Ad verification company DoubleVerify has uncovered a massive CTV ad fraud scheme that was on track to bilk advertisers and publishers out of $30 million to $50 million in ad spend.
The scam, dubbed “ParrotTerra,” used server-side ad insertion to generate fake CTV inventory across a large number of apps, IPs and devices, spoofing 3.7 million devices and 2.7 million IP addresses per day.
SSAI technology combines content and ads into a single video stream to enable seamless playback on OTT devices, such as Roku, Apple TV and Fire TV.
The ParrotTerra scheme essentially tricked advertisers into paying for ads that were never actually seen in households.
“The ads and video stream are stitched together before it’s delivered and there’s no opportunity to easily evaluate who’s on the other side of the ad request,” said Jack Smith, DoubleVerify’s chief product officer in charge of demand solutions.
DoubleVerify identified the scam about a month ago and has since blocked the fraudulent activity before any companies were compromised, Smith said.
It was, however, the largest SSAI scheme since “StreamScam” in December, which spoofed more than 28.8 million US household IP addresses, including approximately 3,600 apps and 3,400 unique CTV device models. Oracle’s Moat identified and shut down that particular scam, which cost advertisers and publishers $14.5 million.
ParrotTerra, by comparison, was three times the size of StreamScam.
Anatomy of a CTV scam
Smith said that CTV fraud has been on the rise as more ad dollars flow into streaming. CTV fraud impressions more than tripled in 2020, up by 220% from the year before. Because there is little transparency in CTV, where CPMs can be upwards of $20, according to eMarketer, the schemes are becoming increasingly sophisticated, Smith said, as fraudsters look to cash in.
AdExchanger Daily
Get our editors’ roundup delivered to your inbox every weekday.
Daily Roundup
According to DoubleVerify, CTV schemes usually take place in three phases. First, fraudsters gather IP addresses or app bundle IDs. Second, they copy these details to mask their activity from being detected. And third, they use the spoofed details of legitimate users to send fraudulent ad requests.
Most of the fraud consists of bots on servers and impacts a range of inventory, Smith said. The scams, for example, are not specific to older TV models running new software that the devices may not be able to support.
“It’s really siphoning money away from good publishers across the spectrum – it could be large-scale publishers or small-scale [or] very niche publishers,” Smith said. “It doesn’t matter to the fraudsters. They want to attack every point in the value chain and the supply chain. If you’re a fraudster you want to try and cast the widest net.”
The problem is real
Though some have said that reports of fraudulent activity in CTV are often skewed to make the problem appear larger than it actually is, DoubleVerify says that ParrotTerra demonstrated how fraudsters are evolving.
Traditionally, SSAI schemes have generated impressions at a relatively slow and steady pace, Smith said. ParrotTerra, however, began testing its manipulation on a smaller scale before shortly thereafter progressing into high volumes.
“With ParrotTerra, there’s a sandbox where the fraudsters are kind of testing the waters to figure out what can immediately be detected and what can’t,” Smith said. “What was unique about ParrotTerra was that they scaled it rapidly. What we’re trying to do is … detect it in a sandbox before it starts to scale and start blocking it and removing it from traffic.”
DoubleVerify identified its first big SSAI ad fraud scheme in 2018, dubbed “Colorius,” which involved more than 400 fake SSAI servers that generated millions of falsified impressions. Since then, DoubleVerify has uncovered at least eight different schemes, including “LeoTerra” in July 2020, which resurrected itself as “StreamScam” five months later when it was identified by Oracle.
LeoTerra went through multiple phases through 2020. It started out targeting CTV devices only before changing its underlying behavior to evade detection. Eventually, it shifted to mobile apps after being shut down twice by DoubleVerify across CTV environments. ParrotTerra was spoofing 35% more apps than LeoTerra at its peak.
“Fraudsters are learning how to evolve their technology much like you would as a regular technology company that licenses one product and releases a version two, three or four,” Smith said. “And as that product goes along it gets much more sophisticated – we’re seeing technology development and product management happen within fraud.”
