As reported by Gizmodo (opens in new tab), the ad tech firm Pixalate has discovered that cybercriminals have managed to weaponize Apple’s iCloud Private Relay for their own gain. The firm has dubbed this ad fraud scheme iP64 and it could end up costing advertisers in the U.S. more than $65 million by the end of this year. First announced back at Apple’s 2021 Worldwide Developers Conference, iCloud Private Relay is a privacy feature that is only available for iPhone and iPad users who subscribe to Apple’s iCloud Plus service. Essentially, it allows users to browse the web without revealing their real IP address, making it more difficult for sites and companies to track them online. According to Pixalate’s report (opens in new tab), 90% of the web traffic that appears to come from Private Relay is actually fake. If true, this is a really big deal as Apple has said on multiple occasions that its privacy tool has built-in fraud protection.  At the same time, Private Relay is designed in such a way that “only valid Apple devices and accounts in good standing are allowed to use the service”. However, Apple takes things a step further in its iCloud Private Relay Overview (opens in new tab) (PDF) stating: “Websites that use IP addresses to enforce fraud prevention and anti-abuse measures can trust that connections through Private Relay have been validated at the account and device level by Apple”.

How cybercriminals are using iCloud Private Relay to commit ad fraud

In its report, Pixalate says that cybercriminals are committing ad fraud by inserting iPv6 and IPv4 IP addresses from Private Relay into digital advertising bid requests. While Private Relay is designed to be used exclusively with Apple’s Safari browser, the firm found IP addresses from the service attached to Mozilla Firefox as well as to non-Apple devices that can’t even run Safari. During its investigation, Pixalate also observed Private Relay IP addresses coming from data centers as well as other browsers besides Safari which should be impossible. It also found Private Relay IP addresses that were part of a ‘bot ring’ where groups of users only visit a few websites or apps which is quite suspicious. Even though Apple says that Private Relay IP addresses shouldn’t change during a browsing session, Pixalate observed them changing multiple times. This is another sign of ad fraud as these schemes use IP addresses that change automatically to make them harder to detect and track. When it comes to the websites being targeted by this ad fraud scheme, Pixalate noticed that the bots used in it often visited E! Online, ESPN, Major League Baseball, NBC News and Weather.com quite frequently. Tom’s Guide has reached out to Apple regarding Pixalate’s report and we’ll update this article if and when we hear back.

Is iCloud Private Relay still safe to use?

Even though cybercriminals are allegedly using iCloud Private Relay to commit ad fraud, the service is completely safe to use. However, Pixalate is recommending that companies block IP addresses from the service for the moment to avoid falling victim to ad fraud. Thankfully, you can quickly turn off Private Relay if a website or network doesn’t work with the service according to a support document (opens in new tab) from Apple. To do this, go to Settings > Wi-Fi and tap the More Info button next to the Wi-Fi network you’re currently connected to. Scroll down and toggle Limit IP Address Tracking to off to disable Private Relay. If you’re on mobile data, disabling the feature works the same way, but you need to go to Settings > Cellular > Cellular Data Options and toggle Limit IP Address Tracking to off. Even though iCloud Plus is quite cheap at $0.99 a month for 50GB of storage, $2.99 for 200GB and $9.99 for 2TB, you might be better off with one of the best VPN services if you just want to hide your IP and avoid being tracked online. A VPN also gives you greater control over what country or region your devices appear to be in which allows you to bypass region blocks if you want to access the best streaming services while traveling.

iCloud Private Relay reportedly abused in ad fraud scheme   what you need to know - 84iCloud Private Relay reportedly abused in ad fraud scheme   what you need to know - 12iCloud Private Relay reportedly abused in ad fraud scheme   what you need to know - 12iCloud Private Relay reportedly abused in ad fraud scheme   what you need to know - 14