
Risk

4/16/2020
04:55 PM
Massive Bot-Enabled Ad Fraud Campaign Targeted Connected TVs

ICEBUCKET operation is the largest ever to attempt to steal from advertisers by using bots to impersonate human smart-TV viewers, White Ops says.

Researchers at White Ops have uncovered what they described this week as the largest ad fraud operation to date associated with connected TVs (CTVs).

The so-called ICEBUCKET operation involved scammers using software bots to trick advertisers into thinking real people were watching their ads on the other side of the smart-TV screen. By using bots to impersonate human viewers, the scammers fraudulently got advertisers to pay for ad impressions that no real person ever saw.

Michael Moran, a member of the detection team at White Ops, says it's unclear how much money advertisers might have lost to the ICEBUCKET scam. But at its peak, the bot operation impersonated more than 2 million people from over 30 countries. Some 99% of the spoofed IPs used in the campaign are located in the US, White Ops said.

At one point nearly 28% of the CTV traffic that White Ops has visibility into in January — or some 1.9 billion ad requests per day — came from ICEBUCKET. The operation is still ongoing but at a substantially lower volume compared to January.

One reason ICEBUCKET has been so successful is that it uses an ad insertion method called server-side ad insertion (SSAI) to hide its bots, White Ops said.

"SSAI is a method to include video advertisements within a video content stream," Moran says. Unlike client-side ad insertion where ads are inserted by the actual device that is being used to watch a video, with SSAI a server within a data center inserts ads into the video stream and delivers it to the edge device.

Typically advertisers target audiences based on factors like location, time of day, estimated income, and their likelihood of buying their product. Advertisers consider CTVs to be premium inventory because of a higher likelihood of their ads actually being viewed, Moran says.

"SSAI is a more opaque part of the ad ecosystem, since the server is acting on behalf of the edge devices and many verification tags will run on the server instead of the edge device," Moran notes. With the ICEBUCKET operation, the attackers used some 1,700 intermediate SSAI servers under their control to send ads to fake and spoofed CTVs. The attackers also copied certain standards used to identify SSAI traffic to make it appear more legitimate, he says.

ICEBUCKET used virtual private servers within various data centers that appeared to be located on a small number of network segments in nine countries. "We postulate that they either purchased access to those servers or used lower security on those servers to insert their own code on the servers to run," Moran says.

In its report on the operation, White Ops theorized that the ICEBUCKET attackers used those particular networks either because they were cheap, because the network operators had lax security standards, or because a large number of systems hosted on those segments were vulnerable to attack.

According to the vendor, the operators of the ICEBUCKET scam also appeared to be making some extra revenue by delivering ad-fraud-as-a-service to many application publishers. "We've observed cases where such publishers are mixing up organic and ICEBUCKET traffic in what seems to be early signs of traffic sourcing schemes for CTV traffic," White Ops said in its report.

Opaque Supply Chain
It's hard to say who exactly is making money from such fraud, Moran notes. Within an ad request are parameters that specify which companies are involved in the actual transaction. This can include the ad exchange, the publisher ID, and the app ID itself. The parameters can help identify which companies are making money off fraudulent ad requests, he says.

"[But] this supply chain is somewhat opaque, which is why we are advocating for stronger adoption of standards that will provide clarity and transparency into who is making money across the ecosystem," he notes.
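The two traits the article attributes to ICEBUCKET, a small number of data-center network segments fronting an outsized share of CTV "viewers" and supply-chain IDs in each ad request that show who is paid, suggest a simple aggregation a verifier could run. The following is an added example, not White Ops' code or method; the log format, the assumption that an SSAI server forwards a claimed device IP, and the thresholds are all assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample of ad requests as a verifier might log them. Each tuple is
# (ssai_server_ip, claimed_device_ip, exchange, publisher_id, app_id); the field
# set and the claimed-device-IP header are assumptions, not a real log format.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "198.51.100.7",  "exch-a", "pub-1", "app-news"),
    ("203.0.113.10", "198.51.100.8",  "exch-a", "pub-1", "app-news"),
    ("203.0.113.11", "198.51.100.9",  "exch-a", "pub-1", "app-news"),
    ("203.0.113.12", "198.51.100.10", "exch-b", "pub-2", "app-news"),
    ("203.0.113.13", "198.51.100.11", "exch-b", "pub-2", "app-news"),
    ("203.0.113.14", "198.51.100.12", "exch-b", "pub-2", "app-news"),
    ("203.0.113.15", "198.51.100.13", "exch-b", "pub-2", "app-news"),
    ("192.0.2.20",   "198.51.100.50", "exch-a", "pub-3", "app-sports"),
    ("192.0.2.21",   "198.51.100.51", "exch-a", "pub-3", "app-sports"),
    ("192.0.2.99",   "198.51.100.52", "exch-c", "pub-4", "app-movies"),
]

def segment(ip, prefix=24):
    """Collapse a server address to its network segment (/24 by default)."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def profile_segments(requests):
    """Per server segment: request count, distinct servers and claimed devices,
    and a count of the (exchange, publisher, app) triples riding on it."""
    prof = defaultdict(lambda: {"requests": 0, "servers": set(),
                                "devices": set(), "supply": Counter()})
    for server, device, exchange, pub, app in requests:
        p = prof[segment(server)]
        p["requests"] += 1
        p["servers"].add(server)
        p["devices"].add(device)
        p["supply"][(exchange, pub, app)] += 1
    return prof

def flag_concentrated_segments(requests, max_share=0.25, min_servers=4):
    """Flag segments relaying more than max_share of all requests from at
    least min_servers distinct servers (thresholds are illustrative). Returns
    {segment: (share, sorted supply-chain IDs)} so reviewers can see both the
    concentration and which exchange/publisher/app IDs are in the money path."""
    total = len(requests)
    flagged = {}
    for seg, p in profile_segments(requests).items():
        share = p["requests"] / total
        if share > max_share and len(p["servers"]) >= min_servers:
            flagged[seg] = (round(share, 2), sorted(p["supply"]))
    return flagged
```

With the constructed sample, the 203.0.113.0/24 segment carries 70% of requests from six servers and is flagged; the smaller 192.0.2.0/24 segment is not.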

Digital ad fraud continues to cost advertisers billions of dollars annually. A large portion of the fraud is being enabled through the use of bots and botnets to impersonate human actions, such as clicking on an ad to boost page views. A study last year by White Ops and the Association of National Advertisers (ANA) found that fraud attempts accounted for up to 35% of all ad impressions annually.

However, as high as the fraud numbers are, they are declining. White Ops and ANA found that new bot detection technologies and a higher overall awareness of ad fraud tactics had resulted in digital ad fraud dropping from $6.5 billion in 2017 to $5.8 billion between 2018 and 2019.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments

ErickDune, User Rank: Strategist, 6/24/2020 | 3:43:47 AM
Educated
Oh my God! Every time, these useless hackers try to make such kinds of programs or ads to hack the entire server of a firm or things like that. I am very aware of these things, as I've experienced many bad things in the past. Anyway, thanks for telling the world about edubirdie and what these kinds of mistakes lead to, but I might think that this is the work of a hacker.