Domain ( or URL) spoofing has been a thorn in the side of the programmatic advertising industry for years now and the common narrative usually describes it as fraudsters trying to capitalize on the domains of big-name premium publishers. However, it should be noted that domain masking reaches beyond the top echelon of high-traffic sites and the damage it causes doesn’t stop at a few lost impressions.
In the context presented here, domain spoofing is when a publisher declares in the real-time bidding (RTB) ad request that an ad will run on a specific domain, but the ad actually appears on a different, less-desirable one. It’s a separate issue from typical ad fraud, which deals with fake traffic, because the end user that sees the ad may be real, but he or she is seeing the ad on a different site than the one the advertiser intended.
Often, domain spoofing is used by sites that have been, or would quickly be, blacklisted by buyers because of their content (e.g., sites with malware, spyware, viruses, phishing schemes and pirated materials). So the creators of offending websites try to capitalize on the integrity of reputable domains by forging their name in the RTB bid.
At Fraudlogix we routinely see sites that rotate through domain names trying to monetize. One site, which specialized in pirated cartoons, used 38 different domain names in RTB auctions over a period of a few days, including “accuweather.com” and the domain of a small local newspaper from Central Pennsylvania. Another site hawking pirated movies used more than 80 different domain names in a few days. From “allmovies.com” to “zillow.com”, they targeted an entire spectrum of publishers. No legitimate publisher is safe from domain masking. This type of fraud affects everyone in the digital ad tech chain. The most obvious - and often talked about - is the advertisers, who are wasting ad spend on less desirable sites as well as the brand safety issues involved - they could be unintentionally funding websites with illegal and unscrupulous content.
But the publishers whose domain names are being used are also losing out here. Not just from the revenue lost from impressions going to another publisher, but their reputations may be damaged moving forward. Think of it like identity fraud - the publisher whose domain name is being spoofed is essentially taking the rap for the brand safety issues and abysmal conversion rates of the fraudulent sites using its name. Buyers not diving deep enough into RTB data may inadvertently block high-quality publishers because their domains have been flagged for brand safety or illegal content. The publisher’s reputation, or “credit-score” has now been damaged because of domain masking and its revenue will also suffer. As buyers ramp up brand safety monitoring, especially in the wake of the Google/YouTube controversy, they should keep domain masking in mind. Monitoring the two simultaneously will guard against blocking the wrong sources of sketchy ad placements.
Here are three low-tech ways to spot domain spoofing:
- Domain traffic quality across sellers doesn’t measure up. If a domain’s traffic bought through one exchange is consistently flagged for quality issues (e.g., low viewability, brand safety, etc.) while the traffic for the same domain bought through a different exchange doesn't get flagged, there’s a chance domain spoofing is occurring.
- The CPM is too good to be true. If the going rate for a site is normally $5 CPM but suddenly impressions are available for $1 CPM, be very wary.
- Domains with no ads or whose publishers don’t sell ad space in RTB auctions. Look at who the publisher is. Fraudsters aren’t always so sophisticated, and will try to spoof any domain, especially well-known ones, regardless of that publisher’s advertising strategies (of lack thereof).
Domain spoofing harms the programmatic ecosystem in lost revenue and damaged reputations as legitimate domains, large and small are being used to front the sale of ads to fund illicit websites. The industry should take a closer look at their analytics and be sure they’re blacklisting the correct sources of low-quality placements and poorly performing traffic.