Ad Fraudsters Exploited Grindr In A Scheme Targeting Roku Apps
The scheme, dubbed “DiCaprio,” shows how common ad fraud has become in the connected TV industry.
In just the past three weeks, Grindr, the popular gay dating app, has been slammed by the Norwegian Consumer Council for exposing users’ personal information, suspended from Twitter’s ad network as a result of that investigation, and alleged to have been the way a Michigan hairstylist met the man who brutally murdered him.
Adding to those concerns is new research showing that the company’s Android app was exploited by ad fraudsters in a scheme that stole money from advertisers — and drained the phone batteries and depleted the data plans of Grindr’s users.
Amin Bandeali, CTO of Pixalate, the Palo Alto ad fraud detection firm that identified the scam, said Grindr was likely targeted because of its large user base.
“If I’m a fraudster, I would love to target an app that has a lot of user engagement. These dating apps — users are on them constantly,” he told BuzzFeed News.
Along with Grindr, the scheme exploited Roku apps and devices. Brands are projected to spend $7 billion this year to show ads on connected devices, like Roku, and over-the-top media services, which are streaming platforms like Hulu. Yet close to a quarter of that money will be stolen by fraudsters, according to data from Pixalate.
“This scheme is just one example in the universe of [over-the-top] fraud,” Pixalate CEO Jalal Nasir told BuzzFeed News. Pixalate dubbed the scheme “DiCaprio” after seeing that word used in a file containing some of the malicious code.
“DiCaprio is one of the most sophisticated OTT ad fraud schemes we have seen to date,” Nasir said.
A Grindr spokesperson told BuzzFeed News the company wasn’t aware of the scheme prior to being contacted for this story but was “taking steps to address it and are continually working to implement new strategies to protect our users.”
“Grindr is committed to creating a safe and secure environment to help our community connect and thrive. Any fraudulent activity is a clear violation of our terms and conditions and something we take very seriously,” the spokesperson said.
Tricia Mifsud, Roku’s vice president of communications, said brands need to take steps to protect themselves when they purchase OTT ads using open exchanges rather than buying direct from publishers or platforms.
“We recommend that OTT ad buyers buy directly from Roku or publishers on the platform. When buying from other sources and especially open exchanges, the buyer may be better served to use technology that can help with verifying the source of the ad requests,” she said.
Here’s how the scheme worked: A normal banner ad was bought on Grindr’s Android app. The fraudsters then attached code that disguised the Grindr banner ad to look like a Roku video ad slot. This fake ad space was sold on programmatic advertising exchanges, the online marketplaces where digital ads are bought and sold. Making one ad unit look like another is called spoofing, and it has been a problem for years. This attack is similar to one revealed by BuzzFeed News and detection firm Protected Media last year. In both cases, cheap banner ads were used to resell more expensive video ads.
Nasir said this kind of video ad can cost as much as 25 times that of a mobile banner ad: “So that’s very lucrative for someone to make quick money — and a lot of it.”
These video ads did not appear in the Roku app and were never seen by humans. But the ad tech middleware vendors who facilitated the ad placement still took their cuts.
One such company is S&W Media, an Israeli firm that operates an ad network that places ads in Roku apps and on other connected TV platforms. The company also operates roughly 20 of its own Roku content channels under the SnowTV brand. Pixalate’s research, reporting by BuzzFeed News, and data from a company used by the fraudsters to deliver the video ads suggested multiple connections between S&W Media and the scheme. As a result, at least one partner has ended its relationship with S&W, calling its activity “highly suspect.”
CEO Nadav Slutzky denies involvement, telling BuzzFeed News this type of spoofing has occurred on his ad platform in the past and that he has refunded advertisers when fraud was detected.
“In August 2019, one of our advertisers brought to our attention that some of the traffic we were sending him was suspected of being fake. We immediately worked to locate the traffic sources and stopped working with this supply, in addition to not paying them for this traffic,” he said. “We do everything in our power to battle fraudulent traffic including using third-party verifications tools. We as a mediator have suffered the most from this kind of activity and will do anything in our power to stop it, including developing inside tools to fight this.”
The code that placed the invalid video ads used S&W’s ad network, called AdservME, to track the ads being sold and included an instruction to display an ad for a jewelry business owned in part by Slutzky if a paid ad were not purchased to fill the slot.
Slutzky said the section of code referencing AdservME, and the use of an Austaras banner, was standard code used by his company and was copied by the fraudsters.
Another section of malicious code identified by Pixalate included a list of Roku apps owned and operated by S&W’s SnowTV. These apps would have been spoofed as part of the scheme, and any video ads placed as a result would have earned S&W money as both the ad network selling the inventory and the publisher of the app.
SnowTV says on its website that it uses Moat and Pixalate to protect its apps against invalid traffic. Pixalate told BuzzFeed News that’s false and said it stopped working with S&W in 2017. Slutzky subsequently acknowledged that his company is not currently working directly with Moat, either.
Slutzky said that the DiCaprio fraudsters, whom he could not identify, chose to spoof his SnowTV apps because they appealed to advertisers.
He said his company “spent countless hours building our apps and marketing them to get them to a place we are proud of. The fact that they are whitelisted by many advertisers made them a target for whoever wrote the code you showed me.”
The malicious code was hosted on alefcdn.com, a site that was taken offline within minutes of BuzzFeed News emailing Slutzky, Grindr, and SpringServe, a company exploited by the scheme. Slutzky said his company does not own alefcdn.com and that the code is not his.
“This code is not our code — it’s the first time I’m seeing this code,” he said. He said alefcdn.com was offline when he tried to visit it.
The fraudsters exploited SpringServe, an American video ad platform, to serve the spoofed traffic. After being contacted by BuzzFeed News, SpringServe conducted an internal investigation and said the account used to place some of the invalid video ads belonged to S&W Media.
“Upon receipt of the recent information provided by BuzzFeed and our own internal investigation, SpringServe has concluded that the activity in question was highly suspect and has immediately suspended this company from utilizing its platform,” SpringServe CTO David Buonasera told BuzzFeed News. “This issue underscores the need for greater industry communication and cooperation to prevent invalid inventory.”
Slutzky said any suspicious activity on its SpringServe account was the result of someone misusing his company’s service.
“We serve billions of requests a day on our ad servers. It’s unavoidable that as a middleman a portion of this will be fraudulent. We do everything in our power to avoid this and stop this,” he said.
Nasir, Pixalate’s CEO, said the DiCaprio scheme highlights how a lack of standards and measurements for ads on internet-connected TVs and over-the-top services has let bad actors run wild.
“This makes it the right breeding ground for a fraudster to come and exploit, even with minimal effort,” he said.
Added description of how the scheme exploited the SpringServe platform.