Interview with Mikhail Venkov, a HUMAN Researcher

HUMAN’s Satori Threat Intelligence and Research Team is composed of data scientists whose goal is to find fraudsters’ signals amongst the noise of trillions of interactions every week. Their ability to determine whether a bid request or impression is real is only as good as their ability to  reduce the noise of bad data inputs. 

This is especially true with respect to CTV, where less information is available for validation, as Javascript isn’t an option for tagging. I recently sat down with Mikhail Venkov, HUMAN’s resident CTV expert, to dig into some of the threats we see on CTV and what good actors in our industry can do to collectively protect against the bad ones.

Q: What are the biggest threats to CTV that you are seeing presently? 

A: The most significant threats to CTV right now include SSAI spoofing and SSAI abuse, which, though they may sound like the same thing, describe different phenomena.

SSAI spoofing means the SSAI server in question isn’t real, and bad actors are using these fake servers to show “ads” to robots.

In contrast, SSAI abuse has the same end result, but genuine servers are unknowingly used for spoofing ad traffic.

While SSAI spoofing has some of the highest volume among threats to CTV, we also see bad actors performing on-device spoofing attacks, like using malicious apps for spoofing app ids or generating large amounts of traffic when a device is inactive (as seen in our PARETO investigation from 2022). 

Q: Can you share some notable examples of CTV fraud? 

A: As noted above, the PARETO investigation was a high-profile instance of CTV fraud. PARETO was a collection of Android apps spoofing more than 6,000 CTV apps to cash in on the higher CPMs CTV apps carry. The scheme accounted for more than 650 million bid requests a day, demonstrating the level of interest fraudsters have in the emerging CTV advertising marketplace.

Q: What, for you, distinguishes CTV fraud from fraud on other platforms? 

A: The rate of ad fraud on CTV is 4.7x higher than on desktop or mobile. One possible reason for this discrepancy may be that spoofing video ads is also 20-30x more profitable for fraudsters than static desktop or mobile ads.

My job is to find clues of fraud in an environment that is high in noise and low on signal, where it’s much easier for fraudsters to hide. It’s even more complex if the data we receive is inaccurate/mislabeled. I recognize the challenge publishers face to ensure correct labeling across media and intermediaries, especially so in CTV with so many different platforms, SSAI providers, and complex integrations. Data quality and accuracy, however, should be an investment that leads to an ROI in ad quality. 

Q: What can industry participants do to reduce the noise and improve signal quality?

A: However a CTV ad is served, the easiest way for verification partners like HUMAN to gain important signal from CTV is for the measurement beacon to fire on the device rather than on the SSAI server. This greatly increases the signals we can collect. Adoption of measurement on-device has improved significantly, but still only 60% of measurement tags fire on the device. 

If there is no way to do that, ensure that the server passes endpoint device IP through x-forwarded-for header and end-point UA through User Agent header. The Roku Watermark is another tool that prevents device spoofing by passing appropriate signals to verification partners.

Declared app ID should contain the app identifier of where the ad was served and in the format appropriate for the platform. For example, Roku app IDs should be numeric, not a bundle name as is commonly seen on Android devices (IAB guidelines). It also should not be a hardcoded value for several apps across a publisher.

Ensuring data consistency will improve protection across the whole ad ecosystem. This protects publishers from app spoofing and DSPs from transacting on spoofed inventory.

Another way to protect against spoofing is for publishers to participate in app-ads.txt. The standard supports declaring inventory partner domains thus enabling verification of all CTV inventory.