
DoubleVerify Uncovers A New Type Of Scam In CTV


Ad verification company DoubleVerify recently shut down a new type of scheme in connected TV that uses screensavers to hijack streaming devices in order to generate fake ad impressions – even when the screen is off.

DoubleVerify estimates that the scam, dubbed “SmokeScreen,” is bilking advertisers out of more than $6 million a month and shows how fraudsters are becoming more sophisticated.

The latest scheme was uncovered in April and differs from previous multimillion-dollar “spoofing” scams that DoubleVerify and other ad verification providers have shut down in recent years. Most of those fraud schemes used server-side ad insertion to generate fake CTV inventory across a large number of apps, IP addresses and devices.

The bot-based SmokeScreen scam ran various fraudulent screensaver apps, primarily targeting users of external CTV devices, the kind manufactured by companies such as Amazon and Roku (DoubleVerify declined to name specific devices that were impacted).

Once downloaded by users – who are unaware the screensavers are being used to run bogus traffic – the app continuously generates multiple fake ad requests to exchanges.

“You turn off your television and it just continues to request ads,” Jack Smith, DoubleVerify’s chief product officer, told AdExchanger, adding that the scheme dupes advertisers, publishers and the platform.

SmokeScreen scammers created multiple selling accounts to hide their activity. The fake impressions were also spoofed to appear as if they originated from premium CTV apps, which ultimately siphoned revenue away from publishers and bilked advertisers out of ad spend.

Assuming an average $20 CPM, DoubleVerify estimates that from April to May, the scam impacted about 10,000 CTV devices and generated more than 300 million ad requests worth more than $6 million.

DoubleVerify blocked the activity on May 23 after observing odd patterns of pre-bid impression requests, mainly that they were being generated overnight, between 12 a.m. and 5 a.m., when traffic typically decreases because most people are not watching TV and screens are off.

“Normally you’d think that a screensaver would be more active at night,” Smith said. “But when we started looking at the data for these kinds of apps, what we saw was that the number of impressions being requested were fairly constant, which makes no sense. To us it was new, but it became fairly obvious because the normal device patterns didn’t match.”

Additionally, the volume of impressions coming from hijacked devices throughout May was three times higher than authentic traffic on devices that weren’t compromised.
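The two signals described above (request volume that stays flat through the 12 a.m. to 5 a.m. window, and volume several times that of ordinary devices) can be checked per device from hourly request counts. The following is an added example, not DoubleVerify's method or code; the device names, sample counts and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

OVERNIGHT_HOURS = range(0, 5)  # 12 a.m. to 5 a.m., the window named in the article

def build_sample():
    """Constructed rows of (device_id, hour_of_day, ad_requests). Not real data."""
    rows = []
    for hour in range(24):
        # Typical viewing: quiet overnight, peak in the evening.
        normal = 2 if hour < 6 else (40 if 18 <= hour <= 22 else 12)
        rows.append(("dev-normal-1", hour, normal))
        rows.append(("dev-normal-2", hour, normal + 1))
        rows.append(("dev-normal-3", hour, max(normal - 1, 0)))
        # Screensaver-style traffic: roughly constant around the clock.
        rows.append(("dev-flat-1", hour, 50 + hour % 3))
    return rows

def profile(rows):
    """Return {device: (total_requests, overnight_share)}."""
    hourly = defaultdict(lambda: [0] * 24)
    for device, hour, count in rows:
        hourly[device][hour] += count
    out = {}
    for device, counts in hourly.items():
        total = sum(counts)
        overnight = sum(counts[h] for h in OVERNIGHT_HOURS)
        out[device] = (total, overnight / total if total else 0.0)
    return out

def flag_devices(rows, min_overnight_share=0.15, volume_factor=2.0):
    """Flag devices that stay busy overnight AND far exceed typical volume.

    A perfectly flat device sends 5/24 (about 0.21) of its requests overnight.
    Both thresholds are illustrative assumptions, not values from the article.
    """
    profiles = profile(rows)
    typical = median(total for total, _ in profiles.values())
    return sorted(
        device for device, (total, share) in profiles.items()
        if share >= min_overnight_share and total >= volume_factor * typical
    )

if __name__ == "__main__":
    for device, (total, share) in sorted(profile(build_sample()).items()):
        print(f"{device}: total={total} overnight_share={share:.3f}")
    print("flagged:", flag_devices(build_sample()))
```

The median baseline only holds while compromised devices are a minority of the population being profiled; a baseline taken from known-good devices avoids that dependency.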


Even after DoubleVerify blocked the scam for its clients, the company noticed that the operation seemingly “doubled down” on its attempt to dupe advertisers: the number of ad requests increased significantly, and requests are still being generated.

“They probably recognized that they weren’t making as much money and decided to generate more fake impressions because we shut it down,” he said.

DoubleVerify uncovered the invalid traffic because it evaluates whether pre-bid ad requests made by video players are fraudulent and sends the information to DSPs, Smith said.

“We’ll see the request, but we won’t bid on it,” he said, adding that DoubleVerify updates a list of fraudulent apps 100 times a day. “And in some cases, if for whatever reason it sneaks through, we have the ability to filter out and block in CTV environments – we have a secondary layer of protection there.”

Smith added that it was unclear how long SmokeScreen had been running before DoubleVerify shut the scheme down. Some scams are blocked within hours or days of being identified. DoubleVerify said its video filtering tool played a critical role in detecting SmokeScreen impressions early.

“As soon as we recognize the scheme, we shut it down,” Smith said.

A recent report by DoubleVerify found that post-bid fraud and sophisticated invalid traffic rates were down 30% year-over-year, from 2% to 1.4% across desktop, mobile app, mobile web and CTV.

Speaking on the company’s Q2 earnings call on July 29, CEO Mark Zagorski said that while fraud rates decreased, there’s still a significant amount of fraud – and it continues to evolve in CTV.

Fraudulent apps are becoming more common in the space, he added, often appearing to look “totally innocuous” and even including legitimate content.

“The interesting thing about this type of fraud is we saw this earlier in mobile,” Zagorski told investors. “Every new device spurs a new type of fraud.”
