Scammers who have infiltrated the advertising ecosystem are using data centers to impersonate a range of connected devices in order to defraud marketers, according to new findings.
New York-based security firm White Ops on Thursday disclosed a vast, ongoing scheme in which fraudsters are charging advertising companies for ad space on smart TVs and then not delivering on their promise. To boost their credibility, the scammers are disguising bot activity that originates in global data centers as legitimate traffic in order to dupe anti-fraud services.
The campaign, which White Ops has named Ice Bucket, is an updated version of the notorious Methbot/3ve scheme, in which scammers sold commercial advertising space in videos and websites that were never viewed by real humans. Methbot scammers earned roughly $29 million between 2014 and 2018, according to the Department of Justice, and also used data center traffic to seem legitimate. While White Ops declined to speculate on how much money the scammers may have earned, citing an ongoing investigation, the effort at one point accounted for an estimated 1.9 billion ad requests the company monitored in January.
Some 28% of traffic that appeared to be from connected TVs that month was fraudulent, the company said.
“They’re selling ad space and then not utilizing it in the way they promise, and that’s exactly what Methbot was doing,” said Dimitris Theodorakis, director of detection with the threat intelligence team at White Ops.
“We always say that if you want to run a successful fraud operation, you need to look like a million people. You need to scale your operation to look like you’re coming from a million different places.”
The Ice Bucket operation, which remains active, at one point posed as more than 2 million people in more than 30 countries, researchers said. By impersonating real people who seemed to be watching their smart TVs, scammers made advertisers believe their server-side ad insertion (SSAI) video ad impressions would be viewed by possible consumers. In fact, the fraudsters proved capable of spoofing Roku devices, Samsung Tizen Smart TVs, Google TVs and Android mobile devices.
The first signs of the operation appeared late last year, according to Michael Moran, White Ops’ data scientist. While it remains unclear who is behind the Ice Bucket activity, the campaign relies on enough specific tactics and techniques to lead researchers to believe it is a “cohesive” unit of scammers. The company declined to reveal the evidence that a single group was behind the campaign, citing concerns about tipping off the attackers.
White Ops’ initial report on the Methbot scheme, published in 2016, provided the springboard for a years-long FBI investigation that resulted in indictments against at least nine alleged conspirators. Three suspects have pleaded guilty to hacking-related charges as part of the effort, which used cybercrime tactics to avoid detection, while a fourth is preparing for trial and others remain on the lam.