Jessica Goodfellow
Feb 2, 2021

DoubleVerify uncovers another record-breaking CTV fraud scheme

The operation is the eighth SSAI-based scam that DoubleVerify has identified in just two years, and it was triple the size of the last one.

DoubleVerify uncovers another record-breaking CTV fraud scheme

CTV (connected TV) continues to be a lucrative target for fraudsters. In January, DoubleVerify identified and blocked what it says is the biggest CTV fraud scheme to date—which operated a network of spoofed devices and IPs that was triple the size of the next biggest scheme the company has witnessed.

The operation, which DoubleVerify has called 'ParrotTerra', was facilitated through server-side ad insertion (SSAI) technology, in which ads are "stitched" into a piece of video content.

Fraudsters have found ways to dupe the SSAI server that is responsible for both putting out ad requests to fill the ad breaks and reporting on metrics to the buy-side, by spoofing CTV devices and generating fake traffic. In a typical SSAI fraud scheme, the fraudster spoofs legitimate devices and apps and use the spoofed details to send fraudulent ad requests into the ecosystem.

DoubleVerify identified its first large-scale SSAI ad fraud scheme, dubbed 'Colorius', in 2018. Since then, it said it has uncovered "at least" eight additional SSAI fraud schemes, each larger than the last. CTV is an attractive target for fraudsters due to its high CPMs, typically upwards of US$20, according to Emarketer estimates.

'ParrotTerra', like other SSAI schemes, worked by generating fake CTV inventory across countless apps, IPs and devices. It was spoofing 3.7 million device signatures and 2.7 million IP addresses each day before it was blocked. DoubleVerify said that ParrotTerra could have defrauded advertisers and publishers of "millions of dollars" if left undetected.

This is three times the size of the daily operation of 'LeoTerra', which previously held the title as the biggest CTV fraud scheme DoubleVerify had identified. 'LeoTerra' was first identified by DoubleVerify in July 2020 and later resurged in December 2020, when it was identified by Oracle Moat. Oracle said the scam spoofed more than 28.8 million US household IP addresses, including approximately 3,600 apps and 3,400 unique CTV device models. 'LeoTerra' has morphed multiple times to evade blocking—DoubleVerify identified a total of five variants over the past six months, including two in January.

Where 'LeoTerra' maintained a steady impression volume as it went through its mutations, the newer 'ParrotTerra' exhibited different behaviour. It began by testing its manipulation on a smaller scale before rapidly progressing into high volumes. DoubleVerify said the change in behaviour shows that SSAI fraud schemes are now looking to act quickly to siphon as much ad money as possible before being shut down.


Before 'LeoTerra', cybersecurity and ad verification firm White Ops uncovered what they reported at the time was the largest-ever connected-TV fraud operation in April last year. 'Icebucket' counterfeited more than 300 different publishers and spoofed at least 2 million IP addresses from over 30 countries. At its peak, it generated around 1.9 billion ad requests per day.

CTV fraud impressions more than tripled (220% increase) in 2020 versus 2019, according to DoubleVerify's data.

Related Articles

Just Published

2 hours ago

Firms pursue ESG policies to look good more than do ...

A desire to look good, rather than do good, is the primary reason businesses pursue sustainable and socially responsible policies, new research suggests.

2 hours ago

Moving campaign talks of Alzheimer's as an illness, ...

Campaign by NCA, for Alzheimer's Society, built on insight that 42% of people put off diagnosis because they believe symptoms are just a sign of ageing.

3 hours ago

Adland reacts after Google rolls out further ad ...

YouTube users can now limit ads relating to pregnancy, parenting, dating and weight loss, in addition to gambling and alcohol.

3 hours ago

S4 Capital axes bonuses and ex-CFO exits as fallout ...

The company’s share price slumped by a third at the end of March after it postponed its annual results twice because PwC, the auditor, could not complete its work.