The ad tech industry faces a lot of challenges as it evolves to accommodate both advertisers and publishers. Arguably, the greatest thorn in the industry’s side is ad fraud, and out of all the various types of ad fraud, domain spoofing remains the most prominent—and biggest pain in the you-know-what—for all the industry players involved.
However, it should be noted that out of everyone who participates in the ad tech industry, publishers get hit the hardest by ad fraud and domain spoofing.
This is primarily because advertisers can pause or cancel their campaigns once they become aware of fraudulent activity. From there, they typically avoid any site associated with a fraud alert, which means an innocent publisher whose domain was spoofed ends up blacklisted, so to speak, and loses the advertisers who once bought from it.
Since domain spoofing is known to be the most common type of ad fraud, we’re going to go into detail about what it is, how it works, and what publishers like you can do to prevent it.
Keep reading to learn more.
What Exactly Is Domain Spoofing?
Put simply, domain spoofing is when a cybercriminal impersonates a legitimate website or email domain to fool someone. In the classic case, the objective is to pose as a trusted site or sender, gain the victim's confidence, and harvest their valuable personal information.
Outside ad tech, domain spoofing is mostly seen in phishing attacks, where the goal is to steal credentials, credit card details, social security numbers, or to trick the victim into sending money to the scam artist. In the ad tech world, domain spoofing is used to commit ad fraud by tricking advertisers into paying for ads that are declared as running on a premium website but are actually served somewhere else, or never shown to a real person at all. (FYI, the advertisers never get the placements they paid for, and the real publisher never sees the money.)
It should be noted that domain spoofing is not the same as DNS spoofing, DNS cache poisoning, or BGP hijacking. Those attacks redirect users to an attacker's server by tampering with name resolution or network routing, so the browser really does connect to the wrong place. They are also far more complex than simply claiming a domain name you don't own or copying the look of a legitimate website.
How Domain Spoofing Affects Publishers
How exactly does domain spoofing affect publishers?
Here’s an example:
In 2017, the Financial Times audited where its inventory was being sold and found that ad fraudsters had spoofed its domain and were selling fake FT display inventory on 10 ad exchanges and fake FT video inventory on 15 exchanges.
The Financial Times does not sell programmatic video ads at all.
The sellers collecting money from those exchanges had no connection to FT.com, so FT will never see that money, which was estimated at over $1.3 million for each month the spoofing continued.
How Does Domain Spoofing Work?
Generally speaking, domain spoofing works by misrepresenting inventory to an ad exchange, ad network, or SSP rather than by breaking into it. Exactly how it is carried out depends on the mechanics of the exchange and on what, if anything, the exchange verifies at transaction time.
In a real-time bidding auction the seller declares the page URL and domain in the bid request, and buyers have little opportunity to verify that declaration before the auction closes. That ambiguity lets domain spoofers submit a premium publisher's URL at bid time instead of the domain the ad will actually run on.
Additionally, there are several specific types of domain spoofing:
Malware
Malware is the most common way of pulling off domain spoofing because it doesn't require the fraudster to tamper with ad tags or header information to interfere with real-time bidding (RTB). Instead, they infect users' machines by getting them to download malware disguised as legitimate software, and the infected browser then does the work on the real website.
For example, you may get redirected to a new window where a software file suddenly begins downloading without warning or permission. This is usually an attempt to infect your browser, although not every redirect ends in a malware attack.
From there, the malware continuously injects ads into the legitimate websites your users visit, and the fraudsters collect on impressions that appear to come from the publisher's own pages even though the publisher never placed them.
Custom browsers
RTB relies heavily on the header information the browser sends with each request, in particular the referrer, which is how exchanges and advertisers learn which site an impression comes from.
Fraudsters capitalize on this by building custom browsers, or bots, that send header information copied from premium websites in order to yank those sites' ad dollars. Buyers see a premium domain and bid accordingly, but the ads actually run in the fraudster's traffic on low-quality, random sites rather than on the site whose headers were copied.
Cross-domain embedding
Nesting iframes is another spoofing approach. In this case, the fraudster controls two websites: one with high traffic and low-quality, brand-unsafe content, and one with low traffic and high-quality, brand-safe content.
They deliberately nest the brand-safe site's ad slot inside an iframe on the low-quality site. The ad tag, running inside that iframe, reports the brand-safe domain, so advertisers bid for the high-quality site while the ads actually display on the low-quality one. It's a bait and switch: ad dollars meant for the brand-safe domain are collected even though the ads are never displayed there.
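To see why the nested-iframe trick works, here is an added example in JavaScript (not code from the original article) showing what an ad tag can learn from inside a frame. The helper names inspectFrameContext and makeFrameTree are this example's own, and the domains are constructed. The tag can always read its own frame's URL, which is what ends up declared in the bid request, but once the parent frame is cross-origin the browser's same-origin policy prevents it from reading where it really is.

```javascript
// Added example, not code from the original article: what an ad tag running in a
// nested iframe can actually learn about the page the user is really on.
// inspectFrameContext() is the check; makeFrameTree() is a constructed stand-in for a
// browser frame tree so the check can run outside a browser. In a real ad tag you
// would call inspectFrameContext(window) and drop makeFrameTree() entirely.

const viewCache = new WeakMap(); // real frame -> Map(viewerOrigin -> cross-origin view)

// Model of the browser's same-origin policy: a frame may hold a reference to a
// cross-origin frame and walk .parent/.top through it, but reading its .location
// throws a SecurityError-style exception.
function viewFrom(target, viewerOrigin) {
  if (target.origin === viewerOrigin) return target;          // same-origin: full access
  let perViewer = viewCache.get(target);
  if (!perViewer) { perViewer = new Map(); viewCache.set(target, perViewer); }
  if (!perViewer.has(viewerOrigin)) {
    perViewer.set(viewerOrigin, {
      get location() { throw new Error("SecurityError: blocked cross-origin frame access"); },
      get parent() { return viewFrom(target._parent, viewerOrigin); },
      get top() { return viewFrom(target._top, viewerOrigin); },
    });
  }
  return perViewer.get(viewerOrigin);
}

// Build a frame tree from a list of origins, outermost first. Returns the innermost
// frame, which is where the ad tag executes. ancestorOrigins mirrors Chromium's
// location.ancestorOrigins: immediate parent first, top-level page last.
function makeFrameTree(origins) {
  const frames = origins.map((origin, i) => ({
    origin,
    location: { href: origin + "/", ancestorOrigins: origins.slice(0, i).reverse() },
  }));
  frames.forEach((f, i) => {
    f._parent = i === 0 ? f : frames[i - 1];   // the top frame is its own parent, as in browsers
    f._top = frames[0];
    Object.defineProperty(f, "parent", { get: () => viewFrom(f._parent, f.origin) });
    Object.defineProperty(f, "top", { get: () => viewFrom(f._top, f.origin) });
  });
  return frames[frames.length - 1];
}

// The check an ad tag (or a verification script) can perform from inside its frame.
function inspectFrameContext(win) {
  const ctx = { nested: win.top !== win, depth: 0, topUrl: null, ancestorOrigins: [], note: "" };
  for (let w = win; w !== w.parent; w = w.parent) ctx.depth += 1;  // count frames above us
  try {
    ctx.topUrl = win.top.location.href;   // readable only if the top page is same-origin
  } catch (e) {
    ctx.note = "top frame is cross-origin: the page the user is really on cannot be read from here";
  }
  const ao = win.location.ancestorOrigins;   // Chromium only; undefined in Firefox
  if (ao && ao.length) ctx.ancestorOrigins = Array.from(ao);
  return ctx;
}

// Constructed scenario: the brand-safe site's page is embedded by the low-quality site.
// The tag's own location says premium-news.example, which is what gets declared in the
// bid request; only the ancestor list (where the browser exposes it) betrays the real parent.
const spoofed = inspectFrameContext(
  makeFrameTree(["https://lowquality.example", "https://premium-news.example"]));
const honest = inspectFrameContext(makeFrameTree(["https://premium-news.example"]));
console.log(JSON.stringify(spoofed, null, 1));  // nested: true, depth: 1, topUrl: null
console.log(JSON.stringify(honest, null, 1));   // nested: false, depth: 0, topUrl set
```

The practical consequence is that a verification script inside the ad slot can tell it is framed (win.top !== win) and how deep, but not by whom, unless the browser exposes ancestorOrigins or the parent leaks a referrer. That is exactly the blind spot the bait and switch relies on, and it is why buyers treat unexplained nested impressions from a premium domain as a red flag.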
URL substitution
URL substitution happens because publishers' domain IDs and site IDs are visible within the RTB environment. That gives fraudsters the opportunity to spoof a publisher's inventory by declaring the real publisher's domain, and sometimes its IDs, in their own bid requests. The exchange then shows the spoofed domain to advertisers at bid time, and they bid on what looks like the genuine site.
How to Detect and Stop Domain Spoofing?
There are a handful of things that publishers can do to protect themselves against domain spoofing to ensure their websites remain safe. Here are a few strategies you can try out right away:
- Add an ads.txt file to your root domain (served at /ads.txt) listing every exchange and reseller authorized to sell your inventory, so buyers can reject bid requests that claim your domain through any other seller
- Partner with a reputable ad verification and measurement company, such as WhiteOps or Integral Ad Science, to automatically detect advanced domain spoofing
- Reconcile your bid-level records against the ad impressions your partners report, and investigate any discrepancies
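The ads.txt item above is the publisher's half of a check that the buyer completes, and it is the most direct answer to the URL substitution technique described earlier. The following added example (not code from the original article or from any ad tech vendor) shows both halves in JavaScript: a small ads.txt parser and the authorization decision a buyer makes on an incoming OpenRTB bid request. The domains, publisher IDs, the ads.txt body and the bid requests are all constructed, and the function names parseAdsTxt, authorizeSeller and checkBidRequest are this example's own. A production check would also handle subdomain= and ownerdomain= entries, sellers.json and caching, which are omitted here.

```javascript
// Added example, not code from the original article or any ad tech vendor: a minimal
// ads.txt parser plus the authorization check a buyer can run on an OpenRTB bid request.
// Every domain, ID and request below is constructed for this example.

// Constructed ads.txt as it would be served at https://premium-news.example/ads.txt
const ADS_TXT = `
# ads.txt for premium-news.example (constructed sample)
contact=adops@premium-news.example
goodexchange.example, 12345, DIRECT, 0123456789abcdef
resellerhub.example, 77001, RESELLER
goodexchange.example, 12345, DIRECT   # duplicate of the first record, harmless
`;

// Parse one ads.txt body into seller records and variable lines.
// Record format: <exchange domain>, <seller account id>, DIRECT|RESELLER[, <cert authority id>]
function parseAdsTxt(text) {
  const records = [];
  const variables = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim();           // drop comments and whitespace
    if (!line) continue;
    const eq = line.indexOf("=");
    if (eq > 0 && !line.includes(",")) {                     // variable line such as contact=...
      variables[line.slice(0, eq).trim().toLowerCase()] = line.slice(eq + 1).trim();
      continue;
    }
    const fields = line.split(",").map(s => s.trim());
    if (fields.length < 3) continue;                         // malformed record: ignore it
    const relationship = fields[2].toUpperCase();
    if (relationship !== "DIRECT" && relationship !== "RESELLER") continue;
    records.push({
      domain: fields[0].toLowerCase(),
      sellerId: fields[1],
      relationship,
      certAuthId: fields[3] || null,
    });
  }
  return { records, variables };
}

// Is the pair (exchangeDomain, sellerId) allowed to sell this publisher's inventory?
function authorizeSeller(adsTxt, exchangeDomain, sellerId) {
  const hit = adsTxt.records.find(r =>
    r.domain === exchangeDomain.toLowerCase() && r.sellerId === String(sellerId));
  return hit ? hit.relationship : "UNAUTHORIZED";
}

// exchangeDomain is the exchange the buyer actually received the request from. It is
// known from the integration itself and must never be read out of the bid request,
// because the request's site fields are exactly what a spoofer controls.
function checkBidRequest(bidRequest, exchangeDomain, adsTxtByDomain) {
  const site = bidRequest.site || {};
  const domain = (site.domain || "").toLowerCase();
  const pubId = site.publisher && site.publisher.id;
  if (!domain || !pubId) {
    return { verdict: "REJECT", reason: "request does not declare site.domain and site.publisher.id" };
  }
  const adsTxt = adsTxtByDomain[domain];
  if (!adsTxt) return { verdict: "UNKNOWN", reason: `no ads.txt fetched for ${domain}` };
  const relationship = authorizeSeller(adsTxt, exchangeDomain, pubId);
  if (relationship === "UNAUTHORIZED") {
    return { verdict: "REJECT", reason: `${exchangeDomain} / seller ${pubId} is not listed in ${domain}/ads.txt` };
  }
  return { verdict: "ACCEPT", relationship };
}

// What a buyer's ads.txt crawler would have cached (constructed).
const ADS_TXT_INDEX = { "premium-news.example": parseAdsTxt(ADS_TXT) };

// Genuine request: arrives via goodexchange.example under the publisher's real account.
const genuine = { id: "b1", site: { domain: "premium-news.example",
  page: "https://premium-news.example/markets", publisher: { id: "12345" } } };
// URL substitution: identical declared site, but sold through the fraudster's own
// account on the same exchange. Only ads.txt tells the two requests apart.
const substituted = { id: "b2", site: { domain: "premium-news.example",
  page: "https://premium-news.example/markets", publisher: { id: "99999" } } };

console.log(checkBidRequest(genuine, "goodexchange.example", ADS_TXT_INDEX));      // ACCEPT, DIRECT
console.log(checkBidRequest(substituted, "goodexchange.example", ADS_TXT_INDEX));  // REJECT
console.log(checkBidRequest(genuine, "sketchy-exchange.example", ADS_TXT_INDEX));  // REJECT
```

Two design points matter here. The exchange identity comes from the buyer's own integration, never from the request, and a domain with no cached ads.txt is reported as UNKNOWN rather than silently accepted, so a publisher that has not yet published the file is visibly unprotected instead of appearing clean.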
Unfortunately, there’s no way to get rid of ad fraudsters completely, especially now that ad spending has increased, attracting more and more cybercriminals to the ad tech world. Aside from the prevention solutions listed above, it’s up to the players within the ad tech industry to be as transparent as possible to guard against fraudulent activity within the ad exchanges.