Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

4/16/2020
04:55 PM
Massive Bot-Enabled Ad Fraud Campaign Targeted Connected TVs

ICEBUCKET operation is the largest ever to attempt to steal from advertisers by using bots to impersonate human smart-TV viewers, White Ops says.

Researchers at White Ops have uncovered what they described this week as the largest ad fraud operation to date associated with connected TVs (CTVs).

The so-called ICEBUCKET operation basically involved scammers using software bots to trick advertisers into thinking there were real people watching their ads on the other side of the smart TV screen. By using bots to impersonate human beings, the scammers fraudulently got advertisers to pay for ad impressions that were never actually viewed by a real person.

Michael Moran, a member of the detection team at White Ops, says it's unclear how much money advertisers might have lost to the ICEBUCKET scam. But at its peak, the bot operation impersonated more than 2 million people from over 30 countries. Some 99% of the spoofed IPs used in the campaign are located in the US, White Ops said.

At one point nearly 28% of the CTV traffic that White Ops has visibility into in January — or some 1.9 billion ad requests per day — came from ICEBUCKET. The operation is still ongoing but at a substantially lower volume compared to January.

One reason ICEBUCKET has been so successful is that it uses an ad insertion method called server-side ad insertion (SSAI) to hide its bots, White Ops said.

"SSAI is a method to include video advertisements within a video content stream," Moran says. Unlike client-side ad insertion where ads are inserted by the actual device that is being used to watch a video, with SSAI a server within a data center inserts ads into the video stream and delivers it to the edge device.

Typically advertisers target audiences based on factors like location, time of day, estimated income, and their likelihood of buying their product. Advertisers consider CTVs to be premium inventory because of a higher likelihood of their ads actually being viewed, Moran says.

"SSAI is a more opaque part of the ad ecosystem, since the server is acting on behalf of the edge devices and many verification tags will run on the server instead of the edge device," Moran notes. With the ICEBUCKET operation, the attackers used some 1,700 intermediate SSAI servers under their control to send ads to fake and spoofed CTVs. The attackers also copied certain standards used to identify SSAI traffic to make it appear more legitimate, he says.

ICEBUCKET used virtual private servers within various data centers that appeared to be located on a small number of network segments in nine countries. "We postulate that they either purchased access to those servers or used lower security on those servers to insert their own code on the servers to run," Moran says.
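The SSAI relay described above is also where a defender can look: a server that legitimately stitches ads for a few households forwards many requests from few viewers, whereas a bot relay presents a fresh "viewer" on nearly every request. The following Python is an added example, not White Ops' detection code; its log fields, relay addresses and the 0.5 ratio threshold are constructed for the demonstration.

```python
"""Score SSAI relay servers by how many distinct viewer identities they forward.
Added example, not White Ops' code; all log fields, IPs and thresholds are constructed."""
from collections import defaultdict


def build_sample_requests():
    """Constructed ad-request log seen at an exchange: one honest relay, one bot relay.
    relay      = SSAI server that contacted the exchange
    claimed_ip = viewer address the relay asserted on behalf of the CTV
    device     = CTV identifier the relay asserted"""
    reqs = []
    # Honest relay (constructed): three households watching repeatedly,
    # so many requests but only three distinct viewer identities.
    for i in range(30):
        h = i % 3
        reqs.append({"relay": "203.0.113.10", "claimed_ip": f"198.51.100.{20 + h}",
                     "device": f"ctv-home-{h}", "app_id": "news-app"})
    # Bot relay (constructed): every request presents a brand-new spoofed viewer,
    # the pattern of a relay impersonating a large audience.
    for i in range(30):
        reqs.append({"relay": "192.0.2.7", "claimed_ip": f"198.51.100.{100 + i}",
                     "device": f"ctv-spoof-{i}", "app_id": "news-app"})
    return reqs


def score_relays(requests, min_requests=20):
    """Per relay: request count, distinct (claimed_ip, device) pairs, and their ratio."""
    per_relay = defaultdict(lambda: {"requests": 0, "viewers": set()})
    for r in requests:
        s = per_relay[r["relay"]]
        s["requests"] += 1
        s["viewers"].add((r["claimed_ip"], r["device"]))
    scores = {}
    for relay, s in per_relay.items():
        if s["requests"] < min_requests:
            continue  # too little traffic to judge this relay
        scores[relay] = {"requests": s["requests"],
                         "distinct_viewers": len(s["viewers"]),
                         "viewer_ratio": len(s["viewers"]) / s["requests"]}
    return scores


def flag_suspicious(scores, max_ratio=0.5):
    """Relays whose distinct-viewer ratio is implausibly high for a household-serving relay."""
    return sorted(relay for relay, s in scores.items() if s["viewer_ratio"] > max_ratio)


if __name__ == "__main__":
    scores = score_relays(build_sample_requests())
    for relay, s in scores.items():
        print(relay, s)
    print("suspicious relays:", flag_suspicious(scores))
```

In production the same grouping would run per app_id and publisher ID as well, since the article notes publishers mixing ICEBUCKET traffic into organic inventory.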

In its report on the operation, White Ops theorized that the ICEBUCKET attackers used those particular networks either because they were cheap, the network operators had lax security standards, or a large number of systems hosted on those segments were vulnerable to attack.

According to the vendor, the operators of the ICEBUCKET scam also appeared to be making some extra revenue by delivering ad-fraud-as-a-service to many application publishers. "We've observed cases where such publishers are mixing up organic and ICEBUCKET traffic in what seems to be early signs of traffic sourcing schemes for CTV traffic," White Ops said in its report.

Opaque Supply Chain
It's hard to say who exactly is making money from such fraud, Moran notes. Within an ad request are parameters that specify which companies are involved in the actual transaction. This can include the ad exchange, the publisher ID, and the app ID itself. The parameters can help identify which companies are making money off fraudulent ad requests, he says.

"[But] this supply chain is somewhat opaque, which is why we are advocating for stronger adoption of standards that will provide clarity and transparency into who is making money across the ecosystem," he notes.

Digital ad fraud continues to cost advertisers billions of dollars annually. A large portion of the fraud is being enabled through the use of bots and botnets to impersonate human actions, such as clicking on an ad to boost page views. A study last year by White Ops and the Association of National Advertisers (ANA) found that fraud attempts accounted for up to 35% of all ad impressions annually.

However, as high as the fraud numbers are, they are declining. White Ops and ANA found that new bot detection technologies and a higher overall awareness of ad fraud tactics had resulted in digital ad fraud dropping from $6.5 billion in 2017 to $5.8 billion between 2018 and 2019.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments

ErickDune, User Rank: Strategist, 6/24/2020 | 3:43:47 AM
Educated
Oh my God! Every time these useless hackers try to make such kinds of programs or ads to hack the entire server of any firm or things like that. I am very aware of these things as I've experienced many bad things in the past. Anyway, thanks for telling the world about edubirdie and what these kinds of mistakes lead to, but I might think that this is the work of a hacker.