ICEBUCKET Group Faked Smart TVs to Profit from Ad Fraud
Security experts at White Ops have uncovered a large-scale fraud operation in which a hacker group simulated the activity of smart TVs to deceive advertisers and profit from ad revenue. The researchers named this operation, and the group behind it, ICEBUCKET. According to them, this is the largest known case of SSAI (Server-Side Ad Insertion) spoofing to date.
How SSAI Works and Why It’s Targeted
Online advertisers use SSAI servers as intermediaries between their ad platforms and end users. Essentially, SSAI servers deliver ads to apps running on people’s devices, which can include computers, smartphones, tablets, smart TVs, streaming devices, and more. SSAI servers are popular because they don’t slow down app code and allow advertisers to control which ads are shown on user devices in real time.
The Attack Scheme
The ICEBUCKET group discovered vulnerabilities in the way SSAI servers communicate. Over the past several months, the fraudsters exploited these weaknesses to connect to SSAI servers and request ads for non-existent devices.
Because the cost per thousand ad impressions (CPM) is higher for smart TVs and other connected TV (CTV) devices, the group focused on imitating these types of devices. ICEBUCKET primarily faked CTV devices such as Roku streaming devices, Samsung Tizen smart TVs, the now-defunct GoogleTV, and Android-based streaming devices.
In total, the fraudsters spoofed more than 1,000 different device types (user-agents), using over 2,000,000 IP addresses located in more than 30 countries. According to researchers, most of this fake traffic appeared to come from smart TVs located in the United States.
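The spoofing pattern described above can be scored on the SSAI side. The following is an added example, not White Ops' code or method: a Python heuristic over constructed ad-request log lines in a hypothetical format (time, client IP, app ID, user-agent) that flags addresses presenting several different CTV device families, which a single real television never does, and then reports what share of each app ID's requests came from those addresses.

```python
import re
from collections import defaultdict

# Constructed SSAI ad-request log (hypothetical format): "<time> <client ip> <app id> <user-agent>"
SAMPLE_LOG = """\
2020-01-15T10:00:01Z 203.0.113.10 app-0001 Roku/DVP-9.10 (519.10E04111A)
2020-01-15T10:00:02Z 203.0.113.10 app-0001 Mozilla/5.0 (SMART-TV; Linux; Tizen 5.0)
2020-01-15T10:00:03Z 203.0.113.10 app-0001 Mozilla/5.0 (Linux; GoogleTV 3.2)
2020-01-15T10:00:04Z 203.0.113.10 app-0001 Dalvik/2.1.0 (Linux; Android 9; SHIELD Android TV)
2020-01-15T10:00:05Z 198.51.100.7 app-0002 Roku/DVP-9.10 (519.10E04111A)
2020-01-15T10:05:05Z 198.51.100.7 app-0002 Roku/DVP-9.10 (519.10E04111A)
2020-01-15T10:06:00Z 198.51.100.8 app-0001 Mozilla/5.0 (SMART-TV; Linux; Tizen 5.0)
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
# CTV families the article says ICEBUCKET imitated, keyed on a user-agent substring
FAMILY_MARKERS = [("roku", "Roku/"), ("tizen", "Tizen"),
                  ("googletv", "GoogleTV"), ("androidtv", "Android TV")]

def device_family(user_agent):
    """Map a user-agent to a CTV family, or 'other' if no marker matches."""
    for family, marker in FAMILY_MARKERS:
        if marker in user_agent:
            return family
    return "other"

def parse_log(text):
    """Yield (ip, app_id, family) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, ip, app_id, ua = m.groups()
            yield ip, app_id, device_family(ua)

def flag_ips(text, max_families=1):
    """IPs presenting more than max_families CTV families: a real TV is one device, so an
    address claiming to be a Roku, a Tizen TV and an Android box requests ads for devices that do not exist."""
    seen = defaultdict(set)
    for ip, _, family in parse_log(text):
        if family != "other":
            seen[ip].add(family)
    return {ip: sorted(f) for ip, f in seen.items() if len(f) > max_families}

def app_exposure(text, flagged):
    """Share of each app id's ad requests that came from flagged IPs."""
    total, bad = defaultdict(int), defaultdict(int)
    for ip, app_id, _ in parse_log(text):
        total[app_id] += 1
        bad[app_id] += ip in flagged  # bool counts as 1 when the IP was flagged
    return {app: bad[app] / total[app] for app in total}
```

Shared or carrier-grade NAT addresses legitimately carry several devices, so treat the flag as one scoring signal to combine with other checks rather than as a block decision.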
Scale of the Operation
At its peak in January 2020, the ICEBUCKET group generated about 1.9 billion ad requests per day to SSAI servers. The operation was so massive that in January, nearly two-thirds of CTV SSAI ad traffic came from fake devices created by the fraudsters.
Experts report that ICEBUCKET used more than 300 app identifiers to request ad traffic on behalf of non-existent devices. These IDs represent apps and financial mechanisms through which the group earned ad revenue. Unfortunately, White Ops specialists are still investigating and cannot yet determine whether the group operated all 300 app IDs themselves or only a small portion, with the rest of the fake ad traffic being routed to other apps to cover their tracks.
There is also a possibility that ICEBUCKET operates as a Fraud-as-a-Service scheme, allowing app developers to order fake ad impressions for their apps and profiting from this service.
“At this time, we cannot reach a definitive conclusion regarding these two possibilities. It is possible that both methods are used by the hackers, depending on the specific type of traffic in question,” the White Ops analysts wrote.
Future Risks
Experts warn that the number of campaigns similar to ICEBUCKET is likely to grow in the future. SSAI technology is widely used in the industry, and given the high CPM rates paid for ads shown to smart TV users, it is likely that other groups will soon try to imitate ICEBUCKET’s tactics.