Ad Fraud related to CTV advertising called CycloneBot could cause losses to advertisers of $7.5 million per month!
source: own elaboration
Experts at DoubleVerify's Fraud Lab, a digital media measurement and analysis company, continuously monitor invalid traffic (IVT) and use artificial intelligence, machine learning, and manual review processes to identify new forms of fraud and prevent them in real time. While carrying out a series of activities to ensure clients protection in the constantly evolving digital environment, DoubleVerify specialists detected ad fraud related to CTV advertising.
Fraudsters spoofed continuous sessions to imitate real CTV users and mixed fake traffic with legitimate server-side ad insertion (SSAI) traffic, which made detecting this ad fraud particularly difficult. The mechanism used in this scam generated fake CTV traffic on various platforms. The scale of the phenomenon was gigantic - up to 250 million forged ad requests were sent and approximately 1.5 million devices were impersonated per day, and if estimates are relevant, fraudsters could obtain monthly revenues of up to $7.5 million (the average CPM in CTV = $20 was used to calculate this value).
The fraudsters behind this advertising scam forged device and app identifiers and additional parameters while using sophisticated new techniques to avoid detection. CycloneBot owes its name to its cyclical operation - one of the tactics used in this ad fraud involved spoofing longer CTV sessions for each device, which resembled the activity of real users and helped blend in with legitimate traffic related to server-side ad insertion (SSAI). This was unusual, because in the case of other already detected advertising frauds (such as LeoTerra), fraudsters generated the same number of artificial views from different devices - and then replaced it with new one - making it easier to notice the pattern of the program's behavior. For comparison, devices impersonated by CycloneBot generated four times more traffic, on average, than in case of other detected ad frauds related to CTV.
“CycloneBot represents a new level of sophistication in ad fraud. Its ability to mimic human behavior and evade detection has posed unprecedented challenges” said Mark Zagorski, Chief Executive Officer at DoubleVerify.
DoubleVerify and Roku Collaboration.
The fraud was revealed thanks to the cooperation of DoubleVerify and Roku. These two companies joined forces at the initial stage of detecting the fraud. Fraud Lab specialists used additional signals provided by Roku’s Advertising Watermark to detect CycloneBot, which helped identify it and limit its scale of operation. Roku’s Advertising Watermark is another layer of protection, primarily intended to prevent SSAI fraud. It uses technology that allows measuring signals on the Roku platform, thanks to which advertisers can verify the advertisement and be sure that their funds were spent on real views made by real users. Thanks to this, Roku was also able to assure advertisers using this channel that no incorrect ad impressions were sold or purchased from Roku as a result of this ad fraud.
Collaborative efforts have highlighted the continued need for comprehensive protection against increasingly sophisticated invalid traffic (IVT). This isn't the first time that DV's partnership with Roku has proven effective - earlier this year, the cooperation of these entities led to the detection of another ad fraud - SmokeScreen (in this case, the fraud was committed via fraudulent screensavers installed by users). It's also worth noting here that CycloneBot on multiple platforms included apps related to SmokeScreen.
"Roku’s Advertising Watermark is proving to be essential in the fight against ad fraud. It ensures transparency and validation, safeguarding advertisers while enhancing the TV streaming experience. With DoubleVerify, we're powering a more transparent and fraud-free advertising landscape." - said Louqman Parampath, Vice President, Product Management, Advertising at Roku.
Once CycloneBot was identified, the DV Fraud Lab implemented an initial round of mitigation measures, which immediately yielded satisfactory results. The following week, DV launched a second set of mitigation measures to make it even more difficult for ad fraudsters to operate. As of today, CycloneBot remains active, but its new variants are quickly detected by DoubleVerify and then disposed.
The CycloneBot reveal highlights the value of partnerships in securing the CTV advertising ecosystem. However, it should be remembered that this isn't the end of the story - fraudsters are constantly adapting their methods to the latest trends and improving their ability to properly mask their fraudulent practices.