Iframes Leave Us Vulnerable To URL Fraud

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Dwight Ringdahl, senior vice president of technology at RhythmOne.  

The digital advertising industry is trying to clean up its act, waging a war against fraud on multiple fronts. Efforts to stop nonhuman traffic and address blocking, prevent injections and ensure viewability have all been debated, discussed and deliberated ad nauseam.

But among all the types of fraud, there is one that is growing fast and hasn’t yet gotten its due: URL masking. Also known as domain spoofing, domain fraud or impression laundering, URL masking occurs when low-quality sites falsify their domain to appear like a legitimate publisher, giving them the ability to draw premium prices for junk inventory.

If bot fraud conceals the “who,” URL masking conceals the “where.” And the “where” matters a lot. It’s the difference between paying for a premium placement on a major publisher and winding up on a gambling or porn site. There are more than dollars at stake: A brand’s reputation hangs in the balance.

This type of fraud is prevalent, too. Some 23% of ads on RTB exchanges wind up on sites with masked URLs, according to DoubleVerify. Ghostery puts that number higher, at 40%.

URL masking has grown this big because it’s easy to do. And it’s easy because it exploits a fundamental weakness in the entire ad ecosystem: the iframe ad format. Reliance on iframes is the No. 1 cause for the prevalence of domain fraud. If we are going to get serious about this problem, we have to address our dependence on the iframe first.

Iframes Make URL Masking Easier For Fraudsters

An iframe is a chunk of code that allows you to create a window on the screen that is agnostic to the web page itself. It can contain anything – an ad, a web page – pretty much anything connected to the Internet can be thrown into an iframe. And what’s more: What appears in the iframe is virtually undetectable to the page it occupies because they don’t talk to each other at all.

That mutual blindness used to be an advantage. A few years ago, it was just about the only clean way to serve an ad across different browsers and ensure that it was delivered intact. But that blindness also means that it’s tremendously difficult to confirm whether iframe ads wound up in their intended location.

In other words, it is the easiest way to mask a URL. It allows publishers and intermediaries to misrepresent the real content of the site to the advertiser and attract higher-premium advertising dollars than would otherwise come their way.
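
The frame blindness described above, as an added example that is not part of the original column: a script inside the ad's iframe checks which host actually embeds it against the domain declared for the impression. The function names, the declared-domain parameter and the `.example` hosts are assumptions made for illustration.

```javascript
// `win` is a window-like object so this runs under Node against the
// constructed mocks below; in a browser, pass the real `window`.
const norm = (h) => h.toLowerCase().replace(/^www\./, "");
function hostOf(url) {
  try { return norm(new URL(url).hostname); } catch { return null; }
}

// What a script inside the ad iframe can learn about the page embedding it.
function observeEmbeddingHost(win) {
  try {
    // Readable only when the frame is same-origin with the top page.
    return { host: norm(win.top.location.hostname), source: "top.location" };
  } catch (e) { /* cross-origin: the browser throws a SecurityError */ }
  // Not every browser provides ancestorOrigins; the last entry is the top page.
  const ao = win.location.ancestorOrigins;
  if (ao && ao.length > 0) {
    return { host: hostOf(ao[ao.length - 1]), source: "ancestorOrigins" };
  }
  // The referrer names only the direct parent, which in a nested iframe
  // chain is another intermediary rather than the page itself.
  const ref = hostOf(win.document.referrer);
  return ref ? { host: ref, source: "referrer", weak: true }
             : { host: null, source: "none" };
}

// Compare the observed host with the domain declared for the impression.
function checkPlacement(win, declaredDomain) {
  const seen = observeEmbeddingHost(win);
  const declared = norm(declaredDomain);
  let verdict = "unverifiable";
  if (seen.host !== null) {
    const same = seen.host === declared || seen.host.endsWith("." + declared);
    verdict = seen.weak ? (same ? "parent-matches" : "inconclusive")
                        : (same ? "match" : "mismatch");
  }
  return { declared, observed: seen.host, source: seen.source, verdict };
}

// Constructed mocks: a top window whose location is blocked cross-origin.
const blockedTop = { get location() { throw new Error("SecurityError"); } };
const frame = (ancestorOrigins, referrer) =>
  ({ top: blockedTop, location: { ancestorOrigins }, document: { referrer } });
const friendly = { top: { location: { hostname: "www.premium-news.example" } } };
const nested = frame(["https://adserver.example", "https://junk-site.example"],
                     "https://adserver.example/frame.html");
const nestedNoAO = frame(undefined, "https://adserver.example/frame.html");
const blind = frame(undefined, "");
for (const w of [friendly, nested, nestedNoAO, blind])
  console.log(checkPlacement(w, "premium-news.example"));
```

Only the first two sources identify the top page; a referrer that differs from the declared domain is inconclusive, because an ad nested inside an ad server's own frame sees that server as its parent.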

Time To Switch

It’s a wonder, then, that iframes are as prolific as they are. Really. Major ad platforms still offer them as the default format for ads, and that’s just crazy. JavaScript is a viable alternative to iframes, and the industry should make a concerted effort to transition to that format as a default. It’s time for the standard to shift. There are still some places where iframes make sense – as a part of the creative itself, for example – but they should not be the default ad format for major players in the system. Iframes should be opt-in, not the other way around.

Apart from some very specific creative applications, there remains little upside to using iframes as an ad format these days. They made sense for a web where publishers used proprietary APIs and plugins for displaying content. HTML5 has solved that problem, and today iframes mostly present a downside risk.

On the other hand, the advantages of transitioning away from the iframe are clear. Domain fraud is on the rise, and it threatens not only budgets, but the reputations of both brands and legitimate publishers. It’s in everyone’s interest to take steps to stop this practice, and re-examining the iframe is an excellent place to start.

Follow RhythmOne (@RhythmOneUS) and AdExchanger (@adexchanger) on Twitter.



  1. You guys would know – you wrote the book on all the different types of fraud…

  2. Is this concern resolved with the advent of SafeFrame iFrames?

  3. Looking for the truth

    It’s a shame no one at blinkx or RhythmOne finds the time to reply to any investors’ questions and seem to bury their heads in the sand and refuse the dialogue even though the company’s share price is collapsing around them, surely it is the time to rally investors to lend support to the company rather than alienating them from the board. By the way Alex everyone was doing what they were doing at the time it’s just that it’s easier to take down a UK based company than one of the American giants which still carry on the same practices unlike this lot now who are probably the cleanest company out there and are turning away business to the detriment of the company if they cannot verify that it is 110% whiter than white traffic to place ads for.

  4. Didn’t the world move away from JS for ads cos it slows down page loads, and can completely kill pages in particularly bad cases?

    Anyway, the idea that domain spoofing is a major problem is only an issue if you’re a buyer trying to stiff Publisher A by picking up cheap arbitraged inventory.. Really you should have the nous to buy direct from the publisher and not from a pointless middleman. Caveat emptor & all that.