Integral Ad Science has uncovered a bot scheme that has spoofed a range of high-profile publishers, and stolen at least US$15 million of advertisers' money, by taking advantage of vulnerabilities in the industry's Ads.txt standard.
The botnet has been siphoning away brand money since 2018 and is showing "no clear signs of it being shut down", so IAS is making its discoveries public in order to trigger industry action.
The botnet involves a practice known as domain spoofing, in which a network of infected devices is used to generate billions of ad calls to fake URLs masquerading as legitimate publishers. Since many of the fake URLs do not actually exist, the fraud scheme has been dubbed 404bot, based on the 404 error message displayed when an internet page is not found.
While the fraud scheme bears multiple similarities with other domain-spoofing operations such as 3ve and Hyphbot, 404bot appears to be the first significant bot scheme targeting Ads.txt files, spotlighting cracks in the initiative.
The spoofing scheme has so far affected a range of high and low-profile publishers across the globe, although IAS would not share specifics "in order to avoid causing any additional harm to the brands of the abused publishers."
IAS has notified law enforcement agencies of the 404bot scheme and will be "actively supporting in all their efforts to take down this and other ad fraud schemes."
The botnet's origin
As is the case with most botnets, 404bot has been gradually building its network over a number of years, with peaks and troughs in activity making its impact difficult to determine.
The IAS Threat Lab first spotted a rise in domain spoofing activity in 2018, which it hypothesised was likely generated by a single botnet. In September 2018, the botnet activity spiked and remained very high through to the beginning of November 2018, when the activity abruptly dropped. Around the same time, another botnet, 3ve, was taken down by a global consortium of tech platforms, security companies and international law-enforcement agencies, led by cybersecurity and ad verification firm White Ops. Campaign interviewed the head of the operation last year.
IAS first assumed the two were related, but the timing of 3ve's takedown did not line up with the drop in activity of the botnet it was monitoring. After about five months of low activity, the 404bot traffic spiked again in the middle of April 2019, and then dropped in September 2019.
"We can only hypothesise the true reason for this subsequent drop in activity of the botnet, but based on previous observation, we know that 404bot activity could spike again at any time," IAS explains in its white paper.
Conservative estimates suggest that during 404bot's recent period of high activity between April and September 2019, the scheme affected over 600 million ads. Overall, IAS estimates that since it was discovered in 2018, it has affected more than 1.5 billion ads, most of which were video. Assuming video ad prices are in a single-digit dollar CPM, this means a payout to fraudsters of at least $15 million.
The $15 million impact on ad spend so far is a conservative estimate: IAS has said the true impact is "likely much larger".
How it works
The 404bot is able to siphon away ad spend by falsifying inventory and audiences. Domain spoofing allows it to slip URLs that often don't exist into approved domain lists. To evade detection, the fake URLs are often a concatenation of two existing domains. This makes them harder to recognise as fakes, which was one of Hyphbot's vulnerabilities.
Once the spoofed domains are receiving ad calls, the next challenge is to falsify an audience to 'watch' the video ads. To do this, the 404bot network takes advantage of the Bunitu Trojan. The Trojan infects internet users' devices with malware that allows remote clients to connect to them. Once connected, the remote client, in this case the fraudster, can use the infected IP addresses to generate fraudulent ad calls that appear to come from legitimate sources.
Domain spoofing is one of the most common forms of ad fraud, since it doesn't require huge skill or investment to pull off, although it is becoming more sophisticated. It takes advantage of the fact that many optimisation solutions rely on URL exclusion lists.
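A defender-side check for the concatenation trick described above, written as an added example rather than code from IAS or Campaign; the publisher allow-list and the hostnames it is run against are constructed and hypothetical.

```python
# Added example: flag an ad-call domain whose name is two known publisher
# domains glued together, the evasion pattern IAS attributes to 404bot.

# Constructed allow-list of legitimate publisher hostnames (hypothetical names).
KNOWN_PUBLISHERS = {"example-news.com", "dailytimes.org", "sportsdesk.net"}


def bare_host(host: str) -> str:
    """Lower-case the host and drop a leading 'www.'."""
    h = host.lower().strip().strip(".")
    return h[4:] if h.startswith("www.") else h


def registrable_label(host: str) -> str:
    """Return the label just before the TLD ('dailytimes' for 'www.dailytimes.org').
    Assumes a single-label public suffix; a production check would consult
    a public-suffix list instead."""
    parts = bare_host(host).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def concatenation_of_known(host: str, known=KNOWN_PUBLISHERS):
    """Return (label_a, label_b) if the host's label is label_a + label_b for
    two known publishers, otherwise None."""
    label = registrable_label(host)
    labels = {registrable_label(k) for k in known}
    for first in sorted(labels, key=len, reverse=True):   # longest prefix first
        rest = label[len(first):]
        if label.startswith(first) and rest and rest in labels:
            return first, rest
    return None


def classify_request_domain(host: str, known=KNOWN_PUBLISHERS) -> str:
    """'known' for a listed publisher, 'suspect-concatenation' for a domain
    that looks like two listed publishers fused together, else 'unknown'."""
    if bare_host(host) in known:
        return "known"
    if concatenation_of_known(host, known):
        return "suspect-concatenation"
    return "unknown"


if __name__ == "__main__":
    for h in ["www.dailytimes.org", "example-newsdailytimes.com",
              "sportsdeskexample-news.net", "random-site.com"]:
        print(h, "->", classify_request_domain(h))
```

A hit on "suspect-concatenation" is a reason to hold the domain for review, not proof of fraud on its own.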
The scale of this type of ad fraud inspired the creation of the IAB Tech Lab's Authorized Digital Sellers initiative—known as Ads.txt. Hailed as a breakthrough solution in the industry's fight against ad fraud, Ads.txt is a relatively simple text file that publishers place on their site to publicly list the vendors they have authorised to sell their inventory, while adtech companies can also declare their authorised resellers. Since its 2017 launch, the initiative has seen widespread adoption globally, including by 60% of US top-tier publishers.
Now it would appear fraudsters have played IAB at its own game. The public nature of the solution—where anyone on the internet can see a domain's approved sellers list—means fraudsters have been able to figure out workarounds.
"Despite widespread adoption [of Ads.txt] our data suggests that domain spoofing still exists and is still quite prevalent," IAS said in its white paper.
It's why ad verification partners like IAS are rarely minded to make their findings public.
"In order to reduce unnecessary panic in the ecosystem, IAS refrains from releasing details for every scheme we uncover," the company said. "But with 404bot, we felt differently; the botnet has been too active for too long with no clear signs of it being shut down. We decided to make our collected botnet knowledge public in order to allow other players in the ad-tech ecosystem the opportunity to clean up their inventories."
Shortcomings of Ads.txt
Fraudsters are gaming Ads.txt files by targeting publishers that have an "extremely large" list of authorised resellers on their Ads.txt file. The longer the list, the easier it is to slip through the cracks.
"This discovery left us wondering if publishers were not properly vetting resellers, or if they were simply using Ads.txt on their websites as a formality. The former, if true, defeats the core purpose of Ads.txt's existence," said Evgeny Shmelkov, head of the IAS Threat Lab. "We are learning from this bot that it is crucial to continuously audit and update Ads.txt files."
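The audit Shmelkov calls for can be scripted. The following is an added example, not code from IAS or the IAB Tech Lab: it parses an ads.txt file in the standard's record format, checks whether a given ad system and seller ID are actually authorised, and flags an oversized RESELLER list. The sample file, its partner domains and the review threshold are constructed.

```python
# Added example: parse ads.txt, verify a seller, and flag a long RESELLER list.

# Constructed sample in the IAB Tech Lab ads.txt record format:
#   <ad system domain>, <seller account id>, <DIRECT|RESELLER>[, <cert authority id>]
SAMPLE_ADS_TXT = """\
# ads.txt for example-news.com (constructed sample, hypothetical partners)
CONTACT=adops@example-news.com
ssp-one.example, pub-1001, DIRECT, abcdef0123456789
ssp-two.example, 77777, DIRECT
reseller-a.example, 12, RESELLER
reseller-b.example, 34, RESELLER   # legacy partner, never reviewed
reseller-c.example, 56, RESELLER
this line is not a valid record
"""


def parse_ads_txt(text: str) -> list:
    """Return one dict per well-formed data record; comments, variable lines
    (KEY=value) and malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or "=" in line.split(",")[0]:    # blank or variable line
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            continue
        records.append({
            "domain": fields[0].lower(),
            "seller_id": fields[1],
            "relationship": fields[2].upper(),
            "cert_id": fields[3] if len(fields) > 3 else None,
        })
    return records


def is_authorized(records: list, ad_system: str, seller_id: str) -> bool:
    """True if this ad system / seller id pair appears in the publisher's file."""
    return any(r["domain"] == ad_system.lower() and r["seller_id"] == seller_id
               for r in records)


def audit_resellers(records: list, max_resellers: int = 2) -> list:
    """List RESELLER entries for review once they exceed a threshold; the
    threshold is a local policy choice, not a value from the standard."""
    resellers = [r for r in records if r["relationship"] == "RESELLER"]
    if len(resellers) <= max_resellers:
        return []
    return [f"{r['domain']} (id {r['seller_id']})" for r in resellers]
```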
A range of ad fraud experts flagged the "imperfect" nature of Ads.txt to Campaign Asia-Pacific last year. At the time, White Ops cofounder and CEO Tamer Hassan said Ads.txt "can't weed out professional cybercrime" and has "almost certainly" been gamed. For example, while Ads.txt filtered out the majority of fraudulent 3ve traffic, 20% was still noted as 'authorised'.
Ads.cert, which will use cryptographically signed bid signatures to determine whether an impression belongs to the correct website, will add a more comprehensive line of defence, Hassan noted, but is still a few years away.