About $15m in advertising booked to appear on millions of smart TVs was never seen by anyone, says Oracle

Oracle on Thursday said it has uncovered the largest fraud campaign yet targeting businesses booking advertising in video streams showing on so-called "smart" televisions.

The campaign, dubbed StreamScam by Oracle, supposedly exploited Server-Side Ad Insertion (SSAI) technology, used to inject ads into video streams, by generating records that ads had been displayed (ad impressions) without actually presenting any ads to anyone. Who exactly was behind this fraud is not yet clear, and still said to be under investigation: it could be crooks paid to artificially inflate ad impressions, or could be someone involved in brokering the ads to ensure ad impression targets are met one way or another. Due to the complexities of digital advertising, it can be hard to determine.

Whoever they are, in just four months the scammers are estimated to have conjured up almost $15m worth of fraudulent billings to advertisers without providing anything in return, based on a cost-per-thousand impressions (CPM) of $20, Oracle told The Register. We understand the final amount billed may be reduced upon audit.

StreamScam, Oracle claims, spoofed more than 28.8 million valid IP addresses associated with US households, affecting 3,600 apps and 3,400 connective TV devices, which include products like Apple TV, Amazon Fire TV, Google TV, Roku, and Samsung Tizen Smart TV. That's an order of magnitude more than the largest previously detected connected TV ad fraud campaign, ICEBUCKET, spotted in April, which involved two million spoofed household IP addresses.

Oracle's cloud business operates an analytics service called Moat that companies use to measure digital marketing. The enterprise database giant said that while making such measurements, it discovered that those behind the scam had created a server network that sends ad impression events to its Moat service and to advertisers without sending ads or video content to anyone.

"They forged household IP addresses, app IDs, and device IDs in the measurement events to make it appear that ads had played in those environments when in fact they did not," Oracle said in a blog post.

Ad-scamming, login-stealing Windows malware is hitting Chrome, Edge, Firefox, Yandex browsers, says Microsoft

READ MORE

Mark Kopera, head of product for Oracle Moat, told us the identity of the perpetrators is unknown. "We’re actively working with our industry partners to further research and attempt to determine the source of fraudulent activity," Kopera told The Reg.

Kopera expects connected TV ad fraud to grow. "Server-Side Ad Insertion (SSAI)-based fraud is a complicated challenge, as StreamScam demonstrates, and we believe it will grow quickly until our industry adjusts its defenses to address it," he said. "We plan to work closely with our peers across the industry to better understand this threat and the most effective tools to block it."

Last month, Cheq, an anti-fraud biz, published a report claiming that losses from digital advertising fraud ($35 billion) are now greater than global annual credit card fraud ($27 billion), despite the fact that the $333bn digital ad market is a tenth the size of the $3.32tr credit card market.

Cheq estimates that about 10 per cent of all digital advertising revenue is lost to fraud. Compare that to the 0.008 per cent rate of credit card fraud.

For certain market segments like paid programmatic advertising, some have argued that roughly half of the ad impressions are fake. Caveat emptor. ®