Anti-fraud tool Ads.txt looks vulnerable in botnet scam revelation
DoubleVerify identified an Ads.txt exploit that could have cost advertisers millions.
Third-party measurement and authentication company DoubleVerify announced Thursday that it identified an exploit in Ads.txt, giving way to concern over the effectiveness of the industry-accepted fraud-fighting tool for programmatic ad buying and selling.
DoubleVerify estimated that had the exploit not been detected, the scammers could have diverted between $70 million and $80 million of advertisers’ spending a year.
Ads.txt, which stands for Authorized Digital Sellers, is a text file that publishers place in their site code, identifying authorized ad sellers to ad buyers. The protocol was introduced by the Interactive Advertising Bureau (IAB) Tech Lab in 2017.
DoubleVerify said that spammers spoofed legitimate sites and created a bot network to artificially pump up page views. They then got around Ads.txt’s verification process by opening accounts with publishers’ approved resellers, which don’t have direct relationships with publishers.
“While Ads.txt is a significant step toward resolving unauthorized reselling and associated fraud, it’s not a complete failsafe,” said Roy Rosenfeld, head of DoubleVerify’s Fraud Lab. “This scheme was specifically designed to take advantage of the industry-wide Ads.txt initiative and commit fraud that would not trigger Ads.txt violations with programmatic buyers.”
Publishers: be vigilant
Though DoubleVerify first identified the scam in late 2018, the news on Thursday rang a warning bell for publishers to be more vigilant in who they partner with, and who they approve to sell ads on their site.
Chris Hallenbeck, director of marketplace quality for ad exchange OpenX, says that the news is “an important reminder that we all — publishers, buyers and technology companies — have a shared responsibility to stomp this bad acting out.”
“Key to mitigating the effects of any new type of fraud, including this one, is cleaning up the industry at large and pushing out companies who refuse to make the requisite investments in quality measures,” Hallenbeck said.
So what can buyers and publishers do? Hallenbeck says that brands and publishers should only partner with companies that have a proven commitment to industry standards.
“To start, buyers should require, through contractual agreements, that exchanges only sell inventory from either a direct relationship with the publisher or through a maximum ‘one-hop’ relationship where any network or reseller inventory sold in the exchange must have a direct relationship with the publisher,” Hallenbeck said.
“On the other side, publishers should only add trusted partners to their Ads.txt file and ensure resellers, or ad networks, that they do allow to sell their inventory only offer it through that direct relationship. This is a tactical but important item. It means that publishers must require – by contract – that any network that sells their inventory only sell it via their direct relationship.”
Chris Olson, CEO of The Media Trust, agrees.
“It is absolutely crucial for all players along the ad supply chain to know who they’re doing business with, and only do business with players they trust,” Olson said. “For publishers, that means closely and continuously monitoring all the domains and code executing in their digital environment.”
Olson said that publishers can then limit the domains and code to those they have authorized, and block those they haven’t.
“These measures will not only prevent ad fraud, but also shield their digital assets and their users from cyber crooks who commit identity and financial theft, as well as legitimate players who gather consumer data without authorization,” Olson said.
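The publisher-side advice above, listing only trusted partners in Ads.txt, can be checked mechanically. The following is an added example, not code from the article or from any company quoted in it; the domains, account IDs and the `CONTRACTED` allowlist are constructed, and the record layout assumed is the comma-separated `domain, account ID, DIRECT|RESELLER[, certification authority ID]` form of the IAB ads.txt specification.

```python
# Added example: audit an ads.txt body against the seller accounts a publisher
# actually holds contracts for. All domains and account IDs are constructed.
from typing import NamedTuple

class Seller(NamedTuple):
    line_no: int
    domain: str        # ad system domain (exchange, SSP or network)
    account_id: str    # seller account ID inside that ad system
    relationship: str  # DIRECT or RESELLER

def parse_ads_txt(text):
    """Return (records, malformed line numbers) for an ads.txt body."""
    records, malformed = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 1 and "=" in line:       # variable record, e.g. contact=
            continue
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            malformed.append(n)
            continue
        records.append(Seller(n, fields[0].lower(), fields[1], fields[2].upper()))
    return records, malformed

def audit(text, contracted):
    """Flag entries the publisher cannot tie to a contract it holds."""
    records, malformed = parse_ads_txt(text)
    findings = [(n, "malformed record") for n in malformed]
    for r in records:
        if (r.domain, r.account_id) not in contracted:
            findings.append(
                (r.line_no, f"{r.relationship} entry without a known contract: {r.domain}"))
    return sorted(findings)

SAMPLE = """\
# constructed ads.txt for publisher.example
exchange-a.example, 1001, DIRECT, abc123
network-b.example, 77-22, RESELLER
network-c.example, 9090, reseller   # added by a former partner
contact=adops@publisher.example
network-d.example, 5555
"""
CONTRACTED = {("exchange-a.example", "1001"), ("network-b.example", "77-22")}

if __name__ == "__main__":
    for line_no, problem in audit(SAMPLE, CONTRACTED):
        print(f"line {line_no}: {problem}")
```

Every RESELLER line that survives the audit is still an account opened with a third party, so the allowlist is only as good as the contract review behind it.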
Why you should care
Fraud is an ongoing problem for programmatic advertisers, costing millions of wasted dollars. Though the data varies depending on the source, all estimates show that Ads.txt has been widely adopted by the industry, with nearly all U.S. publishers, according to AdForm, and nearly three-quarters of publishers globally, according to Pixalate, having implemented the file.
Despite issues of brand safety, problems with verification and unreliable viewability metrics, programmatic advertising continues to grow in usage. Though this is the first revelation of an Ads.txt exploit, sophisticated bad actors are always looking for a new angle. In November, a federal court indicted eight individuals for their roles in widespread ad fraud as part of a multi-year investigation of botnets that cost advertisers millions.
The industry continues to offer solutions for authentication and verification. The IAB Tech Lab’s digital signature Ads.cert is meant to work with Ads.txt to close the verification loop by giving buyers a way to ensure the authenticity of a specific site’s inventory, not just the seller. Industry groups such as the Trustworthy Accountability Group (TAG) provide third-party certification, and more secure options for programmatic direct buying continue to grow at a faster rate than buying on open exchanges.
“Industry standards like Ads.txt are a critical component for reducing fraud,” says OpenX’s Hallenbeck. “But they need to be adopted widely, used correctly, and supplemented with other best practices to safeguard quality.”