Jessica Goodfellow
Feb 2, 2021

DoubleVerify uncovers another record-breaking CTV fraud scheme

The operation is the eighth SSAI-based scam that DoubleVerify has identified in just two years, and it was triple the size of the last one.

DoubleVerify uncovers another record-breaking CTV fraud scheme

CTV (connected TV) continues to be a lucrative target for fraudsters. In January, DoubleVerify identified and blocked what it says is the biggest CTV fraud scheme to date—which operated a network of spoofed devices and IPs that was triple the size of the next biggest scheme the company has witnessed.

The operation, which DoubleVerify has called 'ParrotTerra', was facilitated through server-side ad insertion (SSAI) technology, in which ads are "stitched" into a piece of video content.

Fraudsters have found ways to dupe the SSAI server that is responsible for both putting out ad requests to fill the ad breaks and reporting on metrics to the buy-side, by spoofing CTV devices and generating fake traffic. In a typical SSAI fraud scheme, the fraudster spoofs legitimate devices and apps and use the spoofed details to send fraudulent ad requests into the ecosystem.

DoubleVerify identified its first large-scale SSAI ad fraud scheme, dubbed 'Colorius', in 2018. Since then, it said it has uncovered "at least" eight additional SSAI fraud schemes, each larger than the last. CTV is an attractive target for fraudsters due to its high CPMs, typically upwards of US$20, according to Emarketer estimates.

'ParrotTerra', like other SSAI schemes, worked by generating fake CTV inventory across countless apps, IPs and devices. It was spoofing 3.7 million device signatures and 2.7 million IP addresses each day before it was blocked. DoubleVerify said that ParrotTerra could have defrauded advertisers and publishers of "millions of dollars" if left undetected.

This is three times the size of the daily operation of 'LeoTerra', which previously held the title as the biggest CTV fraud scheme DoubleVerify had identified. 'LeoTerra' was first identified by DoubleVerify in July 2020 and later resurged in December 2020, when it was identified by Oracle Moat. Oracle said the scam spoofed more than 28.8 million US household IP addresses, including approximately 3,600 apps and 3,400 unique CTV device models. 'LeoTerra' has morphed multiple times to evade blocking—DoubleVerify identified a total of five variants over the past six months, including two in January.

Where 'LeoTerra' maintained a steady impression volume as it went through its mutations, the newer 'ParrotTerra' exhibited different behaviour. It began by testing its manipulation on a smaller scale before rapidly progressing into high volumes. DoubleVerify said the change in behaviour shows that SSAI fraud schemes are now looking to act quickly to siphon as much ad money as possible before being shut down.


Before 'LeoTerra', cybersecurity and ad verification firm White Ops uncovered what they reported at the time was the largest-ever connected-TV fraud operation in April last year. 'Icebucket' counterfeited more than 300 different publishers and spoofed at least 2 million IP addresses from over 30 countries. At its peak, it generated around 1.9 billion ad requests per day.

CTV fraud impressions more than tripled (220% increase) in 2020 versus 2019, according to DoubleVerify's data.

Related Articles

Just Published

17 hours ago

Kasikornbank challenges workplace tropes in ...

A boss who only wants their way? Suck-up behaviour in the office? A lack of investment in workplace facilities? Not at our bank, Kasikornbank promises.

18 hours ago

40 Under 40 2022 to be revealed on Dec 7

Following multiple rounds of judging, Campaign will reveal the final list tomorrow.

18 hours ago

Spikes Asia announces full 2023 juries

See the 110 APAC industry experts selected to serve on Spikes' 15 juries. The region's top industry awards programme is currently open for entries.

18 hours ago

Fashionably ate: Why luxury fashion brands are ...

Gucci burgers and Ralph Lauren coffees are making their way across the region. But is the merging of luxury and food one brand extension gone too far?