Massive Bot-Enabled Ad Fraud Campaign Targeted Connected TVs

ICEBUCKET operation is the largest ever to attempt to steal from advertisers by using bots to impersonate human smart-TV viewers, White Ops says.

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Researchers at White Ops have uncovered what they described this week as the largest-ever ad fraud operation to date associated with connected TVs (CTVs).

The so-called ICEBUCKET operation basically involved scammers using software bots to trick advertisers into thinking there were real people watching their ads on the other side of the smart TV screen. By using bots to impersonate human beings, the scammers fraudulently got advertisers to pay for ad impressions that were never actually viewed by a real person.

Michael Moran, a member of the detection team at White Ops, says it's unclear how much money advertisers might have lost to the ICEBUCKET scam. But at its peak, the bot operation impersonated more than 2 million people from over 30 countries. Some 99% of the spoofed IPs used in the campaign are located in the US, White Ops said.

At one point nearly 28% of the CTV traffic that White Ops has visibility into in January — or some 1.9 billion ad requests per day — came from ICEBUCKET. The operation is still ongoing but at a substantially lower volume compared to January.

One reason why ICEBUCKET has been so successful is because it uses an ad insertion method called server side ad insertion (SSAI) to hide its bots, White Ops said.

"SSAI is a method to include video advertisements within a video content stream," Moran says. Unlike client-side ad insertion where ads are inserted by the actual device that is being used to watch a video, with SSAI a server within a data center inserts ads into the video stream and delivers it to the edge device.

Typically advertisers target audiences based on factors like location, time of day, estimated income, and their likelihood of buying their product. Advertisers consider CTVs to be premium inventory because of a higher likelihood of their ads actually being viewed, Moran says.

"SSAI is a more opaque part of the ad ecosystem, since the server is acting on behalf of the edge devices and many verification tags will run on the server instead of the edge device," Moran notes. With the ICEBUCKET operation, the attackers used some 1,700 intermediate SSAI servers under their control to send ads to fake and spoofed CTVs. The attackers also copied certain standards used to identify SSAI traffic to make it appear more legitimate, he says.

ICEBUCKET used virtual private servers within various data centers that appeared to be located on a small number of network segments in nine countries. "We postulate that they either purchased access to those servers or used lower security on those servers to insert their own code on the servers to run," Moran says.

In its report on the operation, White Ops theorized that the ICEBUCKET attackers used those particular networks either because they were cheap, the network operators had lax security standards, or large number of systems hosted on those segments were vulnerable to attack.

According to the vendor, the operators of the ICEBUCKET scam also appeared to be making some extra revenue by delivering ad-fraud-as-a-service to many application publishers. "We've observed cases where such publishers are mixing up organic and ICEBUCKET traffic in what seems to be early signs of traffic sourcing schemes for CTV traffic," White Ops said in its report.

Opaque Supply Chain
It's hard to say who exactly is making money from such fraud, Moran notes. Within an ad request are parameters that specify which companies are involved in the actual transaction. This can include the ad exchange, the publisher ID, and the app ID itself. The parameters can help identify which companies are making money off fraudulent ad requests, he says.

"[But] this supply chain is somewhat opaque, which is why we are advocating for stronger adoption of standards such that will provide clarity and transparency into who is making money across the ecosystem," he notes.

Digital ad fraud continues to cost advertisers billions of dollars annually. A large portion of the fraud is being enabled through the use of bots and botnets to impersonate human actions, such as clicking on an ad to boost page views. A study last year by White Ops and the Association of National Advertisers (ANA) found that fraud attempts accounted for up to 35% of all ad impressions annually.

However, as high as the fraud numbers are, they are declining. White Ops and ANA found that new bot detection technologies and a higher overall awareness of ad fraud tactics had resulted in digital ad fraud dropping from $6.5 billion in 2017 to $5.8 billion between 2018 and 2019.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Which InfoSec Jobs Will Best Survive a Recession?"

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights