DoubleVerify uncovers another record-breaking CTV fraud scheme

CTV (connected TV) continues to be a lucrative target for fraudsters. In January, DoubleVerify identified and blocked what it says is the biggest CTV fraud scheme to date—which operated a network of spoofed devices and IPs that was triple the size of the next biggest scheme the company has witnessed.

The operation, which DoubleVerify has called 'ParrotTerra', was facilitated through server-side ad insertion (SSAI) technology, in which ads are "stitched" into a piece of video content.

Fraudsters have found ways to dupe the SSAI server that is responsible for both putting out ad requests to fill the ad breaks and reporting on metrics to the buy-side, by spoofing CTV devices and generating fake traffic. In a typical SSAI fraud scheme, the fraudster spoofs legitimate devices and apps and use the spoofed details to send fraudulent ad requests into the ecosystem.

DoubleVerify identified its first large-scale SSAI ad fraud scheme, dubbed 'Colorius', in 2018. Since then, it said it has uncovered "at least" eight additional SSAI fraud schemes, each larger than the last. CTV is an attractive target for fraudsters due to its high CPMs, typically upwards of US$20, according to Emarketer estimates.

'ParrotTerra', like other SSAI schemes, worked by generating fake CTV inventory across countless apps, IPs and devices. It was spoofing 3.7 million device signatures and 2.7 million IP addresses each day before it was blocked. DoubleVerify said that ParrotTerra could have defrauded advertisers and publishers of "millions of dollars" if left undetected.

This is three times the size of the daily operation of 'LeoTerra', which previously held the title as the biggest CTV fraud scheme DoubleVerify had identified. 'LeoTerra' was first identified by DoubleVerify in July 2020 and later resurged in December 2020, when it was identified by Oracle Moat. Oracle said the scam spoofed more than 28.8 million US household IP addresses, including approximately 3,600 apps and 3,400 unique CTV device models. 'LeoTerra' has morphed multiple times to evade blocking—DoubleVerify identified a total of five variants over the past six months, including two in January.

Where 'LeoTerra' maintained a steady impression volume as it went through its mutations, the newer 'ParrotTerra' exhibited different behaviour. It began by testing its manipulation on a smaller scale before rapidly progressing into high volumes. DoubleVerify said the change in behaviour shows that SSAI fraud schemes are now looking to act quickly to siphon as much ad money as possible before being shut down.

Before 'LeoTerra', cybersecurity and ad verification firm White Ops uncovered what they reported at the time was the largest-ever connected-TV fraud operation in April last year. 'Icebucket' counterfeited more than 300 different publishers and spoofed at least 2 million IP addresses from over 30 countries. At its peak, it generated around 1.9 billion ad requests per day.

CTV fraud impressions more than tripled (220% increase) in 2020 versus 2019, according to DoubleVerify's data.