Apple iCloud Private Relay Abused by $65M Ad Fraud


Apple's iCloud Private Relay poses problems for online advertisers, and a heavily abused flaw could cost US companies over $65 million in 2022.

Apple introduced iCloud Private Relay as a way to protect users' online privacy, using sophisticated infrastructure to keep the user from being tracked. However, this same system can be a headache for some online advertisers, who could lose money due to potential fraud.

Pixalate's Ad Fraud and Compliance Research Team states that there is a potential vulnerability in the system related to the IP addresses used by iCloud Private Relay. In the scheme, dubbed “iP64,” scammers are believed to exploit the trust the advertising industry places in iCloud Private Relay, along with other factors, to avoid being punished for ad fraud.

Unexpected problem for advertisers

ways, such as displaying them in inappropriate ways to get impressions or fake impressions or clicks. Fraudsters can thereby earn revenue from ad “impressions,” despite obtaining them illegally.

According to Pixalate, Apple's claim that iCloud Private Relay traffic is scam-free is what scammers are counting on. Because “websites that use IP addresses for fraud prevention and abuse prevention can be confident that connections over Private Relay have been verified by Apple at the account and device level,” advertisers add iCPR IP addresses to “allow lists”.

Second, programmatic advertising uses a complex supply chain where bids go through multiple “hops”. Since there are many intermediaries involved, companies in the advertising supply chain do not have direct access to devices to verify “declared” IP addresses, so they operate on trust.

The scammers then use techniques such as datacenter spoofing to insert Apple-published iCPR IP addresses into the ad request. As a result, advertising companies see an iCPR IP address and “blindly trust the request,” says Pixalate.

Click fraud rates can be high, as Pixalate believes that while 21% of Safari's traffic supposedly comes from iCPR, more than 90% of that traffic turns out to be fake.

Growth rate of iP64 instances compared to growth of Safari traffic via iCPR [Pixalate]

In the examples provided by Pixalate, end-user IP addresses were declared as iCPR, but actually belonged to T-Mobile or came from Amazon AWS data centers. In some cases, the alleged iCPR traffic came from the Firefox browser, which is not possible in everyday use because iCPR is only available in Safari.

As to how the advertising industry can mitigate such fraud, the researchers believe ad tech companies need to better understand the ad supply chain, analyze sources, and work with ad sellers to reduce skewed traffic.
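The mismatches Pixalate describes can be checked mechanically before a declared relay address is given any allow-list trust. The following is an added example, not code from Pixalate or Apple; the relay ranges are constructed documentation addresses, and the `observed_ip` field (an address seen by a measurement endpoint the verifier controls) and the Safari user-agent heuristic are assumptions.

```python
import ipaddress

# Constructed stand-in for Apple's published relay egress list (CIDR first);
# documentation ranges only, none is a real relay address.
SAMPLE_RELAY_CSV = """192.0.2.0/24,US,US-CA,Los Angeles,
2001:db8:aa::/48,GB,GB-EN,London,
"""

def load_relay_networks(csv_text):
    cidrs = (line.split(",", 1)[0].strip() for line in csv_text.splitlines())
    return [ipaddress.ip_network(c, strict=False) for c in cidrs if c]

def in_relay(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False  # missing or malformed address
    return any(addr in n for n in nets)

def looks_like_safari(ua):
    # Heuristic (assumption): Safari sends Version/ and Safari/ tokens only.
    ua = ua or ""
    others = ("Firefox/", "FxiOS/", "Chrome/", "CriOS/", "Edg/", "EdgiOS/", "OPR/")
    return "Safari/" in ua and "Version/" in ua and not any(t in ua for t in others)

def assess(req, nets):
    """Return (verdict, reasons) for one ad request."""
    if not in_relay(req.get("declared_ip"), nets):
        return "not-relay", []  # no relay trust to grant; usual checks apply
    reasons = []
    if not looks_like_safari(req.get("user_agent")):
        reasons.append("non-Safari user agent on declared relay IP")
    observed = req.get("observed_ip")  # hypothetical: IP seen by a first-party tag
    if observed is None:
        reasons.append("declared relay IP has no direct corroboration")
    elif not in_relay(observed, nets):
        reasons.append("observed IP is outside relay ranges")
    return ("suspect" if reasons else "consistent"), reasons

SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1")
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
# Constructed requests mirroring the mismatches described above.
SAMPLES = [
    {"declared_ip": "192.0.2.10", "user_agent": SAFARI, "observed_ip": "192.0.2.77"},
    {"declared_ip": "192.0.2.10", "user_agent": FIREFOX, "observed_ip": "192.0.2.77"},
    {"declared_ip": "192.0.2.10", "user_agent": SAFARI, "observed_ip": "198.51.100.5"},
    {"declared_ip": "203.0.113.9", "user_agent": SAFARI, "observed_ip": "203.0.113.9"},
]
print([assess(r, load_relay_networks(SAMPLE_RELAY_CSV))[0] for r in SAMPLES])
```

The observed address is tested for range membership rather than equality with the declared one, since a genuine relay user's address can differ between connections while staying inside the published ranges.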

A fix could cause collateral damage

However, a near-term proposal includes adding iCPR IP addresses to “blacklists” to explicitly distrust traffic sources from iCPR.

“While this approach could result in real iCPR users being banned, the actual adoption numbers seem low enough that most companies will not see any significant impact (other than a reduction in IVT) in the near future,” Pixalate offers.
