Private Relay used to commit Ad Fraud?
Private Relay is an additional feature included with an iCloud+ subscription that hides your Safari browsing activity not only from website operators but also from your Internet Service Provider. Although it was designed to protect the identity and privacy of Apple device users, according to a study conducted by Pixalate and described on gizmodo.com, it is also being used by fraudsters to commit ad fraud at scale.
How does Private Relay work?
Private Relay routes Safari traffic through two separate relays. The first is operated by Apple: it sees the user's real IP address but not the site being requested, because the DNS query and the destination are encrypted before they reach it. The second is operated by a third-party partner: it cannot see the user's real IP address; its task is to decrypt the name of the requested site, assign the user a temporary egress IP address from a pool of ranges reserved for this purpose (Apple publishes the list of these ranges online) and connect the user to the site. Because the information is split between the two hops and encrypted in between, no single party can link who the user is to what they are visiting in Safari. According to Apple:
“iCloud Private Relay is designed to protect your privacy by ensuring that when you browse the web in Safari, no single party — not even Apple — can see both who you are and what sites you’re visiting.”
What about advertisers, publishers and other online marketing entities?
Of course, the new Apple feature is meant to protect the user from tracking and profiling, but at the same time it makes life very difficult for advertisers and other online advertising entities that rely on IP addresses to identify fraudsters. Since you cannot see the user's real IP address, you cannot be sure whether a given piece of traffic is legitimate. According to Apple, though, there is nothing to worry about; you just have to take their word for it. In several public statements, the company providing the service claimed that Private Relay has “built-in fraud protection” and that “only valid Apple devices and accounts in good standing can use it”. Apps, websites and ad-tech companies are therefore expected to assume that traffic from the IP addresses published by the Internet giant represents real people and real devices. However, one thing has not been taken into account…
Has Private Relay contributed to ad fraud on a massive scale?
While this is certainly not intentional on Apple's part, according to Pixalate's study this is exactly what happened. Ad-fraud operators are very inventive, and the list of Private Relay IP ranges is public, so nothing is easier than claiming one of those addresses and posing as a Private Relay user. Admittedly this is a major simplification: what gets "impersonated" is not the network connection itself but the IP address reported to ad platforms, which in programmatic advertising is usually passed along as a field in the ad request rather than observed directly.
According to Pixalate, scammers take advantage of Apple's trust and the complexity of the technology by inserting IP addresses from the Private Relay list into the traffic they send to ad platforms, so that it appears to originate from Private Relay and is treated as free of any suspicion. According to Amit Shetty, vice president of product at Pixalate:
“Apple says you can trust that connections through Private Relay are secure and free of fraud, so scammers are just presenting their traffic as coming from Apple (…)”.
To identify this type of fraud, Pixalate used several techniques, including analysis of where the traffic originated. Some of the findings were straightforward: Private Relay is only available in Safari, yet the researchers found IP addresses from Apple's list paired with Firefox user agents or with devices not made by the Internet giant, which in theory should be impossible. In addition, since the egress IP address is assigned by the second relay rather than by Safari itself, Pixalate reasoned that it should remain the same for the whole browsing session, until the browser is closed; yet in some of the sessions Pixalate examined, the address from Apple's list changed several times. The researchers also noticed that some of the traffic claiming to come from Private Relay was generated in data centers frequently used by fraudsters. Ian Trider, vice president of real-time bidding operations at Basis Technologies, who worked with Pixalate on this research, stated that:
“It makes a great deal of sense that spoofing those values would be a way to get inventory into ad tech platforms that would otherwise be thrown away for looking suspicious”.
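The three signals Pixalate describes above (a non-Safari or non-Apple user agent behind a Private Relay address, an egress address that changes within one session, and traffic that actually arrives from a data-center network) can be checked mechanically against the published egress ranges. The script below is an added example written for this page, not Pixalate's or Apple's code. The egress ranges, the data-center ranges and the ad-request records in it are constructed from documentation address blocks; the CSV column layout and the record field names (claimed_ip, peer_ip, session_id, user_agent) are assumptions; and the Safari-only and one-IP-per-session rules simply encode the study's assumptions as stated above.

```python
"""Heuristic checks for ad requests that claim an iCloud Private Relay egress IP.

Added example. Apple publishes its egress ranges as a CSV of CIDR blocks; the
ranges and records below are CONSTRUCTED (RFC 5737 / RFC 3849 prefixes), the
CSV layout and the record field names are assumed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed stand-in for Apple's list; layout (cidr,country,region,city) assumed.
PRIVATE_RELAY_CSV = """\
203.0.113.0/25,US,US-CA,Los Angeles
203.0.113.128/25,US,US-NY,New York
2001:db8:100::/48,US,US-TX,Dallas
"""
# Constructed stand-in for a hosting / data-center network list.
DATA_CENTER_CSV = "198.51.100.0/24\n"


def load_ranges(text):
    """Parse the first column of every non-empty CSV row into an ip_network."""
    nets = []
    for row in csv.reader(io.StringIO(text)):
        if row and row[0].strip():
            nets.append(ipaddress.ip_network(row[0].strip(), strict=False))
    return nets


PRIVATE_RELAY_NETS = load_ranges(PRIVATE_RELAY_CSV)
DATA_CENTER_NETS = load_ranges(DATA_CENTER_CSV)


def in_ranges(ip, nets):
    """True if ip lies in any network; v4/v6 mismatches simply compare False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def claims_private_relay(record):
    return in_ranges(record["claimed_ip"], PRIVATE_RELAY_NETS)


def check_record(record):
    """Per-request checks. Returns reasons the request is inconsistent with a
    genuine Private Relay user; an empty list means no single-request signal."""
    reasons = []
    if not claims_private_relay(record):
        return reasons  # ordinary traffic, out of scope here
    ua = record["user_agent"]
    # The study treats Private Relay as Safari-on-Apple-hardware only. Chrome's
    # UA also contains "Safari", so it is excluded explicitly (coarse heuristic).
    if "Safari" not in ua or "Chrome" in ua or "Firefox" in ua:
        reasons.append("non-Safari user agent behind Private Relay IP")
    if not any(p in ua for p in ("iPhone", "iPad", "Macintosh")):
        reasons.append("non-Apple platform behind Private Relay IP")
    # The IP field in an ad request is a claim. When we terminated the TCP
    # connection ourselves, the peer must be the relay egress; a hosting
    # network as peer means someone upstream filled the field in.
    peer = record.get("peer_ip")
    if peer and peer != record["claimed_ip"] and in_ranges(peer, DATA_CENTER_NETS):
        reasons.append("connection came from a data-center IP, not the claimed relay IP")
    return reasons


def check_sessions(records):
    """Session-level check mirroring the study's assumption that one browsing
    session keeps one egress address. Returns {session_id: set_of_claimed_ips}."""
    seen = defaultdict(set)
    for r in records:
        if claims_private_relay(r):
            seen[r["session_id"]].add(r["claimed_ip"])
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


def triage(records):
    """Combine both checks; returns {session_id: sorted list of reasons}."""
    findings = defaultdict(set)
    for r in records:
        for reason in check_record(r):
            findings[r["session_id"]].add(reason)
    for sid in check_sessions(records):
        findings[sid].add("Private Relay IP changed within one session")
    return {sid: sorted(rs) for sid, rs in findings.items()}


SAFARI_IOS = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1")
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15")
FIREFOX_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"

# Constructed ad-request records.
SAMPLE_RECORDS = [
    # s1: consistent Private Relay user, and the relay egress was our TCP peer.
    {"session_id": "s1", "claimed_ip": "203.0.113.10", "peer_ip": "203.0.113.10", "user_agent": SAFARI_IOS},
    # s2: claims a relay IP but is Firefox on Windows arriving from a hosting network.
    {"session_id": "s2", "claimed_ip": "203.0.113.200", "peer_ip": "198.51.100.7", "user_agent": FIREFOX_WIN},
    # s3: plausible UA, but the relay IP changes mid-session (no peer: received via bid request).
    {"session_id": "s3", "claimed_ip": "203.0.113.20", "user_agent": SAFARI_MAC},
    {"session_id": "s3", "claimed_ip": "203.0.113.130", "user_agent": SAFARI_MAC},
    # s4: not a Private Relay address at all; ignored by these checks.
    {"session_id": "s4", "claimed_ip": "192.0.2.5", "user_agent": FIREFOX_WIN},
]

if __name__ == "__main__":
    for sid, reasons in triage(SAMPLE_RECORDS).items():
        print(sid, "->", "; ".join(reasons))
```

The design point worth taking away is the split between claimed_ip, which an ad platform receives as a field in the request and which anyone upstream can set to a published Private Relay address, and peer_ip, which is only meaningful when the platform terminated the connection itself. The per-record and per-session checks are kept separate because the session check still works for records that arrive, as in real-time bidding, without any observable peer.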
BOT ring
Pixalate also found that IP addresses claiming to be Private Relay appeared in a kind of ad fraud known as a “bot ring”, in which malicious bots posing as users visit only a few specific websites or apps. In this case it was nine popular ad-supported sites, including E! Online, ESPN, Major League Baseball, NBC News and Weather.com.
The findings of the study are terrifying!
As reported on the Gizmodo website, Pixalate's study found that up to 90% of the Internet traffic that appears to come from Private Relay is in fact fake, and that ad fraud of this kind cost US advertisers around $65 million in 2022 alone!
How did Apple react?
Pixalate first reported the issue last August, but despite repeated requests for comment, Apple has neither responded to the study nor commented on its results.