
Connected TV Bot Attack Uses Millions of Fake Customers to Trick Companies

Silviu STAHIE

April 21, 2020


Security researchers have discovered a unique and massive campaign aimed at defrauding companies by tricking them into paying for advertisements delivered through connected TV (CTV).

CTV is not a top-of-mind topic for people concerned with hackers, bots, or any other type of criminal activity. In fact, CTV is more likely off people’s radar entirely. But it’s a large and powerful advertising market, and that makes it a prime target for criminals.

At this point, you’re wondering how CTV works. Basically, any smart TV that connects to the Internet is part of this connected TV network. Many users dropped their cable or satellite subscriptions and chose to use their TVs only through an online connection. While some streaming services such as Amazon Prime and Netflix have no commercials, some streaming services, especially for Live TV, can be used to deploy ads.

Determining what kind of ads are deployed to TVs is the job of advertisers. Companies that want to showcase their products on those smart TVs deal directly with advertisers, who already know the profile of the users. The entire process is automated through Server-Side Ad Insertion (SSAI). And that's where the attackers inserted themselves: they tricked companies into believing they were a real SSAI provider by using a complex network of bots that mimicked real users.

“The White Ops Satori team recently uncovered the largest and widest Connected TV (CTV) related fraud operation to date. At its peak, the ICEBUCKET bot operation impersonated more than 2 million people in over 30 countries,” said the security researchers.

“The operation counterfeited over 300 different publishers, stealing advertising spend by tricking advertisers into thinking there were real people on the other side of the screen, when in reality, these were bots pretending to be real people watching TV.”

At the height of the operation, throughout January, this single fraudulent operation generated about 1.9 billion ad requests per day. The criminals used around 1,000 user-agents (identification of connected platforms), 300 appIDs from various publishers, and around 2 million spoofed IPs from more than 30 countries, although approximately 99% were in the United States. The reason for the location is simple: US devices would bring in more money.

While much of this operation was closed, there are still bots in operation at any given time, as new ones are always coming online.

Author


Silviu STAHIE

Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
