Oracle Uncovers Large CTV Ad Fraud Operation

oracle uncovers large ctv ad fraud operation

Enterprise tech giant Oracle said it shut down the largest ad fraud scam in the connected TV space that bilked advertisers and publishers out of $14.5 million in ad spending.

Oracle Moat – the company’s business that provides measurement and ad verification solutions across digital and TV – said the fraudsters exploited flaws in CTV ad serving technology to fool advertisers into paying for ads that were never actually seen in households.

The scam, dubbed “StreamScam,” spoofed more than 28.8 million US household IP addresses, including approximately 3,600 apps and 3,400 unique CTV device models. Oracle called it the largest CTV bot attack since ICEBUCKET in April, which involved 2 million spoofed household IP addresses, 300 app IDs and 1,000 CTV device IDs.

StreamScam took advantage of vulnerabilities in Server-Side Ad Insertion technology, which combines content and ads into a single video stream. That process enables seamless playback on devices such as Roku, Apple TV and Fire TV.

With advertisers funneling more ad dollars into streaming TV space, a shift fueled by the COVID-19 pandemic, Mark Kopera, head of product for Oracle Moat, said that scammers are following the money and the space is creating new opportunities for ad fraud. In 2020, CTV ad spending in the United States will total $8.1 billion and increase to $11.4 billion in 2021, according to eMarketer.

Kopera said Oracle Moat first noticed the suspicious activity, or “spoofing,” over the summer, in its overall CTV measurement footprint. The scam exploited the Server-Side Ad Insertion technology, which stitches a program’s content and ads into a single stream, preventing any hiccups when a show cuts to a commercial and back. Likewise, Kopera explained, notifications to measurement providers also come from the servers. But without careful detection, Kopera said it’s possible for a fraudster to insinuate itself as an SSAI server, without actually having CTV content.

oracle uncovers large ctv ad fraud operation

In ad requests and pixel fires that companies such as Moat measure in CTV, Kopera said there’s an opportunity to declare on which app and devices the ad is running.

“[Fraudsters are] making up values, generating values and putting them in those pixels or ad requests,” he said. “That’s what spoofing an app is – it’s just generating server traffic and saying it’s from an app that’s it’s not.”

Unlike the DrainerBot mobile ad fraud scam Oracle uncovered last year – which distributed through millions of downloads of infected consumer apps – Kopera said that StreamScam consisted only of bots on servers.

“There was no content streaming, there was no CTV devices involved, no ads delivered at all, it was just all completely fake,” he said.

Uncovering the scam

Oracle uncovered the scam by using Moat technology, which tallies the number of ad impressions that are inserted into video streams by SSAI servers as well as the number of ad impressions that actually play on end-user devices.

“We noticed strange distributions of the make, models and versions, more older devices than you would expect or more older operating system versions that you would expect,” Kopera said.

The scammers built a network of servers impersonating SSAI tech that sent ad impression events to Moat and advertisers without actually sending ad and video content to users. The fraudsters forged household IP addresses, app IDs, and device IDs in the measurement events to make it appear that ads had played in those environments.

“The servers generated false ad requests,” Kopera said. “In the end, they convinced advertisers to bid on them, and took budgets away from both advertisers and publishers whose apps were spoofed.”

Based on CTV impression volumes, Oracle estimated that $14.5 million was stolen over four months. Kopera declined to name the companies that were impacted.

When asked what sort of inventory is most at risk for fraud, and whether spoofing could hit premium services such as Hulu or Peacock, Kopera said it had little to do with the app itself.

“The nature of app spoofing is that they can declare any app that they want – content is not actually running on any apps – they’re just simulating ad requests from an app,” he said. “That does mean that it’s typically something that happens within the programmatic supply chain as opposed to direct buys on the apps themselves.”

Is CTV fraud actually a big deal?

Tru Optik CEO Andre Swanston, however, said in an email that reports of fraudulent activity are often skewed “to make the problem sound bigger than it actually is.”

He said that CTV is overwhelmingly bought direct or through private marketplaces, and that by using audience targeting and measurement data that maps back to verified households and devices, advertisers are able to mitigate many of the tactics commonly attempted by scams.

“While attempted fraud in streaming is inevitable, it is currently a minute fraction of CTV inventory,” he said. “Reports of fraudulent activity typically reference open exchange traffic, where a very limited portion of transactions take place and where less savvy advertisers are attracted by low-priced inventory.”

Still, Kopera said that the threats in the CTV space are very real, particularly because it’s normal for valid CTV impressions, or valid CTV ad measurements, to come through the server side. Moat’s investment in research to improve CTV measurement and detect sophisticated ad fraud, he added, enabled it to identify the fake impressions and classify them as invalid.

“You have to build out specific detection that’s able to accurately work within this new environment that is a little bit different than what we’ve done previously in app or in browser, where you are in the browser or in the device,” he said.

He added the industry must develop standards and collaborate, citing IAB Tech Lab’s recent launch of its (ads.txt) specification and its mobile app counterpart (app-ads.txt) to address transparency and anti-fraud for CTV and OTT.

TAG and Oracle are set to hold an industry briefing in January 2021, where TAG members will receive access to actionable information from Moat to help identify StreamScam in their data and avoid campaign fraud “so they can apply that knowledge within their own footprint so the whole industry becomes protected,” Kopera said.