A Connected TV (CTV) ad fraud operation managed to generate as much as 28% of the CTV traffic observed in January 2020 by White Ops, a company that specializes in bot fraud protection.
Referred to as Icebucket, the operation was highly successful until discovered, at its peak impersonating roughly 2 million users in more than 30 countries. It also counterfeited more than 300 different publishers, the researchers say.
The bots involved in the attacks were hidden “within the limited signal and transparency of server side ad insertion (SSAI) backed video ad impressions,” White Ops says.
Icebucket, the company says, is the largest case of SSAI spoofing observed to date, in January accounting for 28% of the programmatic CTV traffic that White Ops has visibility into. This translates into around 1.9 billion ad requests per day.
White Ops discovered that “66% of programmatic CTV-related SSAI traffic and 15% of programmatic mobile-related SSAI traffic” was part of this operation in January 2020.
The threat actors behind the attacks were able to generate traffic for fictional edge devices using over 1,000 different user-agents, more than 300 different appIDs from various publishers, at least 2 million spoofed IP addresses (99% located in the United States), and roughly 1,700 SSAI server IPs located in 9 countries generating the traffic.
The operation sent requests for ads to be inserted into video content for CTV and mobile devices, although the devices and viewers did not exist. The employed user-agents are for obsolete device types no longer used, or devices that never existed in the first place.
The ad requests originated from a small set of Autonomous System Numbers (ASNs), likely because the adversaries were convinced they would not be caught. However, the researchers also observed non- Icebucket traffic coming from these ASNs as well.
“The ICEBUCKET operation is unique in that a subset of the traffic is being generated to benefit app publishers directly through direct deals. We’ve observed cases where such publishers are mixing up organic and ICEBUCKET traffic in what seems to be early signs of traffic sourcing schemes for CTV traffic,” the researchers explain.
The behavior was likely meant to create noise and hide the operation, as well as to increase the value of the traffic, thus increasing revenue for the attackers.
Icebucket remains an ongoing operation, as the volume of traffic associated with it hasn’t been reduced to zero yet, White Ops reveals.
Related: Malicious Optimizers Hosted on Google Play Amassed 470,000 Downloads
Related: Malware Framework Gathers 1 Billion Ad Impressions in 3 Months
Related: Google Blocks New Ad Fraud Scheme