Cloud Hosting

Researchers have uncovered the biggest connected-TV (CTV) ad fraud operation theyve ever seen, fueled with fake ad views seen by bogus eyeballs that actually belonged to a bot network they named ICEBUCKET.

Bot-mitigation security firm White Ops said on Thursday that at its peak January 2020 the ICEBUCKET bot operation impersonated more than 2 million people in over 30 countries.

ICEBUCKET also cooked up 300 publishers out of thin air, then stole advertising dollars by tricking advertisers into thinking there were real people on the other side of the screen. Those were no humans: they were all bots, working to exploit the limited transparency of whats known as the server-side ad insertion (SSAI) platform for measuring video ad impressions.

With SSAI, ads are stitched into the fabric of video content so there are no delays or hiccups caused by launching an ad player. Its commonly used for advertising on several edge devices, such as CTVs, smart phones, gaming consoles and set-top boxes like Roku.

Besides the reduction in latency, advertisers benefit from the ability to target-market. Like plenty of Internet of Things (IoT) gadgets, TV streamed through the internet brings the ability to discern quite a lot about whos viewing it, enabling advertisers to target exactly the type of viewer they think is likely to buy whatever it is theyre selling.

But as White Ops tells it, SSAI is still in its infancy. The firm can see the fraudsters as they discover holes in the system and worm their way through. In the case of ICEBUCKET, theyve done it by spoofing edge devices to make them look like SSAI services.

Theyre sending out ad requests from data centers for those spoofed edge devices. Requests coming from data centers arent remarkable: thats how real SSAI providers do it. But rather than show ads to live humans, the fraudsters are simply calling the reporting APIs to indicate that the ad has been shown.

Theres not a lot of information available to advertisers in an SSAI environment. Its often limited to the device user-agent and IP address. Falsifying information in the HTTP headers is relatively simple, White Ops says. But what makes ICEBUCKET a sophisticated bot attack is the nuance of how its faking those headers.

The end result: advertisers are paying good money for humans to view their ads and, mind you, those are pricey ads to buy, given that targeted marketing going to very specific demographics of humans fetches premium ad dollars but theyre actually playing to home theaters devoid of actual audiences, White Ops says:

The ads that are served either never see the light of day or are never viewed by a human. An audience of sophisticated bots is really just an empty audience.

Using custom code and including standard HTTP headers, ICEBUCKET presented its traffic as coming from a legitimate SSAI provider for a variety of devices and apps. ICEBUCKET assembled requests for ads to be inserted into video content for viewers using CTV and mobile devices, but none of those devices or viewersactually exist. The operation largely used obsolete devices to pose as user-agents: ones that arent used much anymore or that never even existed in the first place.

White Ops says that the IP addresses look to have been algorithmically generated to mimic desirable audiences in other words, the audiences that advertisers pay top dollar to target ads at.

White Ops says that ICEBUCKET is the biggest SSAI spoofing operation thats ever been discovered. Near its peak in January, it accounted for nearly 28% of all programmatic CTV traffic that the firm could see. That translates to around 1.9 billion ad requests per day for the month of January, just from this one botnet.

Most of the programmatic traffic the firm saw going through the SSAI platform 66% was coming from the scheme, while 15% of the mobile ad programming came from ICEBUCKET. Besides mobile devices, the botnet was also working through set-top devices including Roku.

At 46%, Roku was the top device spoofed by ICEBUCKET. Others included Samsung Tizen Smart TV, Google TV (which Google discontinued in 2014) and Android. Roku, for one, confirmed that the impressions were spoofed. After White Ops informed the company about the scheme, Roku checked its internal systems and found that it wasnt showing any ICEBUCKET activity at all on its platform.

What makes ICEBUCKET unique and difficult to stop is that some of its traffic is being generated to benefit app publishers. In some cases, White Ops has seen publishers mix organic and ICEBUCKET traffic. Why? The firm has two hunches: it could be a way to hide the operation by creating obfuscating noise that makes it tough to identify the bogus traffic, with a subset of traffic not benefitting the operation directly, or it could point to fraud-as-a-service.

If it is fraud-as-a-service, the botnet operators are getting paid to generate traffic on behalf of the app publishers. The mix of fraudulent plus legit activity not only makes it harder to detect; it also generates more money for the scheme.

It could be that both of those options are in play, depending on what subset of the traffic youre looking at. But while White Ops cant conclusively determine what the point is of the mixed traffic, it knows one thing for sure: this operation is still going strong.

ICEBUCKET is anongoing operation. The volumes shown in [our illustrations] have not gone down to zero. The fraudsters are still out there, but we are able to execute our bot mitigation and bot prevention techniques to detect them and protect against their attacks; were disclosing this discovery now so others can do the same.

Original post:
Bot creates millions of fake eyeballs to rip off smart-TV advertisers - Naked Security