Domain Spoofing – Working, Types, Examples, and Prevention.

If you’re familiar with the adtech industry, then you’ve probably heard hundreds of complaints, and even, lawsuits against ad fraud. Of all ad frauds, domain spoofing remains the most prevalent in the industry. And, when you know ad fraud alone could cost us $42 billion this year, it’s fair to be concerned.

Though both advertisers and publishers are indeed affected by the ad fraud schemes, publishers’ wounds are more severe than that of advertisers.

Why?

An advertiser can pause/cancel the underhand campaigns as soon as they’re aware of the fraudulent activity. Next time, they tend to avoid the sites from the last campaign (think, blacklisting). On the other hand, a credible publisher will lose the readers, advertisers, and some potential contributors, forever.

Of course, unless you’re Facebook or Google, it’ll be nearly impossible to gain the users and advertisers back. Do you know what’s worse?

Mid-sized and small publishers are forced to battle against the ad fraudsters without any advanced technologies (as they can’t afford one) and experience. That being said, premium publishers have their own problem with ad fraudsters, and most of the time, a premium is an ideal target for fraudulent networks.

We all know that’s the quickest way to make bucks and go AWOL. We’ve faced the issues and seen the impact, first-hand.

“Domain spoofing is probably the most common type of ad fraud.”

– eMarketer

With the rise of technology and digital ad budget, ad fraudsters have also evolved and in fact, there are 30+ types of ad fraud today. However, domain spoofing is the most common type of ad fraud. If you want to prevent ad fraud, you should start with domain spoofing. 

Table of Contents

• What is Domain Spoofing?
• Domain Spoofing Examples
• How Does The Domain Spoofing Work?
• Types of Domain Spoofing
• How to stop domain spoofing?
• Conclusion

So, What is Domain Spoofing?

As the name implies, domain spoofing happens when a low-quality publisher disguises itself as a premium publisher in a programmatic marketplace. Spoofing a premium publisher makes the ad impressions more valuable and the demand will also be typically high.

Advertisers believe their ads are showing up at the premium websites, for the right audience. However, the fraudsters will show them up at the low-quality websites, for the bots (or sometimes, a random audience).

Methbot, the most profitable ad fraud operation to date, has spoofed 250,267 distinct URLs to falsely represent inventory.

– WhiteOps

Generally, fraudsters build a domain that closely resembles the URL of legitimate publishers. Not only do they create fake domains, but they can also create a duplicate copy of the website’s content.

Domain Spoofing Examples

How Domain Spoofing Affects Publishers?

The Financial Times (FT.com) ran an audit in 2017 and found that FT.com has been spoofed and fraudsters via these spoofed domains were selling display inventories on 10 ad exchanges and video ads on 15 exchanges. The FT.com doesn’t sell video ads programmatically at all.

The money will never reach the publisher as the website is not even theirs. The publisher estimated the fraudsters were making over $1.3 million every month by claiming that they’re the Financial Times.

Estimated Loss: $1.3 Million Per Month.

“The scale of the fraud we found is jaw-dropping. The industry continues to waste marketing budgets on what is essentially organized crime.”

-Anthony Hitchings, Digital Advertising Operations Director, The Financial Times (Src)

Similarly, News UK conducted a blackout test to measure the influence of fraudsters on its brand in 2018. Just in 2 hours, News UK found out around 2.9 million bids are made on domains pretending to be News UK titles (The Sun, and The Times of London).  

The publisher estimated that 650,000 ad requests were made each hour and $950,000 was wasted every month on the spoofed domains.

Estimated Loss: $950,000 Per Month.

“We’re all victims in one way or another. If the SSPs hadn’t taken it seriously, then it might have been different, but they were very keen to address it.”

-Ben Walmsley, Digital Commercial Director, News UK (Src)

How Does The Domain Spoofing Work?

Though the inner-mechanism and transactional capabilities vary based on the machinations, generally, domain spoofing works by compromising the ad exchange or ad network or SSP. The domain spoofers capitalize on the ambiguity of real-time bidding and supply the spoofed URL instead of the legitimate one at the bid time.

Source: WhiteOps/Methbot Operation.

What are the Types of Domain Spoofing

Generally, there are four types of Domain spoofing: 

1. Malware
2. Custom Browsers
3. Cross-domain Embedding
4. URL Substitution

Domain spoofing can be easy-to-detect and sometimes, sophisticated enough to bypass the ad fraud prevention vendors. Hence, it’s imperative to know how can you be tricked. Luckily, domain spoofing isn’t intractable and you can deal with it one way or another.

Let’s start with the most common type of domain spoofing.

– Malware

To mess up the RTB, fraudsters don’t essentially need to corrupt the header information or ad tag. They can bug the real browsers by making the users download the malware abstractedly. For instance, you might have come across a situation where you’ve been redirected (to a new window) and suddenly a software or file will start downloading automatically.

Not all the redirects result in malware, but some are intended to bug the browser.

What happens then?

Fraudsters will keep on injecting ads into websites that the users view and no, the money won’t end up in the publishers’ hands. If you are viewing the content on the New York Times, the malware can send out a bid saying we got an impression of the user from the nytimes.com and will indeed sell it for a lower-than-actual price.

– Custom Browsers

RTB relies on the header information sent by the browser (up to an extent) and typically, advertisers get to know the sites being visited from that information. Spoofers take advantage of this and developed custom browsers that could copy the header information of the premium legitimate sites to capture the ad dollars. At the end of the day, ads will be served on random low-quality sites instead of the intended sites.

– Cross-domain Embedding

Another simple approach used by fraudsters to spoof domains is nesting iframes. Suppose the fraudsters have two websites – one with high traffic and low-quality or non-brand safe content, another one with low traffic and high-quality and brand-safe content.

The fraudsters will nest iframes to show the ads to the low-quality site, while the advertisers bid for the high-quality content site. In other words, the parent domain is not the one where the ads are being displayed. Instead, the nested domain (low-quality site) shows the ads to its readers and captures the ad dollars in the name of the parent domain.

– URL Substitution

To make things worse, in the RTB ecosystem, publishers reveal their domain ID and label of their site ID occasionally. Fraudsters use this opportunity to spoof the inventories and represent themselves as “forbes.com” (for example). Spoofers usually deceive the advertisers by substituting the fake URL at the bid time by supplying a spoofed domain to the ad exchanges.

How to Detect and Stop Domain Spoofing?

With the right strategy, publishers can protect themselves against domain spoofers and make sure their website is safe. Here’s a list of some of the recommendations for you:

1. Add Ads.txt file on your root domain in order to offer greater control over the ads served by the ad-tech partners.
2. Partner with the right ad verification and measurement company like Integral Ad Science and WhiteOps to detect advanced domain spoofing types.
3. Reconcile bids with the reported ad impressions in order to detect the discrepancies.

Conclusion

Obviously, the increasing ad spends attracted the attention of fraudsters and now, we’re in the need of working towards a solution. If you believe in the blockchain, you have to wait, and here’s the proof.  So far, Ads.txt, initiated by the IAB Tech Lab is the most reliable way to prevent losing your impressions to spoofers.

“I think ad exchanges are in the best position to filter sellers”

– Dan Davies, SVP and director of media sciences, MullenLowe’s Mediahub.

However, it couldn’t eradicate 100% of the domain spoofing. As we evolve, fraudsters upgrade their technology. And, when we see Methbots, it is apparent that fraudsters know what they’re doing. We believe it’s up to all of the players in the ad tech chain to bring transparency and eradicate the practice. Interested in receiving more insights every week, here you go.