The CTV Fraud Arms Race is Escalating

12 January, 2021 

When VAN asked two years ago whether the ad industry was winning the war against fraud, CTV was identified as being fertile new ground for fraudsters.

Now, with CTV viewing booming, fraud has also risen as fraudsters exploit relatively weak protections in search of CTV’s high CPMs. Media verification company DoubleVerify found last year that CTV’s fraud rate increased by 73 percent, and there was a 225 percent increase in fraudulent traffic, due mainly to overall CTV traffic increasing.

We’ve also seen a number of large-scale CTV fraud operations uncovered in the past few years including ICEBUCKET, DiCaprio, and Monarch. Just last month, Oracle discovered and shut down StreamScam, which is claimed was the largest CTV ad fraud scheme in history.

Some, like cybersecurity and anti-fraud consultant Dr. Augustine Fou, believe the frequency with which these schemes are being uncovered shows that the problem is getting worse.

Fou says that the growth in ad spend on CTV, CTV’s high prices, and lax protections on CTV devices create a “perfect storm” for fraudsters. “In CTV, there’s less fraud detection available, because CTV devices don’t have full browsers and so cannot run the javascript tags which are used by fraud detection companies to pick up fraud and bots,” he said.

Fou added that growth in viewing figures in CTV environments during the pandemic has provided cover for fraudsters, making artificially inflated impression counts look more plausible.

Others working in the space say that while fraudsters certainly are gravitating towards CTV, tempted by high CPMs, the industry is getting better at detecting and shutting down illicit schemes.

Tanzil Bukhari, managing director, EMEA at DoubleVerify, believes the industry is heading in the right direction.

“I do think we understand CTV fraud and how to fight it better than we did, but we’re still in the early stages,” he said. “Transparency in CTV is very limited, and spoofing impressions on reputable apps is quite easy compared to digital environments.”

Bukhari added that one area of improvement has been levels of awareness around the issue. “I think the first thing that we’ve seen is that more people are asking about CTV fraud and are aware that it’s important to deal with,” he said. “If you go back a few years, many people would have just said that since CTV hadn’t really scaled yet, it wasn’t that big of a concern. But that’s changing now.”

Attack and defence are both maturing

Joe Tallett, senior detection engineer at fraud detection company White Ops, said that over the past few years we’ve seen increased sophistication in both fraud detection, and the techniques used by fraudsters themselves.

“For me, it feels like we’re on the curve towards maturity on both the attack and the defence side,” he said. “Some of the big attacks you’d have heard about two years ago were very unsophisticated, and they would still work. Now fraudsters are upping their game in tandem to us, and attacks tend to be pretty sophisticated and well funded nowadays. But I think overall we’re doing a better job now, we have a feel for the size of the problem and we find attacks quite promptly.”

Bukhari agreed that successful fraud schemes tend to be more complex now than they were in the past.

“We’ve seen recent schemes like LeoTerra (a CTV fraud scheme uncovered by DoubleVerify last month), which have demonstrated the need to keep an eye on how fraudsters are adapting,” he said. “The behaviour that schemes like LeoTerra exhibit can change literally from one impression to the next. Recognising those changes so we can detect those schemes is an ongoing challenge.”

There are still, as Fou suggested, inherent vulnerabilities in tech used for CTV ad delivery.

Server-side ad insertion (SSAI), commonly used in CTV thanks to its ability to provide seamless, TV-like ad transitions, is hard for anti-fraud companies to grapple with according to White Ops’ Tallett.

“With SSAI, you effectively have to trust an SSAI server,” he said. “The SSAI server says to the ad vendor or buyer, ‘We’ve got a device here, we’re not going to connect it directly to your servers, but here’s some information about the device’. We never get any on-device signal collection capability, which makes things quite difficult.”

Malicious SSAI ad servers are therefore able to quite easily spoof devices to create artificial impressions.

Bukhari added that CTV environments’ heavy use of the VAST standard for ad delivery means they’re also less well protected. “When it comes to video, VPAID (a newer standard for ad delivery) has added a lot of extra protection and transparency in that space,” he said. “But the majority of environments that CTV runs on use VAST, so that same level of detail and granularity isn’t there. But you can work around that, and we recently released a set of solutions to provide more detail in VAST environments as well as in VPAID.”

Time for buyers to take control

As these technological weaknesses are ironed out, both Bukhari and Tallett believe the industry is well placed to get a firm handle on CTV fraud, increasing buyers’ confidence in the space.

Escalation of both attacks and defences against fraud might make the war against fraud seem like an unending battle. But as defences improve, the costs for fraudsters go up, meaning fewer bad actors actually have the resources to run fraud operations.

Joe Tallett pointed to progress made in the display space. “If you look at 3ve (a massive bot operation uncovered by Google and White Ops in 2018), that was a multi-year team project with significant investment. Those sorts of schemes require more sophisticated defences. But they also show the lengths fraudsters have to go to, and how you can make ad fraud much more niche and costly.”

Bukhari added that the industry is well placed to get on top of the issue while CTV’s scale is still relatively small in EMEA, and that buyers should feel confident so long as they make sure they work directly with the right suppliers and vendors.

One buyer already taking this approach is Publicis Media. Emma Morris, head of investment and managing partner at Publicis-owned media agency Starcom UK, said her company has set up its own certification process to identify trustworthy suppliers. “New or old, we’ll only use suppliers that are Publicis Verified,” she said. “Publicis Verified is our certification process that indicates a vendor has met what we believe to be industry leading standards for brand safety, ad fraud, consumer privacy and client data protection.”

Morris said that taking this approach means Publicis feels comfortable ramping up investment in CTV advertising. It has also helped the agency understand some of the nuances in how inventory may sometimes appear fraudulent when it’s actually legitimate.

“In the UK a large proportion of CTV inventory is supplied/sourced from UK broadcasters such as ITV and Channel 4 who have a very strong user login setup to ensure fraudulent views are eradicated,” she said. “For the new suppliers available to advertisers that do not have the BVOD heritage of users and/or infrastructure, [the threat of fraud] is not necessarily slowing down our investment. We’ve learnt by working with them that a large amount of suspected ‘fraud’ is actually the result of a lack of a device ID due to GDPR restrictions (the result of the providers being compliant with GDPR and therefore the details of the audience cannot be shared) and/or just the general setup of smart TVs and the way that consumers log into them.”


About the Author:

Go to Top