Criminals exploit Apple’s iCloud Private Relay in ad fraud scheme

An army of bots currently pretending to be Apple users is surfing the web and “looking” at ads by exploiting Apple’s iCloud Private Relay, according to new research.

Apple's new iCloud Private Relay feature

Apple has said that the tool has “built-in fraud detection” and that digital advertising platforms can trust it, but the researchers say the fraud has only increased in the months since they first reported it to the company.

Thomas Germain for Gizmodo:

The new report finds that criminals are exploiting Apple’s Private Relay tool, a feature available on on Apple devices for users who subscribe to iCloud+. Turn it on, and Private Relay will hide your web browsing and assign you a dummy IP address to help stop companies from tracking you. Pixalate, the ad tech firm that authored the study, released Wednesday, says the problem will cost US advertisers an estimated $65 million in 2022 alone. The study finds that 90% of web traffic that looks like it’s coming from Private Relay is actually fraudulent.

The ad fraud is widespread, but the study found that the bots tend to cluster around groups of domains, and nine websites that display ads are affected in particular, including the websites for E! Online, ESPN, Major League Baseball, NBC News, and Weather.com.

Pixalate first reported on this problem in August, but the firm says the amount of fraud is accelerating. The problem is so bad that Shetty advised ad tech companies and websites to consider blocking Private Relay traffic altogether until there’s a better solution.

MacDailyNews Note: According to Apple, “Private Relay is designed to ensure only valid Apple devices and accounts in good standing are allowed to use the service. Websites that use IP addresses to enforce fraud prevention and anti-abuse measures can trust that connections through Private Relay have been validated at the account and device level by Apple.” More info here.

Please help support MacDailyNews. Click or tap here to support our independent tech blog. Thank you!

Shop The Apple Store at Amazon.

6 Comments

  1. Fine. Block all the Apple users who have – in large portion – money to spend on your products… we will go elsewhere. ESPN = less and less use from this guy. E!? Seriously. Weather Channel? Really?

    I’ll live. Moving on.

  2. “The study finds that 90% of web traffic that looks like it’s coming from Private Relay is actually fraudulent.”

    This stat is brutal and, if true, would be a solid reason for a company to block related traffic. Since Mark’s company has dropped precipitously since implementation of “relay,” it’s reasonable to think companies might “conspire” to overcome, but if the tool enables scumbags to enact scummbaggery, Apple needs to seriously tweak. It’s wonderful tech as proposed.

    1. With this report and a couple of others, Apple AT LEAST needs to quell the irregularities surrounding iCloud technologies. Time to bolt things down, before more features and expansion.

      No Tracking of the Indi? Maybe not:
      https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558

      iCloud’s Security for All? Windows users, not-so-much:
      https://9to5mac.com/2022/11/21/icloud-for-windows-photos-videos-strangers/

      Make security secure again.

  3. I will also add that Apple needs to rethink their Mail Privacy Protection feature. The “Protect Mail Activity” that works by hiding your IP address, does not work if your iPhone has it but your Mac is running OS 11.

    What happens is the phone is protected and downloads the remote content. If later you open the same email on your Mac, this feature is not there and the email and or IP address is captured. Could not understand why in the week after upgrading my phone that my junk email tripled. It was that. Thanks Apple.

    A little warning that both iPhone and Mac need to update simultaneously would have been helpful.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.