1 0 6000 0 600 120 30 https://headerbidding.co 960 0

Domain Spoofing – Working, Types, Examples, and Prevention.

Domain Spoofing
“Domain spoofing is probably the most common type of ad fraud”

If you’re familiar with the adtech industry, then you’ve probably heard hundreds of complaints, and even, lawsuits against ad fraud. Of all ad frauds, domain spoofing remains the most prevalent in the industry. And, when you know ad fraud alone could cost us $19 billion this year, it’s fair to be concerned.

Though both advertisers and publishers are indeed affected by the ad fraud schemes, publishers’ wounds are more severe than that of advertisers.


An advertiser can pause/cancel the underhand campaigns as soon as they’re aware of the fraudulent activity. Next time, they tend to avoid the sites from the last campaign (think, blacklisting). On the other hand, a credible publisher will lose the readers, advertisers, and some potential contributors, forever.

Of course, unless you’re Facebook or Google, it’ll be nearly impossible to gain the users and advertisers back. Do you know what’s worse?

Mid-sized and small publishers are forced to battle against the ad fraudsters without any advanced technologies (as they can’t afford one) and experience. That being said, premium publishers have their own problem with ad fraudsters and most of the time, a premium is an ideal target for fraudulent networks.

ad fraud challenges

We all know that’s the quickest way to make bucks and go AWOL. We’ve faced the issues and seen the impact, first-hand.

“Domain spoofing is probably the most common type of ad fraud”

– eMarketer

With the rise of technology and digital ad budget, ad fraudsters have also evolved and in fact, there are 30+ types of ad fraud today. However, domain spoofing is the most common type of ad fraud. If you want to prevent ad fraud, you should start with domain spoofing. 

Table of Contents


So, What is Domain Spoofing?

As the name implies, domain spoofing happens when a low-quality publisher disguises itself as a premium publisher in a programmatic marketplace.

Spoofing a premium publisher makes the ad impressions more valuable and the demand will also be typically high.

Advertisers believe their ads are showing up at the premium websites, for the right audience. The fraudsters will show them up at the low-quality websites, for the bots (sometimes, a random audience).

Methbot, the most profitable ad fraud operation to date, has spoofed 250,267 distinct URLs to falsely represent inventory

– WhiteOps

Domain Spoofing Examples

The Financial Times (FT.com) ran an audit last year and found that FT.com has been spoofed and spoofed domains were selling display inventories on 10 ad exchanges and video ads on 15 exchanges. The FT.com doesn’t sell video ads programmatically at all.

The money will never reach the publisher as the website is not even theirs. The publisher estimated the fraudsters were making over $1.3 million every month by claiming that they’re the Financial Times.

Estimated Loss: $1.3 Million Per Month.

Similarly, News UK conducted a blackout test to measure the influence of fraudsters on its brand. Just in 2 hours, News UK found out around 2.9 million bids are made on domains pretending to be News UK titles (The Sun, The Times of London).  

The publisher estimated that $950,000 was wasted every month on the spoofed domains.

Estimated Loss: $950,000 Per Month.

How Does The Domain Spoofing Work?

Though the inner-mechanism and transactional capabilities vary based on the machinations, generally, domain spoofing works by compromising the ad exchange or ad network or SSP. The domain spoofers capitalize on the ambiguity of real-time bidding and supply the spoofed URL instead of the legitimate one at the bid time.

How domain spoofing works?

Source: WhiteOps/Methbot Operation.

Types of Domain Spoofing

Domain spoofing can be easy-to-detect and sometimes, sophisticated enough to bypass the ad fraud prevention vendors. Hence, it’s imperative to know how can you be tricked. Luckily, domain spoofing isn’t intractable and you can deal with it one way or another.

Let’s start with the most common type of domain spoofing.


To mess up the RTB, fraudsters don’t essentially need to corrupt the header information or ad tag. They can bug the real browsers by making the users download the malware abstractedly. For instance, you might have come across a situation where you’ve been redirected (to a new window) and suddenly a software or file will start downloading automatically.

Not all the redirects result in malware, but some are intended to bug the browser.

What happens then?

Fraudsters will keep on injecting ads into websites that the users view and no, the money won’t end up in the publishers’ hands. If you are viewing the content on the New York Times, the malware can send out a bid saying we got an impression of the user from the nytimes.com and will indeed sell it for a lower-than-actual price.

Custom Browsers

RTB relies on the header information sent by the browser (up to an extent) and typically, advertisers get to know the sites being visited from that information. Spoofers take advantage of this and developed custom browsers that could copy the header information of the premium legitimate sites to capture the ad dollars. At the end of the day, ads will be served on random low-quality sites instead of the intended sites.

Cross-domain Embedding

Another simple approach used by fraudsters to spoof domains is nesting iframes. Suppose the fraudsters have two websites – one with high traffic and low-quality or non-brand safe content, another one with low traffic and high-quality and brand-safe content.

The fraudsters will nest iframes to show the ads to the low-quality site, while the advertisers bid for the high-quality content site. In other words, the parent domain is not the one where the ads are being displayed. Instead, the nested domain (low-quality site) shows the ads to its readers and captures the ad dollars in the name of the parent domain.

– URL Substitution

To make things worse, in the RTB ecosystem, publishers reveal their domain ID and label of their site ID occasionally. Fraudsters use this opportunity to spoof the inventories and represent themselves as “forbes.com” (for example). Spoofers usually deceive the advertisers by substituting the fake URL at the bid time by supplying a spoofed domain to the ad exchanges.


Obviously, the increasing ad spends attracted the attention of fraudsters and now, we’re in the need of working towards a solution. If you believe in the blockchain, you have to wait and here’s the proof.  So far, Ads.txt, initiated by the IAB Tech Lab is the most reliable way to prevent losing your impressions to spoofers.

“I think ad exchanges are in the best position to filter sellers”

– Dan Davies, SVP and director of media sciences, MullenLowe’s Mediahub.

However, it couldn’t eradicate 100% of the domain spoofing. As we evolve, fraudsters upgrade their technology. And, when we see Methbots, it is apparent that fraudsters know what they’re doing. We believe it’s up to all of the players in the ad tech chain to bring transparency and eradicate the practice. Interested in receiving more insights every week, here you go. 

Automatad Team

At Automatad, we help publishers to monetize better without hampering the user experience. Our products are live across hundreds of publishers, earning them incremental ad revenue with every passing second. You can request a free audit to get an estimated revenue uplift today.

adtech glossary
Previous Post
Becoming Series
Becoming The New Yor...
Adtech Weekly Roundup
Next Post
Weekly Roundup: AMPH...
    Leave a Reply