Ads.txt files were supposed to help the ad industry stamp out fraud but instead, they’re increasingly a conduit for it.
The tool was launched three years ago by the IAB’s Tech Lab as a way for publishers to list all of the companies that are authorized to sell their ads. Essentially, the text file shows when an advertiser buys ads either directly from a publisher or an approved ad tech vendor as well as highlight those sites that do not use an ads.txt file or if inventory is being sold without a publisher’s approval.
In theory, ads.txt files help advertisers avoid illegitimate sellers who arbitrage inventory and spoof domains. The reality, however, is the files are also fertile ground for fraudsters. Since the ads.txt tool launched, fraudsters have exploited the fact that buyers don’t always check the lists with bots that generate fake browser data and create fabricated URLs in order to pilfer media spend. The latest example of this type of fraud is called the 404bot.
The 404bot is essentially domain spoofing, which is when fraudsters impersonate a publisher’s webpage. But with the 404bot, there is no inventory. Instead, there’s a 404 error page in place of the webpage spoofed. The inventory appears like a legitimate buy from an authorized seller when in fact there’s nothing.
Since the 404bot was first noticed by Integral Ad Science in 2018, it has pilfered more than $15 million in ad spend from 1.5 billion video ads sold by large and small publishers across the U.K., the U..S, Canada and Australia. It may not sound like much given the average individual fraudster makes between $5 million and $20 million dollars a year, but the implications of the 404bot go beyond headline figures.
The existence of the 404bot is symptomatic of how ads.txt lists are being used as a plaster to ward off the symptoms of fraud rather than to help heal the cause of it.
Publishers list ad tech vendors in their ads.txt files even when they no longer work with them because they want to avoid showing ad buyers that they rely on unauthorized resellers to drive demand for their inventory. Plus, the more authorized sellers a publisher has, the more money they can potentially generate. Advertisers, on the other hand, either don’t have the internal expertise to push publishers to audit their ads.txt lists or won’t because doing so could theoretically reduce the scale of buys they could make.
Meanwhile, ads.txt files continue to get longer and subsequently become easier places for fraudsters to hide. The longer the ads.txt list, the harder it is to audit for unauthorized sellers.
“I’ve seen ads.txt lists that have more than a thousand ad tech vendors on them,” said one media executive.
Indeed, the only link between all publishers that were impersonated by the bot was that they all had long lists of ad tech vendors in their ad.txts files, according to IAS. In fact, when the ad verification firm worked with publishers to vet the exchanges selling their impressions, instances of the 404bot “weren’t as rife,” said Victoria Chappell, vp of marketing for IAS across EMEA and APAC.
“We cannot provide a specific number to define a large number of resellers, but this discovery brings the question, are publishers vetting their resellers? If they are not, it will defeat the core purpose of ads.txt’s existence,” said Chappell.
The 404bot isn’t the first time ads.txt files have been hijacked by fraudsters. Bad actors have tried to worm their way on to publisher’s ads.txt files since the tool launched in 2017.
“These types of fraud are successful because they prey on the fact that companies selling and buying media aren’t set up properly to audit what’s being traded,” said Dan Larden, managing partner of product and partnerships at programmatic agency Infectious Media. “Programmatic advertisers need to be pushing ad tech vendors for more log-level data so that they can see where the wastage is on the media that’s being bought.”
Member ExclusiveDigiday+ Research: Instagram wins over Facebook for role in brands’ holiday marketing
Brands differ on how they use each marketing channel during the holidays -- even when it comes to sibling social media platforms Facebook and Instagram, Digiday+ Research found.
How — and why — Candy Crush is in the midst of a 10th anniversary brand refresh
In the years since Activision Blizzard acquired the Swedish game studio King in 2016, employees at the gaming giant have started to internally refer to their company as “ABK” — that is, Activision Blizzard King. But the corporation’s recent financial reports indicate that “KAB” might be a more accurate abbreviation.
Independent agency Goat invests in influencer strategy for clients as it expands in the U.S.
Everyone is after influencers to up their marketing game. But the secret to success, Goat contends, is in viewing influencers as performance media and using data to deliver clients guaranteed outcomes.
SponsoredHow brands are measuring incremental performance on CTV
Connected TV is unique among other advertising channels because it combines linear television’s storytelling capabilities with digital marketing’s targeting and measurement. As more marketers leverage CTV advertisements to reach relevant and engaged audiences, they also want to understand the real value they are generating with their investment. Incrementality reporting and measurement allow advertisers to measure […]
Marketers bring Web3 to the FIFA World Cup with augmented reality, NFTs and virtual worlds
The month-long tournament, which begins this weekend, will be the first World Cup since it took place in Russia in 2018 long before “Web3” entered the global lexicon. Now, official and non-official sponsors are hoping to harness the hype with a range of NFTs, virtual worlds, augmented reality tools and other trendy tech.
U-Haul diversifies its social strategy to tell people it’s more than moving trucks
In recent years, U-Haul's in-house agency has been working to "better leverage social media for brand loyalty."