What Is Domain Spoofing?

Reading time: 5 minutes

The ad tech[6] industry faces a lot of challenges as it evolves to accommodate both advertisers and publishers. Arguably, the greatest thorn in the industry’s side is ad fraud[7], and out of all the various types of ad fraud, domain spoofing remains the most prominent—and biggest pain in the you-know-what—for all the industry players involved.

However, it should be noticed that out of everyone who participates within the ad tech industry, publishers get hit the hardest by ad fraud and domain spoofing. 

This is primarily because advertisers can pause or cancel their campaigns once they’ve become aware of ad fraud activity. From there, they’ll typically avoid any sites associated with fraudulent alerts which essentially results in innocent publishers becoming blacklisted, so to speak, losing out on their once-loyal following.

Since domain spoofing is known to be the most common type of ad fraud, we’re going to go into detail about what it is, how it works, and what publishers like you can do to prevent it.

Keep reading to learn more.

What Exactly Is Domain Spoofing?

Put simply, domain spoofing is when a cybercriminal fakes a website or email domain to try and fool users. Their objective is to trick users into engaging with a phishing scam by posing as a legitimate website or email to gain their trust and obtain their valuable and personal information.  

Domain spoofing is always used in phishing attacks, and the goal is to always steal credentials, credit card details, social security numbers, or to trick the victim into sending money to the scam artist. In regards to the ad tech world, domain spoofing is used to commit ad fraud by tricking advertisers into shelling out money for ads on a bogus website. (FYI—the advertisers never get those ads).

It should be noted that domain spoofing is not the same as DNS spoofing, cache poisoning, or BGP hijacking. These are other ways in which cybercriminals get users to engage with a fake website for personal gain. They’re also much more complex than faking a domain name and the look of a legitimate copy-cat website.   

How Domain Spoofing Affects Publishers

How exactly does domain spoofing affect publishers? 

Here’s an example:

In 2017, The Financial Times ran an audit of their website and found that ad fraudsters had spoofed their domains and were selling display inventories on multiple ad exchanges (10 to be exact) as well as 15 video ads[8] on 15 different exchanges. 

The Financial Times does not sell programmatic video ads—ever.

Additionally, the website that collected money from these ad exchanges did not actually belong to FT.com. Therefore, FT.com will never see that money, which was estimated to be over $1.3 million for each month the domain spoofing continued.

How Does Domain Spoofing Work?

Generally speaking, domain spoofing works to compromise an ad exchange[3], ad network[4], or an SSP[1]. The malicious act can be carried out through several different inner-mechanisms and transactional capabilities, depending on the schematics of the exchange. 

Since there’s a fair amount of ambiguity in real-time bidding[2] auctions, domain spoofers are able to move freely and post up the spoofed URL at the time of bidding rather than the legitimate one.

Additionally, there are several specific types of domain spoofing:


Malware is the most common way of domain spoofing because it doesn’t require cybercriminals to corrupt ad tags or header information to mess with the real-time bidding (RTB). They can simply “bug” the real website domains by getting users to download the malware by masking it as abstract software. 

For example, you may end up getting redirected to a new window where a software file suddenly begins downloading without warning or permission. This is usually an attempt to bug your browser, although not all redirects will result in a malware attack.

From there, the cybercriminals will continuously inject ads into the websites that your users are viewing and collect on the impressions. 

Custom browsers

RTB mostly depends on the header information that’s sent by the browser, which also allows advertisers to get acquainted with the sites being visited from that information alone. 

This is another place where ad fraudsters capitalize as they can create custom browsers that are able to copy the header information from premium websites to yank their ad dollars. This results in the ads being served on low-quality and random sites rather than the intended ones.

Cross-domain embedding

Nesting iframes are another spoofing approach. In this case, the fraudsters will have one of two websites: One with high traffic and low-quality, unsafe brand content or one with low traffic and high-quality, brand-safe content.

They’ll purposely nest the iframes to show the ads to the low-quality site while advertisers bid for the high-quality site. Essentially, it’s a bait and switch move where ad dollars are being yanked from the parent domain even though the ads are not actually being displayed there. 

URL substitution

URL substitution happens simply because publishers tend to reveal their domain ID and site ID within the RTB environment. This lends cybercriminals the opportunity to spoof their inventories, pretending to be the actual publisher[9]’s website. From there, they’re able to deceive advertisers with a fake URL during the time of bidding by showing the spoofed domain in the ad exchanges. 

How to Detect and Stop Domain Spoofing?

There are a handful of things that publishers can do to protect themselves against domain spoofing to ensure their websites remain safe. Here are a few strategies you can try out right away:

  • Add an Ads.txt[10] file to your root domain to gain better control over the ads being served by your ad tech partners
  • Partner with an ad verification and measurement company with a good reputation, such as WhiteOps or Integral Ad Science to automatically detect advanced domain spoofing
  • Restore the bid relationships with the reported ad impressions to find any other discrepancies[5] 

Unfortunately, there’s no way to get rid of ad fraudsters completely, especially now that ad spending has increased, attracting more and more cybercriminals to the ad tech world. Aside from the prevention solutions listed above, it’s up to the players within the ad tech industry to be as transparent as possible to guard against fraudulent activity within the ad exchanges.

1. Supply-Side Platform [SSP] ( SSP ) A technology platform that provides outsourced media selling and ad network management services for publishers. The business model resembles that of an ad network in that it aggregates ad inventory, however they serve publishers exclusively and do not provide services for advertisers (e.g., FreeWheel, SpotX).
2. real-time bidding. Real-time bidding is a technology-driven auction process where ad impressions are bought and sold almost instantaneously. Once an advertiser wins a bid for an ad impression, their ad is shown on a website. Real-time bidding plays a crucial part in the digital advertising ecosystem together with other players such as ad exchanges and supply side platforms.
3. ad exchange. An ecosystem through which advertisers, publishers, and networks meet and do business on a unified platform or system. An ad exchange allows advertisers and publishers to speak the same language in order to exchange data, set prices, and ultimately serve an ad. Popular Ad Exchanges include Google, OpenX, The Rubicon Project and AppNexus.
4. ad network. A company that serves as a broker between a group of publishers and a group of advertisers by aggregating inventory and audiences from numerous sources in a single buy. Ad networks traditionally aggregate unsold inventory from publishers in order to offer advertisers a consolidated and generally less expensive pool of impressions, but they can have a wide variety of business models and clients. In the context of ad trafficking and ad tech, the term "network" is generally taken to mean an ad network.
5. discrepancies. Discrepancies happen when there are revenue and impression discrepancies between ad servers and ad network dashboards. It is critical to know and understand ad serving so that you can maximize ad revenues as a publisher.

Recent Articles

Related Articles

Leave A Reply

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Stay connected

Don't miss out on the latest news, events and special announcements.

By submitting this form, you agree that you've read and accept our Privacy Policy as well as to receive communications from HeaderBidding.com. You may unsubscribe at any time.