Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/16/2020
04:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Massive Bot-Enabled Ad Fraud Campaign Targeted Connected TVs

ICEBUCKET operation is the largest ever to attempt to steal from advertisers by using bots to impersonate human smart-TV viewers, White Ops says.

Researchers at White Ops have uncovered what they described this week as the largest-ever ad fraud operation to date associated with connected TVs (CTVs).

The so-called ICEBUCKET operation basically involved scammers using software bots to trick advertisers into thinking there were real people watching their ads on the other side of the smart TV screen. By using bots to impersonate human beings, the scammers fraudulently got advertisers to pay for ad impressions that were never actually viewed by a real person.

Michael Moran, a member of the detection team at White Ops, says it's unclear how much money advertisers might have lost to the ICEBUCKET scam. But at its peak, the bot operation impersonated more than 2 million people from over 30 countries. Some 99% of the spoofed IPs used in the campaign are located in the US, White Ops said.

At one point nearly 28% of the CTV traffic that White Ops has visibility into in January — or some 1.9 billion ad requests per day — came from ICEBUCKET. The operation is still ongoing but at a substantially lower volume compared to January.

One reason why ICEBUCKET has been so successful is because it uses an ad insertion method called server side ad insertion (SSAI) to hide its bots, White Ops said.

"SSAI is a method to include video advertisements within a video content stream," Moran says. Unlike client-side ad insertion where ads are inserted by the actual device that is being used to watch a video, with SSAI a server within a data center inserts ads into the video stream and delivers it to the edge device.

Typically advertisers target audiences based on factors like location, time of day, estimated income, and their likelihood of buying their product. Advertisers consider CTVs to be premium inventory because of a higher likelihood of their ads actually being viewed, Moran says.

"SSAI is a more opaque part of the ad ecosystem, since the server is acting on behalf of the edge devices and many verification tags will run on the server instead of the edge device," Moran notes. With the ICEBUCKET operation, the attackers used some 1,700 intermediate SSAI servers under their control to send ads to fake and spoofed CTVs. The attackers also copied certain standards used to identify SSAI traffic to make it appear more legitimate, he says.

ICEBUCKET used virtual private servers within various data centers that appeared to be located on a small number of network segments in nine countries. "We postulate that they either purchased access to those servers or used lower security on those servers to insert their own code on the servers to run," Moran says.

In its report on the operation, White Ops theorized that the ICEBUCKET attackers used those particular networks either because they were cheap, the network operators had lax security standards, or large number of systems hosted on those segments were vulnerable to attack.

According to the vendor, the operators of the ICEBUCKET scam also appeared to be making some extra revenue by delivering ad-fraud-as-a-service to many application publishers. "We've observed cases where such publishers are mixing up organic and ICEBUCKET traffic in what seems to be early signs of traffic sourcing schemes for CTV traffic," White Ops said in its report.

Opaque Supply Chain
It's hard to say who exactly is making money from such fraud, Moran notes. Within an ad request are parameters that specify which companies are involved in the actual transaction. This can include the ad exchange, the publisher ID, and the app ID itself. The parameters can help identify which companies are making money off fraudulent ad requests, he says.

"[But] this supply chain is somewhat opaque, which is why we are advocating for stronger adoption of standards such that will provide clarity and transparency into who is making money across the ecosystem," he notes.

Digital ad fraud continues to cost advertisers billions of dollars annually. A large portion of the fraud is being enabled through the use of bots and botnets to impersonate human actions, such as clicking on an ad to boost page views. A study last year by White Ops and the Association of National Advertisers (ANA) found that fraud attempts accounted for up to 35% of all ad impressions annually.

However, as high as the fraud numbers are, they are declining. White Ops and ANA found that new bot detection technologies and a higher overall awareness of ad fraud tactics had resulted in digital ad fraud dropping from $6.5 billion in 2017 to $5.8 billion between 2018 and 2019.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Which InfoSec Jobs Will Best Survive a Recession?"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13768
PUBLISHED: 2020-06-04
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
CVE-2020-13849
PUBLISHED: 2020-06-04
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
CVE-2020-13848
PUBLISHED: 2020-06-04
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2020-11682
PUBLISHED: 2020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request ...
CVE-2020-12847
PUBLISHED: 2020-06-04
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console� that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the applicat...