that are known sources of bad traffic, like bot and click farms.

Traffic from known bad reference sources is considered invalid.

Spam Bot

Bots that crawl websites to steal information to add to spam lists, like email addresses or phone numbers.

Spam Bots serve no purpose other than to steal information to add to spam lists.