How Ads.txt Can Stop Domain Spoofing

A brief primer on Domain Spoofing

Domain spoofing is a form of ad fraud in which fraudulent publishers, ad networks or exchanges try to collect higher CPM by misrepresenting a low quality site (and the nature of its traffic) to resemble a legitimate, high quality website. Domain spoofing cheats media buyers (i.e., advertisers) by getting their ads displayed on low-quality or undesirable sites. After all, premium advertisers would want their ads to be shown on high-quality sites that are visited by certain demographics with potential customers for their products or services.

Domain spoofing fraud takes advantage of technical loopholes in the real-time bidding (RTB) system used in the programmatic advertising market. The main loophole that permits domain spoofing is the fact that ad serving systems implicitly trust web browsers when they convey page header information to advertisers about what site is being visited. Fraudsters started taking advantage of advertisers’ trust in browser reporting, and developed browsers that would spoof the header information of a legitimate website, while the actual ad inventory would be served on low-quality or illegitimate sites.

Another approach to domain spoofing involves iframes, which are supposed to display information regarding the parent page on which they’re hosted. Fraudsters are able to misrepresent the parent domain by nesting iframes in a way that makes the legitimate parent site appear to be hosting the content, when in reality the iframe is displaying content from an illegitimate or low-quality site.

This way, fraudsters cheat ad buyers into thinking that they are purchasing inventory on a high-quality site, while essentially gaming the system to obtain much higher CPM pricing. Domain spoofing using iframes has become much less prevalent now because popular Webkit-based browsers such as Chrome and Safari now protect against nested iframes by determining what page an iframe is actually being displayed on.

Ads.txt to the rescue

In an effort to provide transparency to ad buyers in the programmatic advertising ecosystem, the Interactive Advertising Bureau (IAB) proposed ads.txt as a solution to domain spoofing and counterfeiting. Ads.txt stands for ‘Authorized Digital Sellers’ and constitutes an easy, no-cost option for publishers and distributors to openly list the entities they have authorized to sell their ad inventory.

To make ads.txt work, publishers are required to add a text file to their site, which contains a list of the vendors approved to sell their inventory. Ad buyers can access the ads.txt information for participating publishers, cross-check the approved vendor list it contains, and ensure they’re buying from a licensed provider

Publishers who use ads.txt can take control over their ad inventory and make it extremely difficult for fraudulent operators to benefit from the sale of fake inventory on the programmatic marketplace. This will enable a greater portion of ad expenditure going to site owners through the approved channels, and reduce the spending loss of advertisers on counterfeit inventory.

A growing number of publishers are now incorporating ads.txt into their sites to deter fraudsters. Google, the biggest player in the ad ecosystem, has started requiring publishers to implement the ads.txt program, and will downgrade the search rank of sites that do not feature it. The idea is that advertisers will stop trusting publishers which do not provide transparency about their ad partners, and adoption of ads.txt will lead to greater confidence in the publishing ecosystem.

Originally published at www.shieldsquare.com on February 23, 2018.