The fraud Lab of digital media measurement, data and analytics firm DoubleVerify (DV) has discovered a new variant of the LeoTerra advertising fraud scheme designed to falsify connected TV (CTV) traffic.
DV says connected TV (CTV) advertisers in the US spent $14.44 billion last year on CTV and, at its current pace, that number is expected to grow to $27.5 billion by the end of 2025. As revenue opportunities in CTV grow rapidly, so does the opportunity for fraud
LeoTerra is a server-side ad insertion (SSAI) scheme that is part of an extensive operation of SSAI schemes known as OctoBot. To spoof large numbers of devices, fraudsters often use online device information sources, where they download lists of devices and incorporate the device information inside their falsified ad requests. This makes it appear as if their fraudulent traffic is coming from millions of different devices.
The DV Labs report shows how the new LeoTerra variant spoofs Internet of Things (IoT) devices, including smart refrigerators and smart watches, in an attempt to hide fraudulent behaviour. DV estimates that LeoTerra’s latest variant has cost unprotected advertisers up to $10 million this year alone.
In some cases, online device lists also include unique or invalid device information. The fraudsters behind LeoTerra downloaded an entire list of CTV and mobile devices from one of the popular online device information providers. This list, however, included more than just CTV and mobile devices – it also included IoT devices. Through the unique and invalid devices, DV accurately identified the fraudsters’ source for extracting their spoofed device data, catching the new variant and continuing to block its impact for customers.
DV added that as the industry has become more aware of CTV fraud’s scale and impact, fraudsters are evolving to evade detection, with more schemes mutating or changing their initial approach. To date this year, for example, DV’s Fraud Lab has caught and stopped six new SSAI variants aimed at falsifying CTV traffic.
“This latest iteration of LeoTerra shows how fraudsters are always looking for new ways to avoid detection,” said Roy Rosenfeld, head of DV’s Fraud Lab. “It also highlights how easily they spoof millions of devices by simply rotating through device lists that are free and easily accessible online. LeoTerra is continuously shifting patterns in its attempts to evade detection. In the first half of 2022 alone, DV identified and flagged three new variants of the LeoTerra scheme. These three variants, including the one impersonating IoT devices, have spoofed more than 92 million devices during H1 and up to 3.5 million device signatures each day.”
LeoTerra is a server-side ad insertion (SSAI) scheme that is part of an extensive operation of SSAI schemes known as OctoBot. To spoof large numbers of devices, fraudsters often use online device information sources, where they download lists of devices and incorporate the device information inside their falsified ad requests. This makes it appear as if their fraudulent traffic is coming from millions of different devices.
The DV Labs report shows how the new LeoTerra variant spoofs Internet of Things (IoT) devices, including smart refrigerators and smart watches, in an attempt to hide fraudulent behaviour. DV estimates that LeoTerra’s latest variant has cost unprotected advertisers up to $10 million this year alone.
In some cases, online device lists also include unique or invalid device information. The fraudsters behind LeoTerra downloaded an entire list of CTV and mobile devices from one of the popular online device information providers. This list, however, included more than just CTV and mobile devices – it also included IoT devices. Through the unique and invalid devices, DV accurately identified the fraudsters’ source for extracting their spoofed device data, catching the new variant and continuing to block its impact for customers.
DV added that as the industry has become more aware of CTV fraud’s scale and impact, fraudsters are evolving to evade detection, with more schemes mutating or changing their initial approach. To date this year, for example, DV’s Fraud Lab has caught and stopped six new SSAI variants aimed at falsifying CTV traffic.
“This latest iteration of LeoTerra shows how fraudsters are always looking for new ways to avoid detection,” said Roy Rosenfeld, head of DV’s Fraud Lab. “It also highlights how easily they spoof millions of devices by simply rotating through device lists that are free and easily accessible online. LeoTerra is continuously shifting patterns in its attempts to evade detection. In the first half of 2022 alone, DV identified and flagged three new variants of the LeoTerra scheme. These three variants, including the one impersonating IoT devices, have spoofed more than 92 million devices during H1 and up to 3.5 million device signatures each day.”
