“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Dwight Ringdahl, senior vice president of technology at RhythmOne.
The digital advertising industry is trying to clean up its act, waging a war against fraud on multiple fronts. Efforts to stop nonhuman traffic and address blocking, prevent injections and ensure viewability have all been debated, discussed and deliberated ad nauseum.
But among all the types of fraud, there is one that is growing fast and hasn’t yet gotten its due: URL masking. Also known as domain spoofing, domain fraud or impression laundering, URL masking occurs when low-quality sites falsify their domain to appear like a legitimate publisher, giving them the ability to draw premium prices for junk inventory.
If bot fraud conceals the “who,” URL masking conceals the “where.” And the “where” matters a lot. It’s the difference between paying for a premium placement on a major publisher and winding up on a gambling or porn site. There are more than dollars at stake: A brand’s reputation hangs in the balance.
This type of fraud is prevalent, too. Some 23% of ads on RTB exchanges wind up on sites with masked URLs, according to DoubleVerify. Ghostery puts that number higher, at 40%.
URL masking has grown this big because it’s easy to do. And it’s easy because it exploits a fundamental weakness in the entire ad ecosystem: the iframe ad format. Reliance on iframes is the No. 1 cause for the prevalence of domain fraud. If we are going to get serious about this problem, we have to address our dependence on the iframe first.
Iframes Make URL Masking Easier For Fraudsters
An iframe is a chunk of code that allows you to create a window on the screen that is agnostic to the web page itself. It can contain anything – an ad, a web page – pretty much anything connected to the Internet can be thrown into an iframe. And what’s more: What appears in the iframe is virtually undetectable to the page it occupies because they don’t talk to each other at all.
That mutual blindness used to be an advantage. A few years ago, it was just about the only clean way to serve an ad across different browsers and ensure that it was delivered intact. But that blindness also means that it’s tremendously difficult to confirm whether iframe ads wound up in their intended location.
In other words, it is the easiest way to mask a URL. It allows publishers and intermediaries to misrepresent the real content of the site to the advertiser and attract higher-premium advertising dollars than would otherwise come their way.
Time To Switch
It’s a wonder, then, that iframes are as prolific as they are. Really. Major ad platforms still offer them as the default format for ads, and that’s just crazy. JavaScript is a viable alternative to iframes, and the industry should make a concerted effort to transition to that format as a default. It’s time for the standard to shift. There are still some places where iframes make sense – as a part of the creative itself, for example – but they should not be the default ad format for major players in the system. Iframes should be opt-in, not the other way around.
Apart from some very specific creative applications, there remains little upside to using iframes as an ad format these days. They made sense for a web where publishers used proprietary APIs and plugins for displaying content. HTML5 has solved that problem, and today iframes mostly present a downside risk.
On the other hand, the advantages to transitioning away from the iframe is clear. Domain fraud is on the rise, and it threatens not only budgets, but the reputations of both brands and legitimate publishers. It’s in everyone’s interest to take steps to stop this practice, and re-examining the iframe is an excellent place to start.
Follow RhythmOne (@RhythmOneUS) and AdExchanger (@adexchanger) on Twitter.
