ICEBUCKET group mimicked smart TVs to steal ad money

White Ops: The ICEBUCKET operation is the largest case of SSAI spoofing that has been uncovered to date.
Written by Catalin Cimpanu, Contributor
set-top box, remote control, smart TV

Cybersecurity firm and bot detection platform White Ops has discovered a massive online fraud operation that for the past few months has been mimicking smart TVs to fool online advertisers and gain unearned profits from online ads.

White Ops has named this operation ICEBUCKET and has described it as "the largest case of SSAI spoofing" known to date.

According to a report published today and shared with ZDNet, the ICEBUCKET group operated by abusing the Server-Side Ad Insertion (SSAI) technology.

Online advertisers use SSAI servers as an intermediary between their ad platforms and end-users. SSAI servers work by sending ads to apps running on consumers' devices. These devices can be computers, smartphones, tablets, smart TVs, streaming boxes, and Chromecast-like devices.

SSAI servers are popular today because they don't hinder an app's code and allow advertisers to control ads shown on consumer devices in real-time.

Image: White Ops

But White Ops researchers say that the ICEBUCKET group has discovered weaknesses in the SSAI server communications mechanism.

For the past months, the gang has been using this weakness to connect to SSAI servers and request ads to show on non-existing devices.

Because CPMs (cost per 1000 impressions) rates paid for ads displayed on smart TVs and other connected TV devices are higher than others, the ICEBUCKET group focused most of its efforts on spoofing these two types of devices.

White Ops says ICEBUCKET primarily spoofed CTV (Connected TV) devices, such as Roku streaming units, Samsung Tizen smart TVs, the now-defunct GoogleTV, and Android-based streaming devices.

Image: White Ops

White Ops says ICEBUCKET spoofed more than 1,000 different device types (user-agents) using more than 2 million IP addresses located across more than 30 countries. Most of the bad traffic came from smart TVs located in the US, the company said.

At its peak in January, White Ops says the ICEBUCKET gang generated around 1.9 billion ad requests to SSAI servers per day.

The operation was so large that almost two-thirds of the CTV SSAI ad traffic in the month of January 2020 came from non-existing devices that were set up by the ICEBUCKET crew.

Unclear who is behind the ICEBUCKET

Furthermore, the ICEBUCKET gang used more than 300 app identifiers to request the ad traffic on behalf of the non-existent devices. These app IDs are the apps and financial mechanisms through which the group collected their ill-gotten ad profits.

However, at the time of writing, the investigation into the ICEBUCKET gang is still ongoing.

White Ops says it hasn't yet been able to tell if the ICEBUCKET gang operated the 300 app IDs by itself, or if the gang operated only a small number of these, and sent fake ad traffic to other apps to hide their tracks.

There is also a second possibility that ICEBUCKET is running a Fraud-as-a-Service platform that allows app developers to order fake "ad displays" for their apps, to make a profit.

"At this point, we cannot make a conclusive determination between these two possibilities. There is the possibility that both of these options could be at play, depending on the particular subset of the
traffic in question," the White Ops team said.

Going forward, White Ops experts believe campaigns similar to ICEBUCKET will multiply. The primary reasons are that SSAI is widely used across the industry, opening the door for broad abuse, and because the high CPMs rates paid for smart TVs users will most likely also attract ICEBUCKET copycats.

Europol’s top hacking ring takedowns

Editorial standards