Ad measurement and verification company Method Media Intelligence uncovered a connected TV fraud scheme that it says rakes in $10 million a month in ad revenue.
The scheme, dubbed “RapidFire,” feeds counterfeit bid requests into ad exchanges running open auctions for CTV inventory.
Like many multimillion-dollar video fraud scams, RapidFire targets server-side ad insertion (SSAI) as a means to “spoof” CTV inventory across a large number of apps, IP addresses and devices.
The company estimated that the scheme is costing advertisers $20 million a month – when factoring in fees and other transactional costs – and is more widespread than the bot-based scams that have made headlines in recent years.
MMI said the scam illustrates how larger, more sophisticated networks based in the United States can transact fake traffic, in contrast to the scammers based in Eastern Europe that law enforcement has singled out, such as Methbot, a Russian fraud ring that bilked advertisers out of $7 million.
“The way that this is deviating from that Russian hacker narrative, it’s that this is literally not something that’s happening in the shadows – these people are doing it out in the open,” said MMI marketing strategist Jenny Wilkins, adding that fake traffic is even being solicited on LinkedIn.
Unlike most SSAI spoofing scams, RapidFire doesn’t rely on bots or fake apps to generate bogus inventory. Rather, the fraudsters use basic automation tools, in this case a Python script, to generate bid requests in a JSON format – a template used to initiate auctions – across multiple SSPs.
“You don’t need a bot that is actually loading apps and playing content until ad breaks initiate,” said Shailin Dhar, CEO and founder of MMI. “It’s more efficient for the operators and far more scalable [than bot-based attacks], which poses a larger threat to advertisers. Essentially, it’s like this is a software that lets you design the perfect counterfeit currency note from your computer.”
MMI first identified the scam – which is still operating – late last year and released a report on Monday detailing the scheme’s scope. The operation consists of a five-member team of former ad tech professionals based overseas who are running an ad network that MMI dubbed HyperCast.
The fraudsters set up a registered corporate entity in Nevada – operating as a seemingly legitimate company. The business sends bogus requests to ad exchanges using real-time bidding (RTB).
MMI declined to disclose the name of the company or say where it was based, but said it is one of many similar operations using this type of fraud.
“It’s another ad network with a seat on exchanges, and they have been around for years, just being an aggregator of various publishers,” Dhar said. “Their goal is to source traffic for as cheap as possible and sell it for as high as possible without losing money. They’re making [fake] impressions available for sale. I would say that the biggest flag for exchanges/SSPs to watch for are sellers with fill rates below 10%.”
Another area where buyers should exercise caution is with impressions served via server-side ad insertion (SSAI). In order to enable seamless playback on OTT devices, such as Roku, Apple TV and Fire TV, the method combines content and ads into a single video stream. Because advertisers have to trust that the server is forwarding the correct data, including device IDs, app info, and IP addresses, fraud is difficult to measure in SSAI.
Buyers are unable to discern a fake bid request from a legitimate one, Dhar said, because they can’t measure or authenticate those requests after they leave an SSAI server, leaving the bad actors to trick advertisers into paying for ads that are never actually seen.
“Typical things that people use to track invalid or sophisticated traffic, a lot of that information is missing when you’re interacting with just a server,” said Shailley Singh, SVP of product management at the IAB Tech Lab, who added that such red flags are difficult for verification providers to immediately identify unless they’re integrated with a server. “You’re dependent on whatever the server is telling you and basically relying on whatever is coming in is true, and you’re responding to that. The advertiser is blind to a lot of information that they typically get when the interaction is client-side.”
Traditional verification methods, MMI claims, have largely been unable to detect scams like RapidFire because they’re relying on IP addresses to detect invalid activity in the bid stream.
MMI called on the industry to move away from relying solely on IP addresses to ensure measurement in CTV. MMI said there has also been a lack of enforcement among DSPs of the IAB Tech Lab’s app-ads.txt tool – aimed at reducing fraudulent in-app inventory in CTV by declaring authorized sellers – due to slow adoption by sellers.
“The DSP is where most verification is done, and so you only really have things like an IP address or app name for a user agent to be able to do verification on,” Dhar said.
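To illustrate the app-ads.txt enforcement discussed above, here is an added example (not from MMI's report or the IAB Tech Lab) of a buy-side check that compares the sellers declared in a bid request's supply chain with the app developer's app-ads.txt records. The file contents, domains, seller IDs and requests are constructed, and the check assumes the file has already been fetched for the app in the request.

```python
import json

# Constructed app-ads.txt body for a hypothetical app developer (not from the report).
APP_ADS_TXT = """\
# app-ads.txt for example-ctv-app
contact=adops@example-publisher.test
exchange-a.test, pub-1001, DIRECT, abc123
exchange-b.test, 77820, RESELLER
Exchange-C.test , 5512 , reseller   # trailing comment
"""

def parse_app_ads(text):
    """Return {(ad_system_domain, seller_account_id): relationship}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" in line.split(",", 1)[0]:
            continue  # blank, comment, or variable line such as contact=
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            continue  # malformed record: ignore rather than trust
        records[(fields[0].lower(), fields[1])] = fields[2].upper()
    return records

def check_bid_request(request_json, records):
    """Return (authorized, reasons) for one OpenRTB-style bid request."""
    req = json.loads(request_json)
    nodes = req.get("source", {}).get("ext", {}).get("schain", {}).get("nodes", [])
    if not nodes:
        return False, ["no supply chain declared"]
    reasons = []
    for node in nodes:
        key = (str(node.get("asi", "")).lower(), str(node.get("sid", "")))
        if key not in records:
            reasons.append("unauthorized seller %s/%s" % key)
    return not reasons, reasons

def _request(asi, sid):
    # Constructed request: same app bundle each time, only the seller changes.
    return json.dumps({"app": {"bundle": "com.example.ctvapp"},
                       "source": {"ext": {"schain": {"nodes": [
                           {"asi": asi, "sid": sid, "hp": 1}]}}}})

LISTED = _request("exchange-a.test", "pub-1001")      # seller appears in the file
UNLISTED = _request("unlisted-network.test", "9")     # seller the developer never declared
```

A pass here only shows that the seller is one the developer declared. It does not show that the impression was ever played on a device, which is the gap the article describes for SSAI.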
CTV ad spend is expected to jump 12% to $14 million next year, according to eMarketer, while programmatic spend is expected to climb more than 28% to $8.7 billion in 2022.
As ad dollars continue to flow into the space, MMI said that fraud has become pervasive and estimates that 50% of all RTB requests in CTV are counterfeit.
Some challenged the report’s findings.
Rob Aksman, president and co-founder of BrightLine, a CTV ad solution and measurement provider, said that RTB represents a very small portion of CTV buys. Most CTV inventory is bought directly, while programmatic buys are mainly done through private marketplace (PMP) deals.
“I continue to believe the threat here is overblown, as it is constrained mostly to just open RTB,” Aksman said. “The largest agencies are very careful about this, securing premium inventory and making it available in PMPs.”
Michael McNally, chief technology officer for cybersecurity company Human, estimated that the fraud rate for CTV in programmatic overall is only about 20%, adding that most suppliers provide a level of client-side transparency, including in RTB and PMP.
“That’s an extraordinary claim – a very bold claim,” said McNally. “What they’re describing is only a portion [of RTB] that lacks client-side telemetry where you have an SSAI server that doesn’t know anything about a device playing the ads.”
Human worked with investigators to take down the Methbot scam, which led to the conviction of self-proclaimed “King of Fraud” Aleksandr Zhukov in May. McNally added that some of the multimillion-dollar scams Human shut down also operated “fairly” openly with front companies.
Integral Ad Science also disputed MMI’s findings. “To say that 50% of CTV traffic available in exchange is counterfeit is not something we have seen due to the ever-evolving work we do to stay up to date and prevent future fraud,” said Chief Marketing Officer Tony Marlow.
And while BrightLine’s Aksman agreed that current verification approaches are insufficient in CTV, he disagreed that verification providers are only looking at IP addresses to authenticate traffic.
“There are specs and standards in place for ensuring that the required data parameters of the device are passed through, and any measurement vendor worth their salt would know to look for this,” he said. “That said, this is a spot where bad actors can make a play.”