• by Karlene Lukovitz  @KLmarketdaily, March 27, 2020

In January, I reported in Digital News Daily on a scheme in which fraudsters used the unwitting dating app Grindr to perpetrate a cross-device scheme that tricked advertisers into believing they were buying video ads on the CTV devices of equally unwitting Roku.

In that fraud — dubbed “DiCaprio” by ad-fraud detection firm Pixalate, after the name was spotted within the code — the many premium publishers that fell prey to app misrepresentation (aka “spoofing”) included CBS News, Fox, PBS, USA Today and TMZ.

Now, Pixalate is reporting on a new variation that it’s dubbed “Monarch.”

In this one, the alleged scam — in which Roku and premium publishers are again victims, not beneficiaries, stresses Pixalate — exploited over a dozen Roku apps in an apparent scheme that appears to have OTT/CTV advertisers including political ad groups, luxury automakers and CPGs.

Result: Likely millions in misdirected ad expenditures by brands that appear to include Chipotle, Geico, Hotels.com, Jaguar, Lexus, Pampers, Qatar Airways, Red Lobster, Sonic and Uber Eats.

And the scam, which appears to have started last October, is apparently still active.

This scheme is unique because “the spoofing appears to originate on actual OTT/CTV devices and apps — in this case, Roku devices and apps — rather than originating on a mobile device,” as was the case with DiCaprio, according to Pixalate.

As with the previous incident, Roku recommends that OTT ad buyers buy directly from Roku or publishers on its platform, and if buying from other sources — especially open exchanges — to use technology to verify the source of ad requests.  

In addition to spoofing, the new scheme involves attribution fraud, as defined by MRC guidelines. Pixalate’s analysis indicates that it may “share characteristics consistent with device farms.”  

CTV purchased programmatically is particularly vulnerable to ad scams because of its high CPMs. That means fraudsters can misrepresent lower-priced desktop or mobile units as higher-priced CTV units and pocket the difference. For instance, a mobile display unit with a $1 CPM could be misrepresented as a $25-CPM Roku unit.

The still-relatively new CTV platform is also vulnerable because it lacks a transparent supply chain and standardized measurement, points out Pixalate.

In the Monarch scenario, ad buyers believe they’re buying inventory in Roku apps that offer public-domain content like old TV shows (e.g., “The Andy Griffith Show”). Instead, the ads are placed in unattended or passive-experience apps on Roku TV devices, like screensavers or apps streaming a virtual fish tank to entertain pets.

The spoofing happened over at least a dozen apps and at least five major ad-serving platforms. “Monarch Ads, a subsidiary of Barons Media, is the inventory monetization platform used by all exploited apps identified by Pixalate,” and “the developer Aragon Creek purports to be the owner of all apps spoofed,” states Pixalate. “Aragon Creek and Monarch Ads appear to both be owned by the same individual.”

(That owner, Jim Larkin, told Adweek that while his two companies share Monarch ads as an ad server, Barons Media and Aragon Creek operate independently; he also said that he had suspended Aragon Creek while he investigates the matter.)

Pixalate stressed that its intention in sharing the results of its analysis is not to assign blame to any specific company. Rather, the company wrote, “it is our opinion that our readers may be interested in learning more about possible ties between Monarch Ads, Barons Media, and Aragon Creek.”

Readers interested in learning more about Pixalate’s analysis and conclusions, including graphs of impressions lost per day and money lost per day, should check out the company’s blog post.