Server-side ad insertion (SSAI) is a special type of ad serving whereby ads are stitched directly into the content they’re played alongside. It’s particularly common in Connected TV (CTV) since it helps create a smooth transition between content and ads, preventing loading screens and improving speed. This works by having an SSAI server, which is responsible for the stitching, sit between a device and the ad. Since the ad isn’t served directly on the device, the SSAI server is often responsible for passing on information about impressions and for handling reporting.

Unfortunately, fraud follows the money, and with the popularity of CTV in particular, SSAI has been an ongoing target for bad actors. These attacks, known as SSAI fraud schemes, typically involve the fraudster spoofing legitimate devices and apps that are not harmful on their own. These schemes take place in three phases. First, the fraudsters gather the details of legitimate users, such as IP addresses or app bundle IDs. Next, they copy these details to mask their activity and keep it from being detected. Finally, they use the spoofed details of legitimate users to send fraudulent ad requests into the ecosystem.

The battle against SSAI fraud schemes is ongoing, but winnable. In fact, in 2020 alone our fraud lab uncovered more than 12 SSAI schemes. Schemes like “ParrotTerra”, which our fraud lab detected last year, worked by generating fake CTV inventory across countless apps, IPs and devices. ParrotTerra dwarfed other SSAI schemes: before being detected and blocked, it scaled to as many as 3.7 million device signatures each day and spoofed over 35% more apps than LeoTerra, which had previously been the largest SSAI scheme.

To avoid detection, fraudsters are executing increasingly sophisticated and larger schemes, and this won’t stop anytime soon. Earlier this year, our lab identified the first-ever SSAI scheme known to hijack real CTV device sessions, marking an important evolution in CTV fraud. “SneakyTerra” operated by obtaining impression trackers from multiple ads through spoofed SSAI calls and stood to cost unprotected advertisers more than $5 million per month. Ultimately, as fraudsters are identified and caught, they will continue to adopt new strategies with the aim of going undetected, putting unprotected advertisers at risk.

Against this evolving threat, brands can protect themselves by using real-time protection technology that stays one step ahead of the bad actors. In the case of SneakyTerra, our technology was able to see spoofed traffic generated via rogue SSAI servers (before the fraudsters executed their impression on a real CTV device), so counterfeit SSAI servers could be blocked. Overall, it’s worth remembering that we’ve seen a 30% decrease in global fraud/SIVT violation rates year on year. That’s a testament to the work that teams like those at our fraud lab, which analyses over two billion impressions daily, and others in the industry are doing to protect brands.