White Ops specialists discovered a large-scale fraudulent operation: for several months, a hacker group simulated the activity of smart TVs in order to deceive advertisers and profit from advertising.
Researchers named this operation, and the group behind it, ICEBUCKET. In their opinion, this is the most widespread case of SSAI (Server-Side Ad Insertion) spoofing to date.
Internet advertisers use SSAI servers as intermediaries between their advertising platforms and end users. In essence, SSAI servers send ads to applications that run on people's devices. Such devices can be computers, smartphones, tablets, smart TVs, streaming devices, and so on. SSAI servers are a very popular solution, as they do not slow down the application code and allow advertisers to control, in real time, the ads displayed on user devices.
However, the ICEBUCKET group found flaws in the communication mechanism of SSAI servers. Over the past months, the fraudsters have exploited these flaws to connect to SSAI servers and request ads for display on non-existent devices.
Because the cost per thousand impressions for ads on smart TVs and other connected TV devices is higher than for other device types, the group focused on simulating these devices. ICEBUCKET primarily imitates CTV (Connected TV) devices, such as Roku streaming devices, Samsung Tizen smart TVs, the now defunct GoogleTV and Android streaming devices.
In total, the scammers faked more than 1000 different types of devices (user-agents), using over 2,000,000 IP addresses located in more than 30 countries around the world. According to the researchers, most of this traffic came from fake smart TVs located in the United States.
At the peak of its activity in January 2020, the ICEBUCKET group generated about 1.9 billion advertising requests to SSAI servers daily. The operation was so large-scale that in January of this year almost 2/3 of CTV SSAI advertising traffic came from non-existent devices created by the scammers.
Experts write that ICEBUCKET used more than 300 application identifiers to request advertising traffic on behalf of non-existent devices. These IDs correspond to the applications and financial mechanisms through which the group received advertising revenue. Unfortunately, White Ops experts are still investigating and cannot yet determine whether the group operated all 300 application IDs itself, or whether the hackers used only a small part of them and sent the rest of the fake advertising traffic to other applications to cover their tracks.
There is also the possibility that ICEBUCKET works as a Fraud-as-a-Service scheme, that is, it allows application developers to order fake advertising traffic for their applications and makes money on it.
“At the moment, we cannot reach a final conclusion regarding these two possibilities. There is a possibility that both of these options are used (by hackers) depending on the specific variation of the traffic in question,” White Ops analysts write.
Experts warn that the number of campaigns like ICEBUCKET will increase in the future. The SSAI mechanism is widely used in the industry, and given the high CPM rates paid for displaying ads to smart TV users, the group will most likely soon have imitators.