How industry came together to take down biggest ever CTV botnet
Industry collaboration involving the likes of Roku and Google has succeeded in dismantling CTV’s most sophisticated threat to date. As part of The Drum’s deep dive into the future of TV, we catch up with Human, the company that uncovered the Pareto botnet, to get the inside story.
The Pareto attack involved ‘infecting’ around a million android mobile apps, which then pretended to be watching TV
The Pareto botnet was first discovered by the Satori Threat Intelligence and Research team at Human (formerly White Ops) in 2020 and named after the Pareto principle, the economic term that specifies that 80% of a situation’s impact is created by 20% of actors – an allusion to the scale of the issue.
The attack involved ‘infecting’ around a million android mobile apps, which then pretended to be watching TV streaming products such as Fire OS, tvOS, Roku OS and others.
The headline numbers reveal that the botnet aped over 6,000 CTV apps, and while Human’s director in APAC Ryan Murray tells The Drum that the cyber security company “doesn’t, as a rule, estimate dollar figures associated with operations like Pareto”, it’s not difficult to imagine that the material damage is significant.
Pareto accounted for an average of 650m bid requests every day, he says. “And given the higher CPMs that CTV advertising commands, it’s easy to envision substantial losses from the operation.”
The botnet was especially complex, says Murray. “The operators had dozens of apps across the Google and Roku app stores, each of which contained code that turned the device the app was on into one piece of a million-node botnet.
“The operators ran servers that sent commands to the devices in the botnet, telling them to pretend to be CTVs or smart TVs and to send confirmation signals to ad verification partners. In this way, they could cash in on the high CPMs of CTV advertising without ever showing an ad.”
With an operation as sophisticated as this, industry collaboration was necessary. Human recently announced a partnership with ad industry giants including Omnicom Media Group, The Trade Desk, Magnite, Google and Roku, titled The Human Collective. It was this collective that took the operation from detection to disruption, hinting at how the industry can come together to combat organized crime in marketing.
Satori’s team members worked over the course of a full year to reverse-engineer the botnet’s code, with its operators frequently changing tactics and adapting their approach in response to Human’s countermeasures – “which was a big part of why we needed to work closely with our partners in The Human Collective and with players like Google and Roku to disrupt their operations,” says Murray.
“Human was protecting clients from the impacts of Pareto from shortly after we uncovered it, but we couldn’t stop the operators by ourselves. It’s only through partnerships like ours with Google and Roku that we were able to short-circuit Pareto: both companies removed all Pareto-associated apps from their respective marketplaces and our partners in The Human Collective have taken measures on their own platforms to further protect their clients from the impacts.
“Partnerships like these are the way that we protect the advertising ecosystem and ensure that only humans engage with content.”
The conversation around ad fraud is changing, says Murray, from accepting it as the “cost of doing business” to something that can be tackled with a more proactive approach. This is only going to add to the momentum around greater collaboration in fighting ad fraud. There may always be fraud, and newer, higher value digital inventory like CTV will always be natural targets, but the cost of doing business in these spaces doesn’t have to be so great if the industry can work together.
From late April until early May, The Drum is taking a deep dive into what’s in store for the small screen as we launch our Future of TV hub.