IAS Issues Threat Alert Regarding the Latest Digital Ad Fraud Scheme

The industry’s key weapon against ad fraud has been compromised, allowing fraudsters to pilfer media spend. Ads.txt files were launched three years ago by the IAB Tech Lab to help the ad industry combat ad fraud, but they have instead become a conduit for it.

Ads.txt is an initiative to improve transparency in programmatic advertising. The IAB introduced the tool so that publishers and distributors can list all companies that are authorized to sell ads. It also shows when an advertiser buys ads directly from the publisher or from authorized ad tech vendors, and it highlights sites that do not use an ads.txt file.

In reality, however, since the ads.txt tool launched, fraudsters have exploited the fact that buyers do not check the lists, using bots that generate fake browser data and create fabricated URLs in order to steal advertisers’ media spend. 404bot is the perfect example of this type of fraud.

This botnet relies on a practice called domain spoofing, in which the fraudster impersonates the publisher’s webpage. However, the 404bot holds no inventory. Domain spoofing allows nonexistent URLs to be slipped into approved domain lists. To avoid detection, each fake URL is a combination of two existing URLs.

Once the spoofed domains are receiving ad calls, the challenge is to get an audience to ‘watch’ the video ads. For this, 404bot takes advantage of the Bunitu Trojan. The Trojan infects internet users with malware that allows fraudsters to connect to their devices. Once connected, the fraudster can use the infected ID to generate ad calls that appear to come from legitimate sources. The whole process of buying ads, from the seller to the inventory, appears legitimate, while in reality there is nothing behind it.

Integral Ad Science (IAS) has uncovered the bot scheme, which has affected many high and low publishers that have one thing in common: large ads.txt lists. The scheme has stolen at least US$15 million of advertisers’ money, a number that continues to grow.

The fraud scheme is similar to 3ve and Hyphbot. The main signature of the 404bot is extensive domain spoofing, in which the URL is fabricated at the browser level, meaning that the data from the browsers is fake. 404bot has been building its network gradually over the years, ensuring that it is not easily detectable to the human eye.

Botnet’s Origin:

The IAS Threat Lab first spotted a rise in domain spoofing activity in 2018. Evgeny Shmelkov, head of the IAS Threat Lab, said,

“We detect bots and protect our customers from their effects every day. The 404bot has been active since 2018 and its unchecked growth now warrants industry action.”

In September 2018, the botnet’s activity increased and remained high until the start of November 2018, when it abruptly dropped. Around the same time, another botnet, 3ve, was taken down by cybersecurity and ad verification firm White Ops. IAS assumed both events were related, but the timing of the 3ve takedown didn’t match the drop in activity of the botnet it was monitoring. After 5 months of low activity, 404bot traffic increased again in mid-April 2019 and then dropped in September 2019.

In its white paper, IAS explains,

“We can only hypothesise the true reason for this subsequent drop in activity of the botnet, but based on previous observation, we know that 404bot activity could spike again at any time.”

Conservative estimates suggest that 404bot’s activity between April 2019 and September 2019 affected over 600 million ads. It has affected over 1.5 billion video ads across the U.K., the U.S.A., Canada, and Australia. Assuming video ads are priced in single-digit dollars, an average individual fraudster makes at least $15 million a year.

Drawbacks of Ads.txt Files

The 404bot capitalizes on unaudited ads.txt files and their vulnerabilities. Meanwhile, ads.txt files continue to grow longer and become an easier place for fraudsters to hide: the longer the ads.txt list, the harder it is to audit for unauthorized sellers. According to IAS, the only link between all publishers that were impersonated by the bot was that they all had long lists of ad tech vendors in their ads.txt files. Evgeny Shmelkov said,

“This discovery left us wondering if publishers were not properly vetting resellers, or if they were simply using Ads.txt on their websites as a formality. The former, if true, defeats the core purpose of Ads.txt’s existence.” 

“We are learning from this bot that it is crucial to continuously audit and update Ads.txt files.”

The IAS Threat Lab detects bots regularly and, to avoid unnecessary panic, refrains from divulging details of every discovery. However, because 404bot shows no sign of shutting down, IAS is sharing details to help other players in the ad-tech ecosystem clean up the inventory. IAS is working closely with publishers and the IAB Tech Lab to improve the ads.txt model and limit frauds like 404bot.
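The kind of ads.txt audit discussed above can be sketched in a few lines of Python. This is an added example, not code from IAS or the IAB: it parses a constructed ads.txt file, flags duplicate and malformed entries and an oversized reseller list, and performs the buyer-side check of whether a seller account is actually listed. The sample domains, account IDs and the `max_resellers` threshold are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample ads.txt for a hypothetical publisher (not real data).
SAMPLE_ADS_TXT = """\
# ads.txt for example-publisher.test
exchange-a.test, pub-1001, DIRECT, abc123
exchange-b.test, 2002, RESELLER
exchange-b.test, 2002, RESELLER   # duplicate entry
Exchange-C.test, 3003, reseller, def456
exchange-d.test, 4004, PARTNER
exchange-e.test 5005 DIRECT
contact=adops@example-publisher.test
"""

def parse_ads_txt(text):
    """Return (records, malformed); a record is (ad_system, account, relationship)."""
    records, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            # variable lines (contact=, subdomain=) are not seller records
            if "=" not in line:
                malformed.append((lineno, raw.strip()))
            continue
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            malformed.append((lineno, raw.strip()))
            continue
        records.append((fields[0].lower(), fields[1], relationship))
    return records, malformed

def audit(text, max_resellers=1):  # max_resellers: hypothetical policy threshold
    records, malformed = parse_ads_txt(text)
    counts = Counter(records)
    resellers = sorted(r for r in counts if r[2] == "RESELLER")
    return {
        "entries": len(counts),
        "duplicates": sorted(r for r, n in counts.items() if n > 1),
        "malformed": malformed,
        "resellers": resellers,
        "too_many_resellers": len(resellers) > max_resellers,
    }

def is_authorized(text, ad_system, seller_id):
    """Buyer-side check: is this seller account listed by the publisher?"""
    records, _ = parse_ads_txt(text)
    return any(d == ad_system.lower() and a == seller_id for d, a, _ in records)
```

A listing check like `is_authorized` only helps when the list itself has been vetted, which is why the audit output surfaces the reseller entries for manual review.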

Meanwhile, Dan Larden, managing partner of product and partnerships at programmatic agency Infectious Media, said that companies buying and selling media aren’t set up properly to audit any trade. He further added,

“Programmatic advertisers need to be pushing ad tech vendors for more log-level data so that they can see where the wastage is on the media that’s being bought.”

Author Profile

About Neha Mehta

Neha started her journey as a financial professional but soon realized her passion for writing and is now living her dreams as a content writer. Her goal is to enlighten the audience on various topics through her writing and in-depth research. She is geeky and friendly. When not busy writing, she is spending time with her little one or travelling.
