Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic

A Connected TV (CTV) ad fraud operation managed to generate as much as 28% of the CTV traffic observed in January 2020 by White Ops, a company that specializes in bot fraud protection.

Referred to as Icebucket, the operation was highly successful until discovered, at its peak impersonating roughly 2 million users in more than 30 countries. It also counterfeited more than 300 different publishers, the researchers say.

The bots involved in the attacks were hidden “within the limited signal and transparency of server side ad insertion (SSAI) backed video ad impressions,” White Ops says.

Icebucket, the company says, is the largest case of SSAI spoofing observed to date, in January accounting for 28% of the programmatic CTV traffic that White Ops has visibility into. This translates into around 1.9 billion ad requests per day.

White Ops discovered that “66% of programmatic CTV-related SSAI traffic and 15% of programmatic mobile-related SSAI traffic” was part of this operation in January 2020.

The threat actors behind the attacks were able to generate traffic for fictional edge devices using over 1,000 different user-agents, more than 300 different appIDs from various publishers, at least 2 million spoofed IP addresses (99% located in the United States), and roughly 1,700 SSAI server IPs located in 9 countries generating the traffic.

The operation sent requests for ads to be inserted into video content for CTV and mobile devices, although the devices and viewers did not exist. The user-agents employed are for obsolete device types that are no longer used, or for devices that never existed in the first place.

The ad requests originated from a small set of Autonomous System Numbers (ASNs), likely because the adversaries were convinced they would not be caught. However, the researchers also observed non-Icebucket traffic coming from these ASNs.

“The ICEBUCKET operation is unique in that a subset of the traffic is being generated to benefit app publishers directly through direct deals. We’ve observed cases where such publishers are mixing up organic and ICEBUCKET traffic in what seems to be early signs of traffic sourcing schemes for CTV traffic,” the researchers explain.

The behavior was likely meant to create noise and hide the operation, as well as to increase the value of the traffic, thus increasing revenue for the attackers.

Icebucket remains an ongoing operation, as the volume of traffic associated with it hasn’t been reduced to zero yet, White Ops reveals.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
