DoubleVerify shuts down million-dollar CTV and mobile fraud scheme

DoubleVerify has quashed an "aggresive" connected TV and mobile fraud scheme that at its peak faked more than 3 million impressions a day and was on track to steal an estimated US$1 million per month in advertising inventory.

The botnet, called 'MultiTerra', created fraudulent inventory on mobile and CTV environments and leveraged stolen IP addresses to generate fake impressions.

The botnet siphoned media investment into its fraudulent inventory and hijacked existing IP addresses to artificially inflate impressions. It employed several user agents per IP to generate the impressions very quickly—then rotated them out and replaced them with new user agents. In just 20 minutes, a single IP in the botnet impersonated 16 different iPhone and Android phones, requesting nearly 50 impressions to at least nine different apps.

The fraud scheme was designed to leverage a high volume of impressions in a short span of time—as opposed to other fraud schemes that are designed to have a longer shelf life.

It generated more than 3 million fake impressions a day at its peak in CTV and mobile environments. If left undetected, the inventory value of the impression requests generated by MultiTerra was on track to reach over $1 million per month, according to DoubleVerify data.

The unusual traffic was first flagged by DoubleVerify’s machine-learning algorithms, which analyse billions of ad impressions daily. The Fraud Lab team then created an algorithm that detected and captured these IP addresses less than an hour after they had been taken over by fraudsters.

But the fraudsters behind 'MultiTerra' employed multiple techniques to evade detection, such as ensuring that each fake user was sufficiently “dressed-up” with the right properties to make it appear innocent, and changing its behavioral patterns every few days.

While DoubleVerify was able to track and block the botnet as it moved between IPs, within a few days  'MultiTerra' began changing its underlying behavior.

In its report on the fraud scheme, DoubleVerify noted that "this has happened with botnets before, but in this instance it was much faster and even more drastic".

After several weeks of cat-and-mouse, in which the botnet transformed twice to evade DoubleVerify's blocks, the scheme eventually shut down—50 days after it was first detected.

Connected TV is one of the channels that has been boosted during Covid-19 as consumers spend more time at home. For example, major DSP The Trade Desk reported a 40% year-on-year increase in CTV spend in Q2, more than double the growth of other channels like mobile and audio. Since fraud follows the money, it has also become a major focus for many fraud-detection firms over the past year.

In a recent report, DoubleVerify found CTV to record the highest volumes of fraud of any device, with  fraudulent CTV traffic rates increasing by 161% in Q1 2020 compared with the same period the previous year. Since March 2019, DoubleVerify has identified 1,300 fraudulent CTV apps—60% of which it discovered in 2020.

In April, cybersecurity and ad verification firm White Ops uncovered what at the time was said to be the largest-ever connected TV fraud operation in history, affecting more than 300 publishers and millions of dollars in ad spend. The ad fraud operation, named Icebucket, spoofed at least 2 million IP addresses from over 30 countries, and at one point accounted for nearly 28% of the total programmatic CTV traffic White Ops had visibility into—equivalent to around 1.9 billion ad requests per day.

In January, DoubleVerify launched what it claimed was the industry’s first connected TV targeting certification, in which it certifies programmatic partners that have demonstrated the ability to prevent fraud and invalid traffic within the CTV space. In order to be certified for CTV targeting, an adtech provider must apply DoubleVerify’s pre-bid app and device fraud protection for CTV inventory transactions.

(This article first appeared on CampaignAsia.com)