Streaming TV Fraudsters Steal Millions of Ad Dollars in ‘ICEBUCKET’ Attack


Crooks manipulated connected TV supply-side ad platforms to create millions of fictional eyeballs.

A massive television ad fraud campaign that abuses the programmatic advertising ecosystem for connected TV (CTV) has successfully impersonated more than 2 million people in over 30 countries so far during its run, defrauding more than 300 different brands out of their ad dollars.

The recently uncovered CTV operation, named ICEBUCKET by the White Ops researchers who discovered it, was bent on tricking advertisers into thinking there were real people watching TV on the other side of the screen, when in reality they were bots pretending to be real people watching TV. In other words, the sellers of the ad inventory were bot-herders, and they received money in exchange for running the ads, but the ads never actually reached any human eyeballs.

A Word on Programmatic TV Advertising

CTV is generally defined as the ability to watch internet-streamed services on the big screen via smart TVs, set-top devices such as Roku, TiVo and others, or via app integrations found within cable provider services. CTV has caught fire in the last few years, especially with premiere streaming services offering top-tier original content. While a large portion of CTV advertising remains static and akin to traditional TV ads (i.e., inserted ahead of time with little user-specific targeting), programmatic advertising is starting to come into its own.

Programmatic advertising involves brands serving up dynamic, highly targeted ads within these video streaming services in an automated way, to specific slivers of demographic profiles – which is just like how advertising works on the internet as a whole. Advertisers can spend between $10 and $20 per 1,000 video ad impressions (this is known as the cost per million, or CPM) for programmatic ads, which makes them more expensive than other ad types.

In the television universe, programmatic marketing is carried out via complex, industry-specific programmatic ad systems. More specifically, a middle-man system known as a supply-side ad-insertion (SSAI) platform makes the connection between the brands that want to serve the ads and the companies that have the ad inventory that will be shown to subscribers. Those with inventory offer their wares within the SSAI environment, and the platform will then match up specific viewer attributes – in some cases down to very specific rich profile information – with targeted ad content.

SSAIs then “stitch” the appropriate ads into the fabric of video content on-the-fly, so that there aren’t the delays or hiccups typically caused by launching an ad player. Delivering video ad content through SSAI thus offers advertisers many benefits, including user personalization and latency reduction.

However, because there’s an automated platform in the middle, buyers and sellers typically don’t have a direct relationship, and the supply chain is less transparent than it could be – thus offering cybercrooks an opportunity, according to the researchers at White Ops.

“While SSAI is an elegant solution to ad serving, it’s still in its infancy. As with all new technologies, White Ops can see fraudsters finding the holes in the system and wiggling their way through,” according to an analysis published Thursday. “[In this case], fraudsters have found a way to spoof edge devices to replicate SSAI services … rather than show the ads to humans, the fraudsters call the reporting APIs indicating the ad has been ‘shown.’”

The Ongoing ICEBUCKET Campaign

ICEBUCKET is an ongoing operation, and while some of the fraud has been rooted out, more keeps cropping up. It’s a bit of a game of whack-a-mole, because the scope of the operation is significant, according to White Ops.

[Figure: Timeline of the ICEBUCKET campaign.]

At its peak in January, a full 28 percent of the programmatic CTV traffic that White Ops had visibility into, or around 1.9 billion ad requests per day, was fraudulent ICEBUCKET traffic.

“The operation … hid its sophisticated bots within the limited signal and transparency of server-side ad insertion (SSAI)-backed video ad impressions,” explained White Ops researchers, in an analysis published on Thursday. “The ICEBUCKET operation is the largest case of SSAI spoofing that has been uncovered to date.”

At its peak, ICEBUCKET used about 1,700 IPs for fake SSAI servers, located in nine countries; and more than 300 different legitimate app IDs from various publishers (these are assigned to specific viewer endpoints to be used for tracking). It also used more than 1,000 different user agents (i.e., the identifiers for different web browser or application types); around 500 of these were fake, created just for ICEBUCKET’s use.

“The user-agents used in the operation largely refer to obsolete device types that are no longer used in the general population, or devices that never existed in the first place,” explained White Ops.

To create the fictional viewers/eyeballs, ICEBUCKET also used at least 2 million spoofed IP addresses from 30+ countries (99 percent of which were located in the United States); White Ops said that the IP addresses showed signs of being algorithmically generated to mimic desirable audiences.

Further, the fraudsters masqueraded as a range of streaming devices: Roku devices (46 percent); Samsung Tizen Smart TVs (27 percent); GoogleTV, which was discontinued in 2014 (21 percent); and Android mobile devices (6 percent).

Rooting Out Fraud

One of the problems in uncovering fraud like this is a lack of visibility, according to White Ops, which explained that often, the information on inventory sources available to advertisers in an SSAI environment is limited to the device user-agent and IP address.

“While falsifying this data is relatively simple, the nuance of doing so convincingly makes this a form of a sophisticated bot attack,” the researchers explained. “The ICEBUCKET operation presented its traffic as coming from a legitimate SSAI provider (based on the inclusion of standard HTTP headers) for a variety of devices and apps, using custom code. ICEBUCKET assembled requests for ads to be inserted into video content for viewers using CTV and mobile devices, but none of those devices or viewers actually exist.”
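Because the only signals an SSAI environment typically exposes are the claimed user-agent and IP address, a buyer-side check has to work with just those. The following is an added illustration, not code from White Ops or from the article, of two of the indicators described above run over a constructed batch of SSAI-originated ad requests: user-agents naming a discontinued device family (GoogleTV is the one the article names) and claimed viewer IPs that sit in algorithmically neat runs behind a single SSAI server. Field names, thresholds and the sample records are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of ad requests arriving via SSAI servers (not real ICEBUCKET data).
# Field names are assumptions: the SSAI server IP, the "viewer" IP it forwards, and the UA it claims.
SAMPLE_REQUESTS = [
    {"ssai_ip": "203.0.113.10", "viewer_ip": "198.51.100.1", "ua": "Roku/DVP-9.10 (519.10E04111A)"},
    {"ssai_ip": "203.0.113.10", "viewer_ip": "198.51.100.2", "ua": "Mozilla/5.0 (Linux; GoogleTV 3.2)"},
    {"ssai_ip": "203.0.113.10", "viewer_ip": "198.51.100.3", "ua": "Roku/DVP-9.10 (519.10E04111A)"},
    {"ssai_ip": "203.0.113.10", "viewer_ip": "198.51.100.4", "ua": "Mozilla/5.0 (Linux; GoogleTV 3.2)"},
    {"ssai_ip": "192.0.2.50", "viewer_ip": "198.51.100.77", "ua": "Roku/DVP-9.10 (519.10E04111A)"},
    {"ssai_ip": "192.0.2.50", "viewer_ip": "203.0.113.200", "ua": "Roku/DVP-9.10 (519.10E04111A)"},
]

# Device families known to be discontinued; the article names GoogleTV (discontinued 2014).
OBSOLETE_DEVICE_MARKERS = ("GoogleTV",)

def obsolete_ua_share(records):
    """Fraction of requests whose user-agent names a discontinued device type."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if any(m in r["ua"] for m in OBSOLETE_DEVICE_MARKERS))
    return hits / len(records)

def adjacent_ip_share(records):
    """Fraction of distinct viewer IPs exactly one address away from another viewer IP on the same server."""
    ips = {int(ipaddress.ip_address(r["viewer_ip"])) for r in records}
    if len(ips) < 2:
        return 0.0
    adjacent = sum(1 for ip in ips if ip - 1 in ips or ip + 1 in ips)
    return adjacent / len(ips)

def score_ssai_servers(records, min_requests=3, ua_threshold=0.2, ip_threshold=0.5):
    """Group requests by SSAI server IP and flag servers whose claimed viewers look synthetic."""
    by_server = defaultdict(list)
    for r in records:
        by_server[r["ssai_ip"]].append(r)
    report = {}
    for ssai_ip, recs in by_server.items():
        ua_share = obsolete_ua_share(recs)
        ip_share = adjacent_ip_share(recs)
        report[ssai_ip] = {
            "requests": len(recs),
            "obsolete_ua_share": ua_share,
            "adjacent_ip_share": ip_share,
            # Only flag once there is enough volume for the ratios to mean something.
            "suspect": len(recs) >= min_requests and (ua_share >= ua_threshold or ip_share >= ip_threshold),
        }
    return report
```

A flagged server is a lead for a conversation with the ad tech partner, not proof on its own; real SSAI providers legitimately front many viewers, so the thresholds need tuning against known-good traffic.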

Brands can protect themselves by working with advertising supply chains where there are direct relationships, so that they can consult frequently with ad tech partners, the firm noted. This will be especially important as more and more ad-supported streaming TV services are adopted by consumers.

“ICEBUCKET is an ongoing operation. The volumes have not gone down to zero,” White Ops researchers concluded. “Since CTV and SSAI spoofing are currently lucrative options for our adversaries due to the high [ad rates] on CTV consumers, we expect to see similar operations start, or that existing operations may shift from web and mobile toward CTV traffic.”
