Allegedly, Apple’s private relay service can be used for so-called click fraud. The damage potential is in the high double-digit million range.
Apple’s iCloud Private Relay pseudo-VPN service can be used for ad fraud, according to a new research report from a security firm. In a new paper, the company Pixalate estimates the abuse potential at $65 million in 2022 alone. Attackers used Private Relay as a kind of shield from detection.
Connection should obfuscate IP
The service is part of Apple’s iCloud+ offering and allows server requests to be redirected via two intermediate steps in order to disguise the outgoing IP address. According to its own statements, Apple itself cannot read where a user is surfing to. Private Relay is part of iOS, iPadOS, and macOS and could even become standard on Apple devices in the future. It is part of Apple’s privacy initiative, which also includes tracking protection measures in the Safari browser and is intended to protect Apple Mail users from surveillance.
According to Pixalate, however, Private Relay also offers a target for so-called click fraud. Paid advertisements are often clicked on by robots. This either brings additional (unearned) money to the publisher on whose website the ad is running – or attackers try to harm a company that has to pay for such useless advertisements that no real user sees. The resulting damage is said to be in the billions. Companies, therefore, try to detect click fraud as early as possible.
Trust in Apple is good…
However, iCloud Private Relay is now regarded as a particularly trustworthy service: Users who come via the service always need to verify iCloud+ access, which is intended to identify them as “real users”. That’s why Apple’s IPs for Private Relay are on some whitelists, i.e. they are let through by default by click fraud prevention systems. This is exactly what scammers are said to take advantage of. This goes so far that the IP addresses are used as part of automated bidding processes (programmatic advertising).
“According to Pixalate’s observations, a common method for exploiting iCloud Private Relay appears to be the fraudulent insertion of [such] IPv6 and IPv4 addresses in digital advertising quote requests.” Pixalate dubbed this method of ad fraud “iP64”. The result is that the anti-click fraud systems “blindly trust” these bids. Attackers could fraudulently use large parts of the private relay traffic, they believe. In August, an enormously high spoofing rate was discovered.
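The following is an added example, not taken from Pixalate's report or from this article: a sketch of how a fraud filter can treat a claimed Private Relay address as one signal to cross-check instead of an allowlist entry that skips scoring. It assumes OpenRTB-style `device.ip`, `device.ipv6` and `device.os` fields; the relay ranges, OS spellings and sample requests are constructed placeholders.

```python
import ipaddress

# Constructed stand-ins for relay egress ranges (documentation prefixes, not Apple's).
RELAY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:aa::/48")]
# The article notes Private Relay is part of iOS, iPadOS and macOS.
# The spellings below are assumed values of the device.os field.
APPLE_OS = {"ios", "ipados", "macos", "mac os x", "os x"}


def in_relay_range(addr):
    """True if addr parses as an IP address inside one of the relay ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except (ValueError, TypeError):
        return False  # malformed address: cannot claim relay status
    return any(ip in net for net in RELAY_RANGES)


def classify(bid_request):
    """Label one request: 'not_relay', 'relay_consistent' or 'relay_suspect'."""
    device = bid_request.get("device", {})
    claimed = [device.get(k) for k in ("ip", "ipv6") if device.get(k)]
    if not any(in_relay_range(a) for a in claimed):
        return "not_relay"
    os_name = str(device.get("os", "")).strip().lower()
    # A relay address on a non-Apple OS contradicts where the service exists.
    if os_name not in APPLE_OS:
        return "relay_suspect"
    # Consistent requests still go through normal fraud scoring; they are not exempt.
    return "relay_consistent"


def suspect_rate(requests):
    """Share of relay-claiming requests whose device fields contradict the claim."""
    relay = [l for l in map(classify, requests) if l != "not_relay"]
    return sum(l == "relay_suspect" for l in relay) / len(relay) if relay else 0.0


# Constructed sample bid requests (only the fields used above).
SAMPLE = [
    {"device": {"ipv6": "2001:db8:aa::10", "os": "iOS"}},
    {"device": {"ip": "192.0.2.44", "os": "Android"}},
    {"device": {"ip": "198.51.100.7", "os": "Android"}},
    {"device": {"ip": "192.0.2.9", "os": "macOS"}},
    {"device": {"ip": "not-an-ip", "os": "iOS"}},
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(classify(req), req["device"])
    print("suspect share of relay-claiming requests:", suspect_rate(SAMPLE))
```

Because the address in a bid request is a declared field, a consistent OS only removes the cheapest contradiction; it does not prove the request came through the relay.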