Security Researchers Find New Loophole in IAB’s Ad Fraud Prevention Framework

The new technique takes advantage of in-app advertising systems.


Thousands of apps are masquerading as premium publishers in order to bypass new industry-wide protections against ad fraud, according to new data.

Researchers at fraud detection firm Forensiq recently uncovered a scam in which apps sell ad inventory under the guise of major media websites in a bid to fool the Interactive Advertising Bureau’s (IAB’s) Ads.txt authorization system, an anti-fraud measure designed to prevent this type of deception. Bad actors then take advantage of the higher prices these outlets command by loading rapid-fire ads and faking impressions.

First introduced last summer, Ads.txt is a standardized text file that publishers and programmatic platforms use to verify which companies are authorized to sell which publishers’ inventory. The increased transparency is supposed to reduce the scourge of domain spoofing—the passing off of fake or low-quality impressions as those of a pricier established brand—which is estimated to cost top publishers $1.3 billion per year.

The IAB has long known that Ads.txt has a blind spot when it comes to in-app advertising, and the trade group recently offered a few possible proposals to expand the system to the app world. But the solutions focus on preventing apps from spoofing so-called bundle IDs—the app equivalent of a domain name—rather than apps impersonating websites, according to Forensiq. The latter should ostensibly be preventable under the current Ads.txt framework.
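To make the gap concrete, here is an added example (not code from the article, Forensiq or the IAB) of a minimal Ads.txt check in the spec's record format, extended with the one extra rule an in-app verifier would need: flagging a request that carries an app bundle ID while being presented as web inventory. The publisher domain, seller names, account IDs and bundle name are constructed sample values.

```python
# Added example, not code from the article, Forensiq or the IAB. Domains, account
# IDs and bundle names below are constructed sample values.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed ads.txt in the spec's record format:
#   <ad system domain>, <publisher account ID>, <DIRECT|RESELLER>[, <cert authority ID>]
ADS_TXT = """\
# premium-publisher.example (constructed sample file)
exchange-a.example, pub-1001, DIRECT, f08c47fec0942fa0
reseller-b.example, 55512, RESELLER
contact=adops@premium-publisher.example
"""

def parse_ads_txt(text: str) -> set[tuple[str, str]]:
    """Return the (ad system domain, account ID) pairs the file authorizes to sell."""
    authorized = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line or "=" in line.split(",", 1)[0]:   # skip variables such as contact=
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            continue                                   # malformed record: ignore it
        authorized.add((fields[0].lower(), fields[1]))
    return authorized

@dataclass
class BidRequest:
    seller_domain: str                 # exchange/SSP offering the impression
    seller_account: str                # publisher account ID the seller declares
    site_domain: Optional[str] = None  # claimed web domain (OpenRTB site.domain)
    app_bundle: Optional[str] = None   # claimed app bundle ID (OpenRTB app.bundle)

def check_request(req: BidRequest, ads_txt_files: dict[str, str]) -> str:
    """Classify one request: authorized, unauthorized, mismatch or uncovered.

    The bare Ads.txt test only asks whether the declared seller is listed in the
    claimed domain's file, so an app claiming a premium domain and selling through
    a listed seller passes it. 'mismatch' marks in-app traffic presented as web.
    """
    if req.site_domain and req.app_bundle:
        return "mismatch"            # app bundle present but sold as mobile web
    if not req.site_domain:
        return "uncovered"           # bundle-only traffic: Ads.txt says nothing about it
    authorized = parse_ads_txt(ads_txt_files.get(req.site_domain.lower(), ""))
    seller = (req.seller_domain.lower(), req.seller_account)
    return "authorized" if seller in authorized else "unauthorized"
```

A request that spoofs the premium domain through a listed seller is still reported as authorized by the plain check; only the bundle/domain inconsistency (or a separate in-app verification signal) distinguishes it from genuine web traffic.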

Amit Joshi, Forensiq’s director of product and data science, said fraudsters in the app world are able to circumvent the system by picking their targets from among the publishers whose Ads.txt files list the seller they are already trading through as authorized. The in-app space is much less widely understood by marketers and more opaque by nature.

“The smart thing about this is that there’s a lot less verification in the in-app space because it’s fairly new,” Joshi said. “There’s a lot less transparency. For somebody to detect that this is happening, it’s harder because it’s in-app traffic so you have to use in-app detection versus on a website where verification and domain spoofing protection is fairly mature.”

In one instance, more than 1,400 apps were found to have loaded ads under TV Guide’s domain name, according to data from Forensiq. Most were gaming or utility apps, but the list also included brand-jeopardizing placements around pirated media and adult content, the company said.

A TV Guide spokesperson declined to comment. Forensiq could not provide the names of any other publishers targeted, but domain spoofers generally tend to prey on big-name news organizations that charge higher ad prices, like The New York Times or The Washington Post, both of which use Ads.txt.


“It’s really premium publishers as a group that are more vulnerable to this because the fraudsters typically are just following the money,” Joshi said. “We’ve seen a lot of major broadcasting sites, for example, a lot of news sites.”

These fraudulent transactions not only cost advertisers, which foot the bill for fake impressions in undesirable environments, but also publishers, which lose out on impressions and see ad prices drop due to the artificial inflation in supply.

While this particular form of fraud has gone more or less undocumented until now, it’s only a slight iteration on much more widespread and preventable counterfeit scams, Joshi said. The technique is a combination of classic domain spoofing and its in-app equivalent, bundle ID spoofing. In this case, however, apps mask their identifiers behind a mobile website instead of another app. Joshi said he’d long believed this fraud was happening but didn’t have any hard evidence until this month.

“It’s an evolution of fraud, a way to generate activity on an app, and then monetize it as mobile web, while fooling the industry Ads.txt standards,” Joshi said.

Of the 3.1 billion impressions Forensiq measured, roughly a third were misreported or spoofed, and about 36 percent of those—or 360 million—made use of the bypassing technique.

Dennis Buchheim, general manager and senior vice president of the IAB’s tech lab, said he’d never heard of this particular type of fraud, but acknowledged that the framework still has holes in its protections.

“I’m certainly not surprised,” Buchheim said. “We’re in this interim stage now where people are trying to throw together whatever solution they can for now. That’s sort of a tough spot to be on. We’ve certainly been aware of it, and it’s a gap we’d like to close pretty quickly.”

Despite loopholes like these, Joshi said Ads.txt is a step in the right direction overall in the battle against ad fraud, and it has significantly reduced rates of domain spoofing on the web. But it’s also made less powerful by a lack of universal adoption among publishers and ad tech players, he said. If implemented correctly across all players in the ad tech supply chain, it would help reduce this new form of spoofing.

In-app fraud in general remains a big problem in the space, with nearly a quarter of all pre-bid app traffic estimated to be fraudulent, according to Forensiq’s most recent measurements. Joshi said the rate, gauged over a two-week period in April, is on the conservative side, and may be much higher in reality.

@patrickkulp Patrick Kulp is an emerging tech reporter at Adweek.