Apple iCloud’s Private Relay Enables $65M Ad Fraud Scam: Study

Robots love ads too, you know.
Photo: cjmacer (Shutterstock)

As you read this, there are a bunch of bots pretending to be Apple users surfing the web and watching ads, according to new research shared exclusively with Gizmodo. The ad fraud scheme is weaponizing a privacy feature called Private Relay, funneling huge amounts of traffic to show ads to robots and costing advertisers tens of millions of dollars in the process, researchers’ tests have found. Apple promises that the tool has “built-in fraud detection” and that ad platforms can trust it, but researchers say the fraud has gotten worse since they reported it to the company a few months ago.

New reports suggest that criminals are exploiting Apple’s Private Relay tool, a feature available on Apple devices for users who subscribe to iCloud+. Turn it on, and Private Relay will hide your web browsing and assign you a dummy IP address to help stop companies from tracking you. The study, authored by the ad technology company Pixalate and published Wednesday, says the problem will cost U.S. advertisers an estimated $65 million in 2022 alone. The study found that 90% of web traffic that looks like it is coming from Private Relay is actually fraudulent.

In general, the problem described in the report does not directly affect Apple users. Instead, ad fraudsters are pretending to be among them, the researchers said. According to Pixalate, fraudsters are taking advantage of misplaced trust in Apple and the complexity of ad technology, slipping bad traffic under the noses of publishers and tech companies.

“Apple says you can trust that connections through Private Relay are secure and fraud-free, so scammers are misrepresenting their traffic as coming from Apple,” said Amit Shetty, vice president of product at Pixalate. “It looks like they’re just hoping people will put the traffic on the ‘whitelist’ because it’s supposed to be safe.”

Ad fraud is widespread, but the study found that bots tend to cluster around groups of domains, and nine websites that display ads are particularly affected, including the websites of E! Online, ESPN, Major League Baseball, NBC News and Weather.com.

Pixalate first reported the problem in August, but the firm said the volume of fraud is accelerating. The problem is so bad that Shetty has advised ad tech companies and websites to consider blocking Private Relay traffic entirely until a better solution is found.

The results speak to a broader problem within digital advertising.

“The programmatic advertising system is so complex that no one understands it,” says Bob Hoffman, a former ad agency executive and best-selling author of ADSCAM. (Hoffman was not involved in Pixalate’s research.) “At least 15% of all money disappears and no one knows where it goes.”

Apple did not respond to multiple requests for comment.


Every time you see an ad online, it’s usually the result of an app or a website that’s partnered with a number of ad tech companies. For each ad view, the website or app developer gets paid, and so do all the technology vendors involved. That same long line of partnerships creates a problem, though: Each ad display typically involves a byzantine chain of companies and systems, leaving wide berth for malpractice.

More ad views means more money. So sometimes a website or an ad tech company pumps up their numbers with fake traffic. Other players in the chain think real people are seeing the ads, but the ads are actually being shown to robots. It can be hard to detect – and companies have a perverse incentive to look the other way because they still get paid. If no one gets caught, the only victim is the advertiser throwing money away. Voila, ad fraud.

“As an advertiser moves away from buying directly from a website or publisher, deeper into the long tail of the advertiser programmatic ecosystem, the more likely they are to face threats,” Hoffman said.

Now that you’re an ad fraud expert, you should know about Apple’s iCloud Private Relay feature, or iCPR. It cloaks your web browsing so even your internet service provider and cell phone company can’t see what you’re doing online. Part of that process is to assign you a new IP address from a list of possible IPs that are supposed to be set aside for this purpose. Apple has published that list online.

This also creates a problem. Websites and ad tech companies use IP addresses (among other techniques) to detect fraudulent web traffic. iCPR means you can’t see a user’s real IP, so it’s hard to tell if they’re legit. But Apple reassures the ad tech industry that there is nothing to worry about.

Apple has promised in several public statements that apps, websites and ad tech companies can trust that iCPR addresses represent real people. The company says Private Relay has “built-in fraud protection” and is “designed to allow only legitimate Apple devices and accounts in good standing to use the service.” Apple goes further, declaring that “websites that use IP addresses to implement anti-fraud and anti-abuse measures can trust that connections through Private Relay have been validated by Apple at the account and device level.”

According to the research, this is not even remotely true.

Pixalate says ad fraudsters are spoofing Private Relay IP addresses as traffic passes through the complex chain of companies and technologies that make up ad systems. The study found that 90% of web traffic that looks like it’s coming from Private Relay is actually fake, which could mean more than 100 million robots are roaming the web, seeing a lot of ads that no person will ever watch. Safari reportedly has one billion users. According to Pixalate, 21% of traffic online presents itself as coming from the Safari browser using iCPR, and that number is growing.

Pixalate uses several techniques to detect fraud, including analyzing where traffic originates. Private Relay is only available in the Safari browser, but the researchers observed iCPR IP addresses connected to Firefox, or to non-Apple devices that cannot run Safari. That should be impossible. Pixalate also looked at IP addresses originating from data centers, which ad fraudsters often route their traffic through to hide their activity. (For all the ad fraud experts out there, Pixalate says it accounts for other features that can interfere with analytics, including an Apple feature called Hide My IP.)

iCPR addresses that appear to come from data centers or the wrong browser carry all the key markers of fraud, said Rocky Moss, CEO of DeepSee, an ad fraud detection firm, who was not involved in the research.

“It’s hard to think of another reason why it might be presenting a Private Relay IP address,” Moss said. Ad tech companies “can treat this array of Apple IP addresses as trusted, even though the header values are easily spoofed.”

Pixalate also identified iCPR addresses belonging to what are known as “bot rings,” where clusters of users exclusively visit a few websites or apps and go nowhere else, a red flag of inauthentic behavior.

Apple says that iCPR IP addresses are supposed to remain consistent throughout a browsing session. In other words, your IP address stays the same until you close the browser. But during more than half of browsing sessions, the Pixalate researchers observed the iCPR IP address changing multiple times. In ad fraud operations, IP addresses are often set to change automatically, making it difficult to track inauthentic users.
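The three signals the researchers describe above (a Private Relay IP paired with a browser or device that cannot run Safari or with a data-center origin, a cluster of relay IPs that only ever visit the same couple of sites, and an IP that changes within one browsing session) can be expressed as simple checks over request logs. The following is an added example written for this article, not code from Pixalate or Apple. The relay and data-center prefixes are RFC 5737 documentation ranges standing in for Apple’s published list and a hosting-provider feed, the log record layout and User-Agent rules are assumptions, and the sample events are constructed.

```python
"""Heuristic checks for Private Relay look-alike traffic over constructed sample logs."""
import ipaddress
from collections import defaultdict

# Constructed stand-ins for Apple's published relay egress prefixes (RFC 5737
# documentation ranges, so nothing here matches real traffic).
RELAY_RANGES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed data-center prefix; a real deployment would load a hosting-provider feed.
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.128/25")]

# Constructed User-Agent strings for the sample events.
SAFARI_IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1")
FIREFOX_WINDOWS_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"


def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def is_safari_ua(ua):
    """Safari's UA contains 'Safari', but so do Chrome, Edge and the iOS builds of
    Chrome (CriOS) and Firefox (FxiOS); exclude those tokens."""
    u = ua.lower()
    return "safari" in u and not any(t in u for t in ("chrome", "crios", "fxios", "firefox", "edg"))


def request_flags(ip, ua):
    """Flags for one request. Only IPs inside the relay ranges are examined,
    because the article's point is what such an IP should and should not be paired with."""
    if not in_ranges(ip, RELAY_RANGES):
        return []
    flags = []
    if not is_safari_ua(ua):
        flags.append("relay_ip_non_safari")          # Private Relay only exists in Safari
    if not any(t in ua.lower() for t in ("iphone", "ipad", "macintosh")):
        flags.append("relay_ip_non_apple_device")    # device that cannot run Safari
    if in_ranges(ip, DATACENTER_RANGES):
        flags.append("relay_ip_datacenter")          # relay egress should not be a hosting range
    return flags


def session_ip_churn(events):
    """Map session id -> number of IP changes seen. A relay IP is supposed to stay
    fixed for the whole session, so any change is worth a look."""
    last, changes = {}, defaultdict(int)
    for e in events:
        sid, ip = e["session"], e["ip"]
        if sid in last and last[sid] != ip:
            changes[sid] += 1
        last[sid] = ip
    return dict(changes)


def bot_rings(events, min_members=3, max_hosts=2):
    """Group relay IPs by the exact set of hosts they visit; several IPs sharing
    one tiny host set and going nowhere else is the 'bot ring' pattern."""
    hosts = defaultdict(set)
    for e in events:
        if in_ranges(e["ip"], RELAY_RANGES):
            hosts[e["ip"]].add(e["host"])
    groups = defaultdict(list)
    for ip, hs in hosts.items():
        if len(hs) <= max_hosts:
            groups[frozenset(hs)].append(ip)
    return {tuple(sorted(k)): sorted(v) for k, v in groups.items() if len(v) >= min_members}


def _ev(session, ip, host, ua=SAFARI_IPHONE_UA):
    return {"session": session, "ip": ip, "host": host, "ua": ua}


# Constructed sample log: one ordinary Safari user, one Firefox-on-Windows request
# from a data-center address inside a relay range, one session whose IP keeps
# changing, and three IPs that only ever hit the same two sites.
SAMPLE_EVENTS = [
    _ev("s1", "203.0.113.10", "news.example"),
    _ev("s1", "203.0.113.10", "sports.example"),
    _ev("s1", "203.0.113.10", "weather.example"),
    _ev("s2", "198.51.100.200", "news.example", FIREFOX_WINDOWS_UA),
    _ev("s3", "203.0.113.20", "news.example"),
    _ev("s3", "203.0.113.21", "sports.example"),
    _ev("s3", "203.0.113.22", "weather.example"),
] + [_ev(f"r{i}", f"203.0.113.3{i}", h) for i in (1, 2, 3) for h in ("a.example", "b.example")]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["session"], e["ip"], request_flags(e["ip"], e["ua"]))
    print("ip churn per session:", session_ip_churn(SAMPLE_EVENTS))
    print("bot rings:", bot_rings(SAMPLE_EVENTS))
```

On the constructed log, the Firefox request earns all three per-request flags, session s3 shows two IP changes, and the three ring IPs are grouped under the host pair they share. The thresholds are deliberately low so the sample is readable; on real traffic they would be tuned against known-good Safari sessions, and the UA heuristic is only a first filter, since a User-Agent header is trivially set by the client.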

Researchers say Apple’s trusted brand of security and privacy allows criminals to fly under the radar. They believe fraudsters operate “with the expectation that iCPR IP ranges are automatically marked as safe by ad tech companies, given Apple’s trust in the brand and repeated claims of iCPR security.”

While there’s no indication Apple is involved in the scheme, Pixalate researchers say its statements are entirely free of any warning language about spoofing of Private Relay. By encouraging blind faith in Private Relay, the iPhone maker’s description of the system suggests that Tim Cook and company did not take into account the labyrinthine, fraud-prone architecture of digital advertising, the researchers said.

The problem is partly due to the nature of ad technology. “One in 10,000 people can actually go into forensic analysis of what’s going on under the hood of the online advertising industry,” Hoffman said. “So faith is essential.”

Traffic moves from company to company through a single ad bid before an ad is served, and most of the players involved never interact with the user’s actual device, making traffic verification a difficult, often time-consuming process.

“It makes a lot of sense that circumventing these standards would be a way to get inventory on ad tech platforms that would otherwise be discarded if it looked questionable,” said Ian Trider, vice president of real-time bidding operations at Basis Technologies, which collaborated on the research with Pixalate.

Gizmodo reached out to several websites that researchers say have been most affected by the Private Relay scam. ESPN declined to comment. NBC, Major League Baseball, and E! did not respond to Gizmodo’s questions.

“Fraudulent traffic continues to be an industry-wide problem,” said Melissa Medori, spokeswoman for IBM, owner of Weather.com. “The Weather.com team closely monitors Invalid Traffic (IVT) and continues to work diligently with our technology partners to help block or mitigate fraudulent traffic within our own programmatic advertising, as well as find solutions to prevent it.”

Ad fraud is a huge problem, but no one knows how big it is. Talk to 10 ad tech people and you’ll get 10 different answers. During this story I heard that fraud accounts for anywhere from 5% to 40% of all money spent on online advertising. (One particularly enthusiastic ad fraud expert told me the number was more like 90%.) That’s a lot of money. Advertisers will spend more than $602 billion on digital advertising this year, according to Statistics.