White Ops specialists found , they said, the world’s largest fraudulent advertising operation using smart TVs.

During the operation, called ICEBUCKET, using software bots, cybercriminals make advertisers think that real people are watching ads they pay for broadcast on a smart TV. The amount of damage caused to advertisers has not yet been established. However, according to the researchers, at the peak of the operation with the help of bots, scammers could imitate more than 2 million views in 30 countries of the world. About 99% of fake IP addresses are located in the USA.

At some point in January, when White Ops researchers analyzed the traffic of smart TVs, 28% (1.9 billion requests per day) came from ICEBUCKET. Currently, the operation is still ongoing, but on a smaller scale compared with January.

ICEBUCKET operators have been able to hide their bots for so long thanks to a technique known as server-side ad insertion (SSAI). This method involves the introduction of advertising in broadcast video content. Unlike client-side advertising insertion, when advertising is embedded directly in the device on which video content is being watched, SSAI assumes that the server implements advertising in the video stream.

To send advertising to fake and fake IP addresses, ICEBUCKET operators used about 1.7 thousand intermediate SSAI servers. Attackers also copied some of the standards used to identify SSAI traffic to make fake traffic seem more realistic.

ICEBUCKET operators have used virtual private servers in various data centers in nine countries. According to the researchers, the attackers either paid for access to these servers or hacked them using weak protection.