Domain spoofing: Why it happens, how it happens and how to stop it
February 12th, 2015 | Andrew Casale, President & CEO, Index Exchange
Commonly and with little difficulty, bad actors are defrauding the digital marketplace. They’re playing tricks to make exchanges think they’re selling inventory from reputable, premium publishers – often at bargain basement rates – when in fact the domain name offering the inventory provides only junk, creating problems for everyone in the business.
We’re not talking about bot fraud here. It’s called domain spoofing. The underlying impressions and users are real. The issue involves taking an undervalued asset – a leaderboard on a torrent site, for example – and masquerading it as a premium asset, such as that same leaderboard appearing on a first-tier news site.
When this topic comes up, discussion normally focuses on how domain spoofing harms the buy side. It inundates programmatic buys with junk inventory, throws off KPIs, violates the implied security of whitelists and effectively steals budgets from marketers. But in reality, the process damages digital publishers similarly.
While some publishers today struggle with bottom lines, bad actors take millions of dollars out of the marketplace on the backs of their namesakes. If a genuine impression costs $10 and a fake one costs $1, and both bear the same premium publisher domain name, the $1 impression will siphon budget away from the rightful publisher’s wallet.
Furthermore, when buyers realize they’ve bought a bad impression, they might not realize they have been duped. They could simply blame and punish the credible publisher, removing its domains from whitelists or adding them to blacklists. It’s a scary thought, but in practice it’s reasonable to imagine it happens every day.
Why It Happens
Why is domain spoofing so pervasive? Let’s start with the presupposition that marketers and agencies hold established, premium publishers in high esteem. Experienced marketers know these publishers are suitable places for their brands to appear, so they place premium publishers on whitelists.
Whitelists are intended to be a strong line of defense for brand safety. They also benefit premium publishers. Domains with good reputations enjoy a wider array of brands bidding on them and higher-than-average bid prices.
Unfortunately, the reliance on whitelists also opens a door for domain spoofing. If a seller with no credibility or quality content can choose between registering under their true identity, which is cheaper, and pretending to be someone else, who is more valuable, they will find a way to pretend. Don’t ever underestimate how clever and greedy the pretenders can be.
How It Happens
The most common methods employed by domain spoofers fall into two categories. The first method involves “manufactured” impressions enabled by malware that individual users accidentally install on their computers. The malware injects ads into websites the user normally views. If a user is browsing The New York Times website, malware can inject an ad of its own atop the website, put the ad out for bid in an exchange, identify the user as being on the Times’ site and sell the ad for an unbeatably low price that’s naturally highly desirable to a buyer. But the ad should never have been delivered to the user’s computer in the first place because it comes from the malware, not the Times.
The scary part about this method is it can be very hard to detect these junk impressions, and just as difficult to tell exactly how pervasive and damaging they are, even using verification techniques. The user is real and they’re actually on a premium publisher site, but the price of the inventory is often far out of whack and the money never reaches the intended publisher.
The second method involves bad actors modifying the markup in ad tags to reflect any domain they want. When you’re a publisher working with an exchange, the exchange gives you an ad tag that contains code to identify the domain the user is on. Exchanges trust that their markup is accurate, but the code can be deleted and replaced with a static domain identifier, enabling bad actors to impersonate anyone. All they need to do is alter a bit of code and start trading. We often see this used by piracy sites to avoid blacklists. Buyers routinely blacklist piracy sites because they don’t want to risk associating their brands with piracy. The problem is that piracy sites have countered by modifying ad tags to present themselves as something other than what they truly are.
How To Stop It
Domain spoofing is so widespread because programmatic today primarily relies on domain names to infer trust.
Publishers have the power to start addressing this practice both meaningfully and proactively by monitoring and protecting their identities. To do this, a publisher can retain the services of a DSP, as many already do through their own audience extension efforts, and direct a campaign to only bid on their domain portfolio. If they see their domains in exchanges where they know they’re not doing business, it’s time to pull in the legal team and start sending letters. This will put pressure on exchanges to think about how they can better avoid unwanted spoofers.
Another solution to spoofing that I’ve spoken and written about involves moving away from our overreliance on domains as a key of trade by introducing payee IDs. This entails developing an updated model where in order for an impression to be placed for bid by an exchange, the exchange must disclose not just the domain name connected to it but also the name that will actually show on the seller’s paycheck. The introduction of this simple criterion would address and curtail fraud before, not after, the buy. For example, you could amend a whitelist by listing “The New York Times Company” – the name that would appear on a check – instead of “nytimes.com,” which could be spoofed.
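The two checks described in this section, exchange monitoring and a payee-name whitelist, can be combined into one audit over the bid opportunities a monitoring campaign observes. The sketch below is an added example, not code from this article or from Index Exchange; every domain, exchange and payee name in it is constructed, and the "payee" field assumes exchanges disclose it as the payee-ID proposal would require.

```python
from collections import Counter

# Constructed sample data: all names below are hypothetical.
PORTFOLIO = {"example-news.test", "example-sports.test"}  # the publisher's own domains
AUTHORIZED_EXCHANGES = {"exchange-a", "exchange-b"}       # where the publisher really sells
PAYEE_ALLOWLIST = {"Example News Company"}                # name on the seller's paycheck

# Bid opportunities seen by a campaign that bids only on PORTFOLIO domains.
OBSERVED = [
    {"exchange": "exchange-a", "domain": "example-news.test", "payee": "Example News Company"},
    {"exchange": "exchange-c", "domain": "example-news.test", "payee": "Fast Media Ltd"},
    {"exchange": "exchange-b", "domain": "WWW.Example-News.test.", "payee": "Fast Media Ltd"},
    {"exchange": "exchange-c", "domain": "example-sports.test", "payee": None},
    {"exchange": "exchange-a", "domain": "unrelated.test", "payee": "Other Co"},
]

def normalize(domain):
    """Lower-case, drop a trailing dot and a leading 'www.' so variants compare equal."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d

def classify(record):
    """Return the reasons a record looks spoofed; an empty list means genuine or out of scope."""
    if normalize(record["domain"]) not in PORTFOLIO:
        return []  # not one of our domains, nothing to police
    reasons = []
    if record["exchange"] not in AUTHORIZED_EXCHANGES:
        reasons.append("unauthorized_exchange")
    if record["payee"] is None:
        reasons.append("payee_not_disclosed")
    elif record["payee"] not in PAYEE_ALLOWLIST:
        reasons.append("payee_mismatch")
    return reasons

def report(records):
    """Collect flagged records and count them per exchange for follow-up."""
    flagged = [(r, why) for r in records if (why := classify(r))]
    per_exchange = Counter(r["exchange"] for r, _ in flagged)
    return flagged, per_exchange

if __name__ == "__main__":
    flagged, per_exchange = report(OBSERVED)
    for rec, why in flagged:
        print(rec["exchange"], normalize(rec["domain"]), ",".join(why))
    print(dict(per_exchange))
```

The third record shows why the payee check adds something the exchange check cannot: the domain is offered on an exchange where the publisher does sell, so only the name on the paycheck gives it away.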
It Takes A Village
Just recently, the 4As and ANA agreed to join the IAB to form a new cross-industry compliance organization to help combat ad fraud, malware and other challenges holding back the industry. Representing different stakeholders across the purchase funnel, these trade groups are coming together to ensure greater transparency around who is getting paid and who is doing the paying. Right now, there are no hoops and no barriers to entry. Some sort of certification program will be inevitable, but what form it takes and how it will manifest has yet to be determined.
Ultimately, we need to think about new industry-wide protocols to prevent fraud, rather than catch it in the act. In the interim, we need to take action to stop getting played. Publishers can identify the exchanges where they are and aren’t selling and police their own identities. Until we see the implementation of new industry-wide protocols, these practices will help ensure media dollars intended for credible publishers rightfully make it there.
This article was originally published on December 17, 2014 on Ad Exchanger as part of “The Sell Sider”, a column written for the sell side of the digital media community.
Andrew Casale
Andrew has been with Index Exchange, and its predecessor Casale Media, since the company was founded in 2001. In his role as President and CEO, Andrew is responsible for overseeing the development and execution of Index Exchange’s new and evolving products, as well as managing the needs of its thriving marketplace across the supply, demand and technology business units within the organization. He is a respected industry thought leader and speaks frequently on the topic of programmatic and exchange traded media.