Connect with us

Hi, what are you looking for?



Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic

A Connected TV (CTV) ad fraud operation managed to generate as much as 28% of the CTV traffic observed in January 2020 by White Ops, a company that specializes in bot fraud protection.

A Connected TV (CTV) ad fraud operation managed to generate as much as 28% of the CTV traffic observed in January 2020 by White Ops, a company that specializes in bot fraud protection.

Referred to as Icebucket, the operation was highly successful until discovered, at its peak impersonating roughly 2 million users in more than 30 countries. It also counterfeited more than 300 different publishers, the researchers say.

The bots involved in the attacks were hidden “within the limited signal and transparency of server side ad insertion (SSAI) backed video ad impressions,” White Ops says.

Icebucket, the company says, is the largest case of SSAI spoofing observed to date, in January accounting for 28% of the programmatic CTV traffic that White Ops has visibility into. This translates into around 1.9 billion ad requests per day.

White Ops discovered that “66% of programmatic CTV-related SSAI traffic and 15% of programmatic mobile-related SSAI traffic” was part of this operation in January 2020.

The threat actors behind the attacks were able to generate traffic for fictional edge devices using over 1,000 different user-agents, more than 300 different appIDs from various publishers, at least 2 million spoofed IP addresses (99% located in the United States), and roughly 1,700 SSAI server IPs located in 9 countries generating the traffic.

The operation sent requests for ads to be inserted into video content for CTV and mobile devices, although the devices and viewers did not exist. The employed user-agents are for obsolete device types no longer used, or devices that never existed in the first place.

The ad requests originated from a small set of Autonomous System Numbers (ASNs), likely because the adversaries were convinced they would not be caught. However, the researchers also observed non- Icebucket traffic coming from these ASNs as well.

Advertisement. Scroll to continue reading.

“The ICEBUCKET operation is unique in that a subset of the traffic is being generated to benefit app publishers directly through direct deals. We’ve observed cases where such publishers are mixing up organic and ICEBUCKET traffic in what seems to be early signs of traffic sourcing schemes for CTV traffic,” the researchers explain.

The behavior was likely meant to create noise and hide the operation, as well as to increase the value of the traffic, thus increasing revenue for the attackers.

Icebucket remains an ongoing operation, as the volume of traffic associated with it hasn’t been reduced to zero yet, White Ops reveals.

Related: Malicious Optimizers Hosted on Google Play Amassed 470,000 Downloads

Related: Malware Framework Gathers 1 Billion Ad Impressions in 3 Months

Related: Google Blocks New Ad Fraud Scheme

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.