Researchers from White Ops have detailed what they described as “the largest and widest Connected TV (CTV) related fraud operation to date”. Dubbed ICEBUCKET, at its peak the bot operation impersonated more than 2 million people in over 30 countries.
The ICEBUCKET operation involved cyber crooks using software bots to trick advertisers into thinking there were real viewers watching their ads on the other side of the smart TV screen. Using this tactic, the fraudsters got advertisers to pay for ad impressions that were never actually viewed by a real person.
“The operation counterfeited over 300 different publishers, stealing advertising spend by tricking advertisers into thinking there were real people on the other side of the screen, when in reality, these were bots pretending to be real people watching TV. The operation hid its sophisticated bots within the limited signal and transparency of server side ad insertion (SSAI) backed video ad impressions,” the researchers said.
While it is unclear how much money advertisers have lost to the ICEBUCKET scam, White Ops said that the operation mimicked SSAI servers by generating traffic for fictional edge devices (specifically CTV and mobile devices) into the ad tech ecosystem. To generate that traffic it used more than 1,000 different user-agents (around 500 of which only appeared in this operation), over 300 different appIDs from various publishers, more than 2 million spoofed IP addresses from 30+ countries, with the majority of IP addresses located in the US, and about 1,700 SSAI server IPs located in 9 countries.
In January, 28% of the CTV traffic White Ops observed (some 1.9 billion ad requests per day) came from ICEBUCKET, the researchers said.
To hide their bots, ICEBUCKET operators used a method called server side ad insertion (SSAI), which is designed to create a better end-user ad experience.
“Ads are “stitched” into the fabric of video content so that there aren’t delays or hiccups caused by launching an ad player. SSAI is commonly used for advertising on several “edge” device types, such as CTVs, smart phones, gaming consoles, and others. Delivering video ad content through SSAI offers advertisers many benefits, including user personalization and latency reduction,” the researchers explained.
However, scammers have found a way to spoof edge devices to replicate SSAI services. SSAI spoofing involves fraudsters sending out ad requests from data centers (expected for real SSAI providers) for “spoofed” or faked edge devices. But, rather than show the ads to humans, the fraudsters call the reporting APIs indicating the ad has been “shown”.
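One triage heuristic suggested by the figures above (user-agents that only appeared in this operation, requests sent from servers on behalf of claimed devices), as an added example that is not White Ops' detection method: for each server-side source, count how many of its claimed user-agents never show up on traffic coming directly from devices. The record fields, the availability of a direct-traffic baseline, the thresholds and the sample data are all constructed assumptions.

```python
from collections import defaultdict

def rec(path, server_ip, device_ip, ua):
    # Assumed record shape: "direct" = request came from the device itself,
    # "ssai" = a server sent it on behalf of a claimed device.
    return {"path": path, "server_ip": server_ip, "device_ip": device_ip, "ua": ua}

# Constructed sample data (documentation IP ranges, made-up user-agents).
REQUESTS = [
    rec("direct", None, "198.51.100.10", "TVPlayer/4.1 (ModelA)"),
    rec("direct", None, "198.51.100.11", "TVPlayer/4.2 (ModelB)"),
    rec("direct", None, "198.51.100.12", "StreamBox/2.0"),
    rec("ssai", "203.0.113.5", "198.51.100.20", "TVPlayer/4.1 (ModelA)"),
    rec("ssai", "203.0.113.5", "198.51.100.21", "TVPlayer/4.2 (ModelB)"),
    rec("ssai", "203.0.113.5", "198.51.100.22", "StreamBox/2.0"),
    rec("ssai", "203.0.113.77", "198.51.100.30", "TVPlayer/4.1 (ModelA)"),
    rec("ssai", "203.0.113.77", "198.51.100.31", "TVPlayr/9.9"),
    rec("ssai", "203.0.113.77", "198.51.100.32", "CTV-Box/0.1"),
    rec("ssai", "203.0.113.77", "198.51.100.33", "SmartScreen/7"),
    rec("ssai", "203.0.113.9", "198.51.100.40", "NewDevice/1.0"),
]

def server_profiles(requests):
    """Per server IP: distinct claimed UAs, how many are never seen on
    direct traffic, and distinct claimed device IPs."""
    direct_uas = {r["ua"] for r in requests if r["path"] == "direct"}
    uas, devices = defaultdict(set), defaultdict(set)
    for r in requests:
        if r["path"] == "ssai":
            uas[r["server_ip"]].add(r["ua"])
            devices[r["server_ip"]].add(r["device_ip"])
    return {ip: {"uas": len(u), "exclusive_uas": len(u - direct_uas),
                 "device_ips": len(devices[ip])} for ip, u in uas.items()}

def flag_servers(requests, min_uas=3, max_exclusive_share=0.5):
    """Server IPs whose claimed user-agents are mostly unseen elsewhere.
    min_uas avoids flagging a source on one new device model (assumed tuning)."""
    flagged = []
    for ip, p in server_profiles(requests).items():
        if p["uas"] >= min_uas and p["exclusive_uas"] / p["uas"] > max_exclusive_share:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    for ip, p in sorted(server_profiles(REQUESTS).items()):
        print(ip, p)
    print("review:", flag_servers(REQUESTS))
```

A flagged source is a candidate for review, not proof of fraud: a legitimate SSAI provider serving a newly launched device family would also show unfamiliar user-agents for a while.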
“ICEBUCKET is an ongoing operation. The volumes have not gone down to zero. Since CTV and SSAI spoofing are currently lucrative options for our adversaries due to the high [ad rates] on CTV consumers, we expect to see similar operations start, or that existing operations may shift from web and mobile toward CTV traffic,” White Ops researchers concluded.