Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/16/2020
04:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Massive Bot-Enabled Ad Fraud Campaign Targeted Connected TVs

ICEBUCKET operation is the largest ever to attempt to steal from advertisers by using bots to impersonate human smart-TV viewers, White Ops says.

Researchers at White Ops have uncovered what they described this week as the largest-ever ad fraud operation to date associated with connected TVs (CTVs).

The so-called ICEBUCKET operation basically involved scammers using software bots to trick advertisers into thinking there were real people watching their ads on the other side of the smart TV screen. By using bots to impersonate human beings, the scammers fraudulently got advertisers to pay for ad impressions that were never actually viewed by a real person.

Michael Moran, a member of the detection team at White Ops, says it's unclear how much money advertisers might have lost to the ICEBUCKET scam. But at its peak, the bot operation impersonated more than 2 million people from over 30 countries. Some 99% of the spoofed IPs used in the campaign are located in the US, White Ops said.

At one point nearly 28% of the CTV traffic that White Ops has visibility into in January — or some 1.9 billion ad requests per day — came from ICEBUCKET. The operation is still ongoing but at a substantially lower volume compared to January.

One reason why ICEBUCKET has been so successful is because it uses an ad insertion method called server side ad insertion (SSAI) to hide its bots, White Ops said.

"SSAI is a method to include video advertisements within a video content stream," Moran says. Unlike client-side ad insertion where ads are inserted by the actual device that is being used to watch a video, with SSAI a server within a data center inserts ads into the video stream and delivers it to the edge device.

Typically advertisers target audiences based on factors like location, time of day, estimated income, and their likelihood of buying their product. Advertisers consider CTVs to be premium inventory because of a higher likelihood of their ads actually being viewed, Moran says.

"SSAI is a more opaque part of the ad ecosystem, since the server is acting on behalf of the edge devices and many verification tags will run on the server instead of the edge device," Moran notes. With the ICEBUCKET operation, the attackers used some 1,700 intermediate SSAI servers under their control to send ads to fake and spoofed CTVs. The attackers also copied certain standards used to identify SSAI traffic to make it appear more legitimate, he says.

ICEBUCKET used virtual private servers within various data centers that appeared to be located on a small number of network segments in nine countries. "We postulate that they either purchased access to those servers or used lower security on those servers to insert their own code on the servers to run," Moran says.

In its report on the operation, White Ops theorized that the ICEBUCKET attackers used those particular networks either because they were cheap, the network operators had lax security standards, or large number of systems hosted on those segments were vulnerable to attack.

According to the vendor, the operators of the ICEBUCKET scam also appeared to be making some extra revenue by delivering ad-fraud-as-a-service to many application publishers. "We've observed cases where such publishers are mixing up organic and ICEBUCKET traffic in what seems to be early signs of traffic sourcing schemes for CTV traffic," White Ops said in its report.

Opaque Supply Chain
It's hard to say who exactly is making money from such fraud, Moran notes. Within an ad request are parameters that specify which companies are involved in the actual transaction. This can include the ad exchange, the publisher ID, and the app ID itself. The parameters can help identify which companies are making money off fraudulent ad requests, he says.

"[But] this supply chain is somewhat opaque, which is why we are advocating for stronger adoption of standards such that will provide clarity and transparency into who is making money across the ecosystem," he notes.

Digital ad fraud continues to cost advertisers billions of dollars annually. A large portion of the fraud is being enabled through the use of bots and botnets to impersonate human actions, such as clicking on an ad to boost page views. A study last year by White Ops and the Association of National Advertisers (ANA) found that fraud attempts accounted for up to 35% of all ad impressions annually.

However, as high as the fraud numbers are, they are declining. White Ops and ANA found that new bot detection technologies and a higher overall awareness of ad fraud tactics had resulted in digital ad fraud dropping from $6.5 billion in 2017 to $5.8 billion between 2018 and 2019.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Which InfoSec Jobs Will Best Survive a Recession?"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
ErickDune
50%
50%
ErickDune,
User Rank: Strategist
6/24/2020 | 3:43:47 AM
Educated
Oh my God! Every time these useless hackers try to make such kinds of programs or ads to hack the entire server of any firm or things like that. I am very aware of these things as I've experienced many bad things in the past. Anyways thanks for telling about edubirdie to the World that what these kinds of mistakes lead to, but I might think that this is the work of a hacker.
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVE-2021-27365
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...
CVE-2021-27363
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system...