Apple's iCloud Private Relay being abused in $65M ad fraud

Posted in iOS, edited November 2022
Apple's iCloud Private Relay is said to be causing problems for online advertisers, with an actively used exploit potentially costing U.S. firms over $65 million in 2022.

iCloud Private Relay

Apple poses iCloud Private Relay as a way to protect users' privacy on the Internet, using a complex infrastructure to mask the user from tracking. However, that same system may be a headache for some online advertisers, who may have lost money due to potential fraud.

The Ad Fraud and Compliance research team at Pixalate claims there is a potential exploit in the system that relates to the IP addresses used by iCloud Private Relay. Dubbed "iP64," the exploit is believed to let ad fraudsters take advantage of the ad industry's trust in iCloud Private Relay, along with other factors, to get away with ad fraud.

An unexpected problem for advertisers

Ad fraud covers underhanded ways of serving ads, such as displaying them in non-compliant ways to gain impressions, or faking impressions or clicks outright. By doing so, fraudsters earn revenue for "displaying" ads without doing so legitimately.

According to Pixalate, Apple's assertion that iCloud Private Relay traffic is safe from fraud is one thing fraudsters count on. Because Apple states that "Websites that use IP addresses to enforce fraud prevention and anti-abuse measures can trust that connections through Private Relay have been validated at the account and device level by Apple," advertisers add the iCPR IP addresses to "allow lists."

Secondly, programmatic advertising uses a complex supply chain in which bids pass through multiple "hops." Because many intermediaries are involved, companies in the ad supply chain have no direct access to devices to verify the "declared" IP addresses, and therefore work on trust.

Fraudsters then use techniques such as spoofing data centers to insert an Apple-published iCPR IP address into an ad request. The result is that ad-serving firms see the iCPR IP address and "blindly trust the request," says Pixalate.

The level of click fraud could be high, with Pixalate believing that while 21% of Safari traffic claims to come through iCPR, more than 90% of that traffic appears to be spoofed.

Growth rate of iP64 instances against growth of Safari traffic through iCPR [Pixalate]

In examples offered by Pixalate, end-user IP addresses were declared to be iCPR addresses but actually came from T-Mobile, or from Amazon AWS data centers. In some cases, purported iCPR traffic was coming from the Firefox browser, which should be impossible in everyday use since iCPR is only available in Safari.

On how the ad industry can mitigate such fraud, the researchers believe that ad tech firms should have a better understanding of the ad supply chain, to analyze the sources, and to work with ad sellers to reduce misrepresented traffic.
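As an added example (not code from the article or from Pixalate), here are the consistency checks that the Firefox and data-center cases above imply, written in Python over constructed bid requests. The iCPR prefixes, the sample requests and the user-agent strings are constructed placeholders, and the declared-versus-connecting IP comparison assumes the checker runs at the first hop that terminates the device connection.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder prefixes standing in for Apple's published iCPR egress list.
ICPR_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

@dataclass
class AdRequest:
    declared_ip: str    # end-user IP as declared in the bid request
    connecting_ip: str  # IP the first-hop server actually saw the request arrive from
    user_agent: str

def is_icpr(ip: str) -> bool:
    """True if ip falls inside a known iCPR egress prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ICPR_RANGES)

def looks_like_safari(ua: str) -> bool:
    # Chrome and Edge also carry "Safari/" for legacy reasons, so exclude them.
    return "Safari/" in ua and not any(t in ua for t in ("Chrome/", "CriOS/", "Edg/"))

def check_request(req: AdRequest) -> list[str]:
    """Return consistency findings for a request whose declared IP is an iCPR address."""
    findings = []
    if not is_icpr(req.declared_ip):
        return findings  # no iCPR claim, so the allow-list trust is not in play
    if not is_icpr(req.connecting_ip):
        # Only the party terminating the device connection can make this comparison.
        findings.append("declared iCPR address but connection arrived from a non-iCPR IP")
    if not looks_like_safari(req.user_agent):
        findings.append("declared iCPR address but user-agent is not Safari")
    return findings

def summarize(requests: list[AdRequest]) -> dict:
    """Count requests claiming iCPR and how many of those fail at least one check."""
    claimed = [r for r in requests if is_icpr(r.declared_ip)]
    flagged = [r for r in claimed if check_request(r)]
    return {"total": len(requests), "claimed_icpr": len(claimed), "flagged": len(flagged)}

# Constructed sample traffic, not real bid data.
SAFARI_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) AppleWebKit/605.1.15 Version/16.1 Mobile/15E148 Safari/604.1"
FIREFOX_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0"
SAMPLE = [
    AdRequest("203.0.113.10", "203.0.113.10", SAFARI_UA),   # consistent iCPR claim
    AdRequest("203.0.113.20", "203.0.113.20", FIREFOX_UA),  # iCPR claim from a Firefox UA
    AdRequest("203.0.113.30", "198.51.100.7", SAFARI_UA),   # claim arrived from a non-iCPR IP
    AdRequest("192.0.2.5", "192.0.2.5", SAFARI_UA),         # ordinary request, no iCPR claim
]
```

The ratio of `flagged` to `claimed_icpr` over real traffic is the figure Pixalate reports as the spoofed share; on an intermediary hop that never sees the device connection, only the user-agent check is meaningful.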

Fix could have collateral damage

However, a near-term proposal involves adding iCPR IP addresses to "block lists," to explicitly not trust traffic sources from iCPR.

"While this approach may result in blocking real iCPR users - true adoption numbers appear to be low enough that, in the near term, most companies would not see any material impact (other than IVT reductions)," Pixalate offers.


Comments

  • Reply 1 of 9
    mike1 Posts: 3,435 member
    There's not a violin small enough to express how little I care about advertisers and their revenue.
  • Reply 2 of 9
    darkvader Posts: 1,146 member
    mike1 said:
    There's not a violin small enough to express how little I care about advertisers and their revenue.

    I care.  I want them all to crash and burn.

    I've got multiple layers of tools to keep their intrusive crap and tracking from getting to my systems.

    The worst part is that all of that was never necessary.  It used to be that ads were mostly nonintrusive.  Sure, they took up space on the page, but they just sat there, didn't do anything, and the only "metric" the advertiser got back was "how many copies of this newspaper or magazine were distributed".  TV ads were more annoying, but all advertisers could do was broadcast them, they had no idea who was watching.

    And the world didn't end.

    We need laws prohibiting ads from tracking people.  Until then, I fully approve of all schemes to cost advertisers LOTS of money on fake eyeballs.
  • Reply 3 of 9
    BigBWSR Posts: 10 unconfirmed member
    I too have little sympathy for ad companies and this issue.

    Apple never said it was fraud resistant for businesses, just end users. 

    And this isn’t really a private relay issue, the same thing could be done with vpn endpoints also.  The only real difference is that the private relay endpoints are Apple devices only, so advertisers can do more targeted ads to those IPs, hence the whining when it’s not just Apple devices. 
    edited November 2022
  • Reply 4 of 9
    mike1 said:
    There's not a violin small enough to express how little I care about advertisers and their revenue.
    Hahaha! I agree but ads do pay for things, however they’ve gone too far by pretending they’re not ads, and by tracking your activities and collecting your data.
  • Reply 5 of 9
    Did you run Pixalate's post though an AI rewriter to get your post written? Because yours is barely intelligible. Thankfully you linked to the source, Pixalate, so readers could understand. Please put more effort into writing clearly!
  • Reply 6 of 9
    chadbag Posts: 2,025 member
    Is there a TL;DR? I'll go read the direct Pixalate post but it's not clear to me what is happening.
  • Reply 7 of 9
    Wow! It's almost as though there's a downside to "programmatic advertising" - who could possibly have predicted that???? :wink:
  • Reply 8 of 9
    JP234 said:
    Careful what you wish for. The fewer ads you see, the more the online services you use are going to charge you. That, friends, is called a FACT.
    You think you don't pay for those things today already? Advertising works, companies spend billions on advertising because it works. Just because you see ads and things "seem" free doesn't mean they are, in fact those ads are the best at getting you to spend money on things you neither need nor want, and people think they are clever enough to avoid their impact.