Smart TV with featured apps on android television screen showing CTV botnets committing ad fraud

HUMAN, Google, Roku, and Others Uncover a Sophisticated Ad Fraud Campaign Involving CTV Botnets

HUMAN’s Satori Threat Intelligence and Research Team discovered a massive sophisticated operation to defraud the connected TV (CTV) advertising ecosystem.

The ad fraud operation involved the use of PARETO CTV Botnets to impersonate millions of people watching ads. Its name was derived from the Pareto economic principle stating that 80% of impact originates from 20% of the actors.

HUMAN, (formerly White Ops) collaborated with The Human Collective comprising of Omnicom Media Group, The Trade Desk, and Magnite, and key CTV industry players such as Google and Roku.

Ad fraud deployed millions of CTV botnets to impersonate human audience

The threat actors behind PARETO tricked the technology firms and advertisers into believing that their ads were shown on CTVs.

They deployed nearly one million infected mobile Android devices pretending to be millions of connected TV users interacting with the ads. They targeted CTV products running Fire OS, tvOS, Roku OS, and other popular CTV platforms.

Coincidentally, Roku said it detected a small ad fraud operation linked to the CTV botnets belonging to one developer on Roku’s Channel Store. The apps communicated with the command-and-control (C2) server controlling the PARETO CTV botnets. The ad fraud operation involved about 29 infected apps and affected less than 0.5% of active Roku devices globally.

“In short, PARETO is nearly a million infected mobile Android devices pretending to be millions of people watching ads on smart TVs and other devices,” the report authors said. “The botnet used dozens of mobile apps to impersonate or spoof more than 6,000 CTV apps, accounting for an average of 650 million ad requests every day.”

Ad fraud operation shows deep understanding of adtech

HUMAN Chief Scientist Michael McNally said the most striking characteristic of the ad fraud operation was that the threat actors behind PARETO CTV botnets had a deep understanding of the aspects of advertising technology.

McNally added that the threat actors used their extensive knowledge to their advantage to hide their work within the CTV ecosystem. They also exploited the noise caused by increased web traffic during the pandemic.

They also applied sophisticated techniques such as low-level network protocol spoofing to avoid detection, according to the report.

HUMAN CEO and Co-Founder Tamer Hassan said brands should join forces to ensure ad fraud was recognized and eliminated to protect the CTV advertising supply chain.

Google and Roku removed the CTV botnets from their platforms and disconnected their services after the discovery. They also alerted their customers of the ad fraud campaign and advised them to avoid buying from unreliable suppliers.

“Finally, after a year of this continuous and effective threat identification and resolution, and driven by a sequence of countermeasures and PARETO adaptations, HUMAN and its partners—including Omnicom Media Group, The Trade Desk, Magnite, Google, and Roku—disrupted the operation,” the report said.

DoubleVerify also uncovered another ad fraud campaign involving OctoBot and multiple variants such as SneakyTerra and MultiTerra CTV botnets.

OctoBot made about $1 million per month in ad impressions, while SneakyTerra raked about $5 million.

Ads on CTVs are always priced higher than those published on other advertising platforms such as mobile or web. Given the lifetime of the ad fraud campaign, the total loses incurred from the operation could amount to billions.