Inside Icebucket: the 'largest' CTV ad fraud scheme to date

Cybersecurity and ad verification firm White Ops has uncovered what they report to be the largest-ever connected TV fraud operation in history, affecting more than 300 publishers and millions of dollars in ad spend.

White Ops' threat intelligence team has been tracking the ad fraud operation, named Icebucket, since January. The operation has counterfeited more than 300 different publishers to date and spoofed at least 2 million IP addresses from over 30 countries—99% of which claims to be US-based.

It is a lucrative operation that has involved the sophisticated spoofing of many layers of the supply chain—but could also involve some shady practices from legitimate publishers.

Impact so far

Icebucket has been taking advantage of CTV's high CPMs but relative lack of transparency. Programmatic CTV does not have an authorised reseller tool like Sellers.json, and buyers and sellers typically don't have a direct relationship. This has provided an entry point for fraudsters to counterfeit CTV players, create a fake audience, and trick advertisers into handing over cash.

The operation hid its sophisticated bots within server-side ad insertion (SSAI)-backed video ad impressions. In SSAI, ads are “stitched” into the fabric of video content so that there aren’t delays or hiccups caused by launching an ad player. In January 2020, 66% of programmatic CTV-related SSAI traffic and 15% of programmatic mobile-related SSAI traffic that White Ops protects was a part of this scheme. It is the largest case of SSAI spoofing that has been uncovered to date, White Ops claims. 

Near its peak, Icebucket data accounted for nearly 28% of the total programmatic CTV traffic White Ops has visibility into (which is more than 80% of the programmatic supply chain). This is equivalent to around 1.9 billion ad requests per day for the month of January. 

White Ops—which is also responsible for uncovering two of the largest online ad fraud operations in history: Methbot in 2016, and 3ve in 2018—has not given a cost estimate to the scheme. But if the average CPM for an in-stream CTV ad ranges from $19.84 to $28.33 (according to Emarketer estimates for 2018), and the fraud scheme was calling up 1.9 billion ad requests per day near its peak—that's a very lucrative day rate.

Figure 1: percentage of programmatic CTV traffic implicated in this operation for January 2020.

How it works

In order to pull off this scheme, the fraudsters have had to take control of many elements of the supply chain, starting with the 'viewers' (the 2 million spoofed IP addresses), the user agents (IE the devices, of which it spoofed 1,000), the SSAI servers (around 1,700 located in nine countries) and the publishers (300 appIDs).

The operation spoofed various CTV devices for the operation, with nearly half (46%) of the traffic spoofing a Roku device. Roku confirmed to White Ops that the traffic claiming to come from Roku was entirely spoofed, after seeing no Icebucket activity on its platform.

Table 1: Proportion of ICEBUCKET traffic in January 2020 for various declared devices

For this operation, none of the devices or viewers actually exist—they are all faked. The user-agents used in the operation largely refer to obsolete device types that are no longer used in the general population, or devices that never existed in the first place. The IP addresses showed signs of being algorithmically generated to mimic desirable audiences.

After successfully spoofing the devices, the fraudsters can then send out ad requests from data centres to SSAI providers, and then call the reporting APIs indicating the ad has been “shown”.

Since often the information available to advertisers in an SSAI environment is limited to the device user-agent and IP address (both of which the fraudsters have spoofed), falsifying this data is relatively simple. This points to flaws in SSAI, an "elegant" solution to ad serving, but "still in its infancy" and therefore open to exploitation, White Ops said.

Figure 2: Schematic of how SSAI spoofing relates to the ad tech ecosystem.

There's another—potentially even more worrying—element to the Icebucket operation. A subset of the traffic being generated by Icebucket is being diverted to actually benefit app publishers directly through direct deals.

This could be an early sign of CTV traffic-sourcing schemes, whereby the operation is generating traffic on behalf of the app publishers, which makes it both harder to detect, since it is mixed with legitimate traffic, and provides an extra revenue source for the scheme. Or, it could be a clever diversion technique by the fraudsters to divert attention, by creating a subset of traffic that is not benefiting the operation directly.

"At this point, we cannot make a conclusive determination between these two possibilities. There is the possibility that both of these options could be at play, depending on the particular subset of the traffic in question," White Ops researchers said.

Ongoing threat

White Ops has been actively blocking Icebucket fraudulent traffic since it peaked in January, but as noted in the graph below, the scheme is an ongoing operation, with volumes not yet down to zero. It is sharing its findings so other fraud networks can block the traffic too.

Figure 3: post-bid impressions associated with ICEBUCKET for 2020.

Furthermore, due to the lucrative nature of CTV ad impressions and the lack of security in SSAI ad insertion, the company expects this will be the first of many schemes. More standards in CTV, such as app-ads.txt and sellers.json, plus greater direct relationships and transparency in the supply chain, will help mitigate this fraud, White Ops has advised.