The murky market of domain spoofing in the advertising industry

There is a whopping US$56 billion at stake for advertisers in the region.

When was the first time you heard of ad fraud? Back in 2016, the World Federation of Advertisers predicted that ad fraud would become the second-largest market for organised crime. Today, it’s one of the longest-standing issues plaguing the advertising industry. With APAC’s advertising economy slated to surge by 11.2% to US$235 billion in 2022, fraudsters see this as a window of opportunity – and a well-paying one. There is a whopping US$56 billion at stake for advertisers in the region.

In this lucrative industry, the most prevalent type of ad fraud yet is domain spoofing, which is estimated to cost advertisers up to US$1 million in lost revenue per month. Domain spoofing is not a new tactic by any means, but attackers are finding new ways to manipulate domains in an increasingly complex fraud landscape. Fraudsters use this technique to trick users into interacting with unsafe or malicious websites, and it is also commonly used to trick advertisers into paying for ads shown on spoofed websites instead of legitimate ones.

Very recently, a similar situation occurred in the US, where an incident involved inaccurate ad placements over the course of nine months. At first glance, this may sound like a case of domain spoofing, but analysis found that it simply appears to be a misconfiguration that led to a misrepresentation of domains from a single authorized publisher, with limited monetary impact. This occurrence shed light on a subset of domain spoofing called domain misrepresentation, which does not mimic the characteristics of the malicious domain spoofing we typically see from fraudsters.

Yet the incident calls for attention, especially to how long it took to be discovered. The industry has made significant progress in battling domain spoofing over the last five years, but there is still work to do. Given that Southeast Asia is seeing exponential growth in internet penetration, which also equates to a boom in the advertising economy, fraudsters are standing ready on the horizon.

This incident serves as a good reminder that as the world is evolving, so are fraudsters. Just as there are various types of ad fraud present in the ad industry, there are as many subsets of domain spoofing. To combat domain spoofing, it is vital to be able to identify these subsets from the get-go. Some examples of domain spoofing include URL substitution, cross-domain embedding, and custom browsers:

  1. URL substitution occurs when fraudsters replace or replicate the URLs of legitimate websites in order to trick advertisers into placing an ad on these spoofed websites instead of legitimate ones. Think about the rise of illegitimate websites we’ve seen during COVID, with URLs that are so similar to the credible sites but with a small difference in a letter or number – this tactic is also used in advertising.
  2. Cross-domain embedding is another traditional tactic where fraudsters use iframes – an HTML component that enables developers to host videos and ads in a small window on websites – to spoof websites. By embedding other ads or websites in these frames, fraudsters can make it look like ads are being displayed on legitimate websites when in fact they are being placed on low-quality websites (illegal streaming sites, adult websites, etc.).
  3. Custom browsers are used so that bots deployed by fraudsters can visit any website on the internet, including those that are not reachable via commercial browsing. These bots will then replicate the URL of these websites, making it seem like users are visiting the legitimate sites.

Although there are various types of domain spoofing, most of them are quite easy to spot. Oftentimes, domain spoofing is visible to anyone upon closer examination. For example, users are able to spot a spoofed website through its URL, which often contains an extra or mismatched character compared with the original website’s URL.
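The "extra or mismatched character" check described above can be automated on the buy side. The following is an added example, not code from the article: it compares domains seen in delivery reports against an advertiser's list of trusted publisher domains, and every domain name, the digit-folding table and the distance threshold are assumptions chosen for illustration.

```python
# Added example: flag reported domains that imitate a trusted publisher domain.
# All domains below are constructed placeholders.

# Digits commonly swapped in for letters in lookalike names (assumed, not exhaustive).
DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_domain(observed, trusted, max_distance=1):
    """Return (verdict, matched_trusted_domain_or_None)."""
    domain = observed.strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    folded = domain.translate(DIGIT_FOLD)
    for candidate in sorted(trusted):
        if (folded == candidate.translate(DIGIT_FOLD)
                or edit_distance(domain, candidate) <= max_distance):
            return ("lookalike", candidate)
    return ("unknown", None)

TRUSTED = {"dailynews.example", "shop.example"}

if __name__ == "__main__":
    # Constructed sample of domains taken from a delivery report.
    for seen in ["dailynews.example", "dai1ynews.example",
                 "dailynewss.example", "weather.example"]:
        print(seen, classify_domain(seen, TRUSTED))
```

A "lookalike" verdict is a prompt for review rather than proof of fraud, since two unrelated legitimate domains can differ by one character.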

However, there are times when spoofing is more complex and requires a third party to help root it out. With proper analytics tools in place, advertisers can check if their traffic is coming from legitimate websites or spoofed domains. For advertisers and publishers in particular, if your ads are placed on lower-value sites (pornography, illegal streaming websites, etc.) even though you’ve paid for them to appear on a high-value site (news channels, online shopping sites), you’re also a victim of domain spoofing.

Nonetheless, the domain misrepresentation mishap highlights the huge transparency gap in the world of programmatic ad-buying. With global ad spend surpassing its growth rate in 2021 and reaching a whopping $710 billion, experts predict that the total cost of ad fraud will increase to US$87 billion in 2022. Advertisers and publishers need to start paying closer attention to where their ads are being placed or they risk losing their ad spend.

Fraudsters are only going to grow in sophistication. Without proper tools in place, advertisers will be stuck in the same cycle of falling prey to fraudsters. Bodies like the IAB Tech Lab provide the technical specifications for how to implement a clean supply chain, with initiatives like ads.txt, sellers.json and the SupplyChain object. It is imperative that publishers and advertisers leverage these tools today, as they help mitigate fraud by making it harder for bad actors. Engaging with third-party vendors who automate fraud detection and incorporating these supply chain safeguards into their decision making will give them the insights they need to spot whether they are victims of domain spoofing.
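To make the ads.txt safeguard concrete, here is an added example (not code from the article or from the IAB Tech Lab) of the check a buyer performs: parse the ads.txt file published by the domain a bid claims to represent, then confirm that the selling ad system and seller account ID are listed there. The file contents, domains and account IDs are constructed, and fetching the file over HTTPS is left out so the example runs offline.

```python
# Added example: verify that a seller is authorized in a publisher's ads.txt.
# All domains and account IDs are constructed placeholders.
from typing import List, NamedTuple

class AdsTxtRecord(NamedTuple):
    ad_system: str     # domain of the exchange/SSP selling the inventory
    seller_id: str     # publisher's account ID inside that ad system
    relationship: str  # "DIRECT" or "RESELLER"

# Constructed file, as it might be served from https://news.example/ads.txt
SAMPLE_ADS_TXT = """\
# ads.txt for news.example
exchange-a.example, 12345, DIRECT, abc123   # publisher's own account
Exchange-B.example, pub-778, reseller
contact=adops@news.example
this line is malformed
"""

def parse_ads_txt(text: str) -> List[AdsTxtRecord]:
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or "=" in fields[0]:
            continue                              # blank, variable or malformed line
        relationship = fields[2].split(";", 1)[0].strip().upper()
        if relationship in ("DIRECT", "RESELLER"):
            # Ad system domains compare case-insensitively; account IDs exactly.
            records.append(AdsTxtRecord(fields[0].lower(), fields[1], relationship))
    return records

def check_offer(records: List[AdsTxtRecord], ad_system: str, seller_id: str) -> str:
    """Return the declared relationship, or 'UNAUTHORIZED' if the pair is not listed."""
    for rec in records:
        if rec.ad_system == ad_system.strip().lower() and rec.seller_id == seller_id:
            return rec.relationship
    return "UNAUTHORIZED"

if __name__ == "__main__":
    listed = parse_ads_txt(SAMPLE_ADS_TXT)
    # Constructed bids that all claim to sell inventory on news.example.
    for system, account in [("exchange-a.example", "12345"),
                            ("exchange-b.example", "pub-778"),
                            ("exchange-a.example", "99999")]:
        print(system, account, check_offer(listed, system, account))
```

An "UNAUTHORIZED" result means the publisher has not declared that seller, which is the signal that the claimed domain may be spoofed or misrepresented.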

Another important point of consideration is that spoofing isn’t just limited to domains. The app-ads.txt protocol was originally built to combat rising fraud in the mobile ecosystem and has since been adopted to also combat fraud in the exponentially growing connected TV (CTV) space. Fraudsters are constantly on the lookout for new platforms they can target and are constantly evolving their techniques and targets. When considering your exposure to domain spoofing, it is important to also consider these new threats.

Fraud is constantly evolving. While fraud schemes have become more complex and more frequent with each passing year, legacy fraud tactics are still a go-to for fraudsters. The only change is that fraudsters are now becoming more creative in finding ways to circumvent fraud mitigation strategies. Businesses will need to keep pace and evolve as the business landscape does, and be mindful to mitigate all types of risks – even the more traditional ones.