InContext / An inside look at the business of digital content

The four types of domain spoofing

March 28, 2018 | By Alan Krumholz, Director, Data Science Fraud Lab—Integral Ad Science @integralads

“More than $1m lost in revenue due to domain spoofing,” “FT warns advertisers after discovering high levels of domain spoofing,” “Domain spoofing remains a huge threat to programmatic.” These are just a handful of the dire headlines you’ve probably seen scrolling through your feed in the past year blaring warnings about the rising threat of an insidious form of ad fraud called domain spoofing. If, after reading a few of these, you’re tempted to hide under your desk, we won’t blame you. After all, most outlets focus on the massive costs and increasingly common occurrence of domain spoofing without really unpacking what it is, how it’s accomplished, and how it can be addressed.

The simple definition of domain spoofing, “a practice through which fraudsters pass off low quality inventory as a high-quality or premium site,” is a useful crutch for explaining the basic concept, but it doesn’t really explain the method. Domain spoofing isn’t monolithic. This type of fraud actually falls into four main categories, two of which are fairly simple and two of which are more sophisticated. Let’s break it down:

Simple Domain Spoofing

1. URL Substitution

How it works: The simplest form of domain spoofing is also the easiest to detect. Fraudsters deceive the advertisers at bid time by substituting a fake URL through the exchange or ad network that’s hosting the auction. In this instance, fraudsters aren’t actually doing much to cover their tracks. The ad is going to serve on a different site than the one you bid on.

How to stop it: Fraudsters engaged in this form of domain spoofing are relying on advertisers not to check their work. Reconciling bids with reported impressions will quickly reveal discrepancies. However, for high volume advertisers, that kind of manual reconciliation can’t always happen efficiently. Sharing data with a third-party verification service such as IAS makes it possible to detect ads running on any unapproved URLs, which reliably detects and reports this type of spoofing.

2. Cross-domain embedding

How it works: Fraudsters pair together two sites, one with high traffic and low quality content and another with low traffic and totally safe content. Using a custom iframe, they are able to open an ad-sized version of the safe site within the unsafe site, exposing the ad to that site’s higher traffic volume. This tactic is favored by publishers who own sites containing unfavorable material like pornography, fake news, or hate speech communities, all of which can attract large amounts of traffic but are difficult to monetize with traditional brands. Operators either partner with low-traffic sites in a profit-sharing arrangement or simply operate the low-traffic site themselves as a front.

How to stop it: Unfortunately, manual reconciliation isn’t likely to catch this type of spoofing since the ad is actually being served to a safe site which is then being opened within an unsafe environment. However, a third-party verification partner can tell where the user’s browser actually is and compare that URL to the URL to which the ad was served, thus identifying this type of spoofing.
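The two checks described for simple domain spoofing, as an added example that is not from the original article and is not IAS's implementation: it reconciles the URL declared at bid time with the URL the ad was served into (URL substitution), then with the top-level page the browser was on (cross-domain embedding). The record fields, auction ids and `.example` domains are constructed for illustration.

```python
from urllib.parse import urlsplit

def host(url):
    """Lowercase hostname of a URL with a leading 'www.' removed."""
    h = urlsplit(url).hostname or ""
    return h[4:] if h.startswith("www.") else h

def classify(bid, imp):
    """Compare one bid record with the measurement for the same auction.

    bid["declared_url"] : URL the exchange announced at bid time
    imp["served_url"]   : URL of the document the ad was delivered into
    imp["top_url"]      : URL of the top-level page the browser was on
    Hosts are compared exactly; comparing registrable domains is left out.
    """
    declared = host(bid["declared_url"])
    served = host(imp["served_url"])
    top = host(imp["top_url"])
    if served != declared:
        return "url_substitution"        # ad ran on a site other than the one bid on
    if top != served:
        return "cross_domain_embedding"  # safe site framed inside another site
    return "ok"

def reconcile(bids, impressions):
    """Map each auction id to a verdict; bids with no impression are reported too."""
    by_id = {i["auction_id"]: i for i in impressions}
    report = {}
    for bid in bids:
        imp = by_id.get(bid["auction_id"])
        report[bid["auction_id"]] = classify(bid, imp) if imp else "no_impression"
    return report

# Constructed sample records (hypothetical field names and domains).
BIDS = [
    {"auction_id": "a1", "declared_url": "https://www.premium.example/news"},
    {"auction_id": "a2", "declared_url": "https://premium.example/sport"},
    {"auction_id": "a3", "declared_url": "https://front.example/"},
    {"auction_id": "a4", "declared_url": "https://premium.example/tech"},
]
IMPRESSIONS = [
    {"auction_id": "a1", "served_url": "https://premium.example/news",
     "top_url": "https://premium.example/news"},
    {"auction_id": "a2", "served_url": "https://lowquality.example/page",
     "top_url": "https://lowquality.example/page"},
    {"auction_id": "a3", "served_url": "https://front.example/",
     "top_url": "https://hightraffic.example/video"},
]

if __name__ == "__main__":
    print(reconcile(BIDS, IMPRESSIONS))
```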

Complex Domain Spoofing

1. Custom Browsers

How it works: Using a custom browser, bots can visit any site on the internet, including sites that aren’t reachable using commercial browsers. These bots can make the URL of the site that a user is visiting appear to be a different, seemingly premium site. So when an ad reads the URL from the browser it will be served on, it reports back the spoofed URL.

How to stop it: The flexibility of these bot-driven custom browsers provides the foundation for their undoing. For example, IAS verification and measurement solutions can single out and block this type of activity with our browser and device matching technology, which helps us to identify non-human browsers.

2. Human browsers

How it works: This type of domain spoofing is similar to common forms of adware. When a human browser visits a premium site on an infected machine, malware will inject an ad inside the page. Operators of premium sites aren’t paid for these injected ads. Instead, fraudsters collect the revenue.

How to stop it: This type of fraud is difficult to detect on the page. Currently, solutions like ads.txt can provide some relief by offering greater control over the way ads are transacted upon and exchanged. However, because these browsers are able to visit normally non-browsable sites, it’s possible to detect this type of activity by looking for reported URLs that match sites that a human browser could not visit.
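How a buyer can use the ads.txt file mentioned above, shown as an added example that is not from the original article: it parses the comma-separated records of a publisher's ads.txt (ad system domain, seller account ID, DIRECT or RESELLER) and checks whether the seller offering the inventory is listed. The file contents, domains and account IDs are constructed.

```python
def parse_ads_txt(text):
    """Return {(ad_system_domain, seller_account_id): relationship}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:                        # blank, variable or malformed line
            continue
        domain, account, rel = fields[0].lower(), fields[1], fields[2].upper()
        if rel in ("DIRECT", "RESELLER"):
            records.setdefault((domain, account), rel)
    return records

def seller_relationship(records, ad_system, seller_id):
    """'DIRECT' or 'RESELLER' if the publisher lists this seller, else None."""
    return records.get((ad_system.lower(), seller_id))

# Constructed ads.txt body for a hypothetical publisher, premium.example.
SAMPLE_ADS_TXT = """\
# ads.txt for premium.example (constructed sample)
exchange-a.example, 1001, DIRECT, abc123   # publisher's own seat
exchange-b.example, 77-XY, RESELLER
contact=adops@premium.example
not a valid record
"""

RECORDS = parse_ads_txt(SAMPLE_ADS_TXT)

if __name__ == "__main__":
    # (ad system, seller id) pairs as they might appear in bid requests (constructed).
    for ad_system, seller in [("exchange-a.example", "1001"),
                              ("Exchange-B.example", "77-XY"),
                              ("exchange-a.example", "9999")]:
        verdict = seller_relationship(RECORDS, ad_system, seller) or "UNAUTHORIZED"
        print(f"{ad_system} seller {seller}: {verdict}")
```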

The Diagnosis

Domain spoofing presents a unique challenge for the buy and sell-side alike. Whether it’s committed through simple dishonesty at the bid level or through more complex means involving malware, the cost in both industry trust and advertising dollars – equal to nearly $16.4 billion in 2017 – is significant. Verification technology can help to eliminate or mitigate these executions of domain spoofing, but the underlying cause also needs to be addressed.

The fundamental challenge of domain spoofing is that individuals are able to offer inventory to which they have no right. The practice of reselling vastly expands the lists of individuals approved to trade the impressions of premium brands, making it easier to obscure this type of fraud. As we continue to mitigate this type of fraud at the technical level, there is also a need for greater controls at the market level to put a stop to these transactions on a more permanent basis.
