DoubleVerify, a verification and ad fraud prevention company, says it has uncovered a new form of connected TV (CTV) ad fraud called ‘legitimacy cloaking’. The technique sees fraudsters use public domain TV and film content to get verified by the major CTV platforms, in order to commit fraud through third-party sellers. DoubleVerify says legitimacy cloaking has been used by hundreds of apps in the Roku ecosystem over the past 12 months, and by many more on other major CTV platforms such as Apple TV and Amazon Fire.
Legitimacy cloaking has three major steps.
Firstly, fraudsters use public domain video content to create CTV apps. Public domain content, where copyright protections have expired, can be freely altered, shared, copied, and republished. It is legitimate content, but since it’s so old that its copyright has expired, it is unlikely to be particularly popular or desirable. DoubleVerify said the content used by fraudulent apps it uncovered tended to be silent films, old westerns, and vintage cartoons.
Fraudsters can easily find freelance developers who can repackage this content into a CTV app for a few dollars, according to DoubleVerify. Or in some cases they will use tools provided by CTV platforms which are designed to let legitimate publishers easily create their own CTV apps.
Next, fraudsters submit these apps to be distributed on the major CTV platforms’ stores (DV give the examples of Roku, Amazon Fire and Apple TV). The public domain content is usually enough to make the app appear legitimate to the platforms.
Once an app is available on the major platforms, ad tech partners will then tend to trust them too. Apps which have been accepted by Roku, Amazon Fire TV and Apple TV face less rigorous checks when they create seller accounts with third-party monetisation platforms. These third-party monetisation platforms give the fraudsters more control over how they sell impressions, and offer lower protections against fraud.
The final step is to exploit vulnerabilities in server-side ad insertion (SSAI), a common method for serving ads in CTV environments, to generate fake impressions. With SSAI, information about an impression opportunity is usually self-declared, meaning fraudsters can send across entirely false signals to buyers.
Fraudsters may set up fake SSAI servers, or use existing ones, to completely falsify all the information about an impression, thereby generating fake traffic. Or they can use alternative methods, such as reselling display impressions as video impressions, or manipulating the information they send back to the buyer to show the traffic originating from mobile devices actually came from CTV devices.
DoubleVerify says that there are ways to detect and avoid these schemes. The IP address of an SSAI server can be one clue. DoubleVerify says it works to distinguish between IP addresses of legitimate SSAI servers, and those of fraudulent servers.
Perhaps unsurprisingly, DoubleVerify says the problem stems from the lack of third-party measurement on CTV platforms. On Roku for example, DV cannot currently measure impressions sold directly through Roku. So while it may seem unlikely that what one might assume is an seemingly unpopular app is generating thousands of impressions each day, it’s hard to verify that this traffic is fraudulent without seeing Roku’s own data.
DoubleVerify also called for progress on industry standards to help eliminate fraud. This echoed calls from fellow fraud prevention company White Ops earlier this year when it covered another CTV fraud scheme called ICEBUCKET. White Ops said that standards like app-ads.txt can help prevent CTV fraud, but adoption is currently low, preventing it from really being effective.