Domain Spoofing

By Madeleine Bullett

Definition & Explanation

Domain spoofing is a form of ad fraud in which the domain reported in a bid request is falsified, so that low-value or fraudulent inventory appears to be coming from a premium publisher. A buyer believes they are bidding on an impression from a well-known news site or a major brand’s property. The ad runs somewhere else, or on nothing at all, and the gap between the premium price paid and the worthless inventory delivered goes to the fraudster.

The mechanism sits inside the auction itself. In an OpenRTB request, a site or app object identifies where the impression will appear, including the domain, and DSPs price their bids largely on that identity. Spoofing substitutes a high-value domain into that field. Because the buy side trusts the declared domain, it bids at premium rates for inventory worth a fraction of the price.

It is typically carried out in one of a few ways:

  • URL substitution: the real, low-value domain is swapped for a premium one at bid time, usually by a compromised or complicit exchange, network, or reseller in the path.
  • Counterfeit sites: bots load ads on skeleton pages built to impersonate a real publisher, so the inventory carries the premium domain’s name from end to end. This was the core of the Methbot and 3ve operations.
  • Cross-domain embedding: a real premium page is loaded in a hidden frame on a low-quality site, so the ad call inherits the premium domain even though no human ever sees the page.

Why It Matters

The sharpest cost is that advertisers pay premium prices for inventory they can never actually reach, and the spend converts directly into fraud with no audience and no recourse. Worse, the campaign reports back as if nothing is wrong. Impressions register, and in many schemes so do clicks, so the fraud passes through standard reporting without tripping an obvious alarm.

It also corrupts the data buyers use to optimize. When spend flows to a counterfeit version of a premium site, every performance figure attributed to that domain is meaningless, and the buyer keeps funding the placement because the numbers look fine. Optimization toward fraudulent inventory is a real and recurring failure mode.

The spoofed publisher absorbs the third hit. A legitimate site sees its name attached to inventory it never sold, watches its effective CPMs erode as counterfeit supply floods the market under its brand, and has its reputation tied to environments it does not control.

The scale of the problem is well documented through its landmark cases. Methbot, uncovered in 2016, generated an estimated $3 million to $5 million a day by impersonating more than 6,000 premium domains and running bots that watched roughly 300 million video ads daily (4). Its successor, 3ve, infected about 1.7 million computers, counterfeited around 10,000 domains, and produced more than 3 billion fraudulent bid requests a day at its peak before a coordinated FBI and industry takedown in 2018 (3). The DOJ indictment tied to the two schemes alleged losses exceeding $35 million (4). The Financial Times offered a cleaner illustration of how invisible spoofing is to the spoofed party: when it audited its own footprint in 2017, it found its domain being sold across 10 display exchanges and 15 video exchanges, despite the fact that the FT did not sell video programmatically at all (5).

Domain Spoofing Across the Ecosystem

The industry response has been a layered set of IAB Tech Lab standards, each closing a different gap in the supply chain.

ads.txt, introduced in 2017, lets publishers publicly list the sellers authorized to sell their inventory. A buyer can reject a bid claiming to carry a publisher’s inventory if the named seller does not appear in that publisher’s ads.txt file. IAB Tech Lab built the standard specifically to reduce misrepresentation, the technical term for domain spoofing. app-ads.txt extended the same approach to mobile apps and connected TV in 2019 (1).

sellers.json, finalized in April 2019, is the mirror image. Published by exchanges and SSPs, it declares every seller and reseller a platform represents and the IDs that identify them, so a buyer can confirm that the entity named in a bid request is a known and disclosed seller (2).

The OpenRTB SupplyChain Object, passed as schain in the bid request, records every node an impression travelled through before reaching the auction. It lets a buyer verify the full path rather than only the final seller.

Used together, these standards let a DSP confirm that the seller in a bid request is authorized by the publisher, is a disclosed entity, and sits inside a complete, declared chain. When all three align, a spoofed domain has far fewer places to hide. Adoption is now near-universal among premium publishers and uneven across the long tail, which is where most spoofing risk concentrates.
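The three checks described above, combined into one buy-side verification pass. This is an added example, not DeepSee.io or IAB Tech Lab code; it assumes the schain sits at source.ext.schain (its OpenRTB 2.5 location), that the ads.txt and sellers.json files have already been fetched, and every domain and ID in the sample data is constructed.

```python
def parse_ads_txt(text):
    """Return {(ad_system_domain, account_id): relationship} from ads.txt text."""
    entries = {}
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(",")]
        if len(fields) < 3 or "=" in fields[0]:  # blank, comment or variable line
            continue
        entries[(fields[0].lower(), fields[1])] = fields[2].upper()
    return entries

def check_bid(bid, ads_txt_by_domain, sellers_by_asi):
    """Return reasons to distrust the declared domain; an empty list passes."""
    domain = bid["site"]["domain"].lower()
    authorized = parse_ads_txt(ads_txt_by_domain.get(domain, ""))
    schain = bid.get("source", {}).get("ext", {}).get("schain") or {}
    if not schain.get("nodes"):
        return ["no schain nodes: supply path cannot be verified"]
    problems = []
    if schain.get("complete") != 1:
        problems.append("schain is not declared complete")
    for node in schain["nodes"]:
        asi, sid = node["asi"].lower(), str(node["sid"])
        if (asi, sid) not in authorized:       # ads.txt: publisher authorization
            problems.append(f"{asi}/{sid} not authorized in {domain} ads.txt")
        disclosed = {str(s["seller_id"]) for s in sellers_by_asi.get(asi, {}).get("sellers", [])}
        if sid not in disclosed:               # sellers.json: platform disclosure
            problems.append(f"{asi}/{sid} not disclosed in {asi} sellers.json")
    return problems

# Constructed sample data (all domains and IDs are made up for illustration).
ADS_TXT = {"premium-news.example": """\
# ads.txt for premium-news.example
exchange-a.example, pub-1001, DIRECT, abc123
contact=adops@premium-news.example
"""}
SELLERS = {"exchange-a.example": {"sellers": [
    {"seller_id": "pub-1001", "domain": "premium-news.example", "seller_type": "PUBLISHER"}]}}

def bid(asi, sid, complete=1):
    """Build a minimal bid request that declares premium-news.example."""
    return {"site": {"domain": "premium-news.example"},
            "source": {"ext": {"schain": {"ver": "1.0", "complete": complete,
                                          "nodes": [{"asi": asi, "sid": sid, "hp": 1}]}}}}

HONEST = bid("exchange-a.example", "pub-1001")
SPOOFED = bid("cheap-exchange.example", "9")   # premium domain, undeclared seller

if __name__ == "__main__":
    for name, b in (("honest", HONEST), ("spoofed", SPOOFED)):
        print(name, check_bid(b, ADS_TXT, SELLERS) or "passes")
```

A pass here means only that the declared identities line up across the three files; it does not show what the inventory actually does once the ad is served.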

Domain Spoofing in DeepSee.io Metrics

We surface domain spoofing as two flags on every domain we evaluate: spoofer and spoofed. The spoofer flag marks a domain acting as the perpetrator, claiming inventory or identity that belongs to another publisher. The spoofed flag marks the victim, a domain whose identity or inventory is being impersonated by other sites. A domain can carry both when it sits on each side of different spoofing relationships.

We set these flags by comparing a site’s declared ads.txt and sellers.json authorization against what we observe its inventory actually doing, so a buyer can see at a glance whether a domain is impersonating others, being impersonated, or both before committing spend. The structural ads.txt and sellers.json checks behind them are covered in our ads.txt methodology.

Spoofing is rare. Only a small fraction of the domains we track trip either flag, which makes them a high-signal indicator when they do appear.

Sources

  1. IAB Tech Lab, About ads.txt and app-ads.txt
  2. IAB Tech Lab, sellers.json and OpenRTB SupplyChain Object specifications
  3. Google and White Ops (HUMAN Security), The Hunt for 3ve, 2018
  4. U.S. Department of Justice, indictment in the 3ve and Methbot ad fraud schemes, 2018
  5. Financial Times domain spoofing audit, WSJ, 2017