Home Online Advertising By Sneaking Into Ads.txt Files, The 404bot Cost Advertisers $15 Million
Online Advertising

By Sneaking Into Ads.txt Files, The 404bot Cost Advertisers $15 Million

By

SHARE:

For two years, the 404bot worked unchecked, exploiting a flaw in the ads.txt spec that cost advertisers $15 million in wasted video ads.

The 404bot served 1.5 billion video ads, according to Integral Ad Science, which revealed the scheme Tuesday with a warning for the industry, including for publishers to audit their ads.txt files.

Ads.txt was designed to stop domain spoofing by allowing publishers to list all direct partners and resellers. Advertisers can confirm they are buying inventory from sellers with legitimate access to a publisher’s inventory.

But if publishers add an untrustworthy partner, they can abuse their position as an ads.txt-verified path and spoof the publisher’s inventory.

The few hundred domains where Integral Ad Science found ads.txt files linked to the 404bot all had something in common, said Evgeny Shmelkov, head of the IAS Threat Lab. “Their ads.txt files were huge,” he said. “There were lots of parties freely trusted.”

Once the 404bot was added to a publisher’s ads.txt list, it sold legitimate ads from the publisher and ads at other sites spoofed to look like they came from the publisher’s domain. Since the partner was listed as an approved path to a publisher’s inventory, advertisers had no easy way to determine that the domain was spoofed.

As the name suggests, the 404bot relied on fake URLs. The bot would also create an article page name that didn’t exist on the publisher’s site but existed legitimately elsewhere, such as a story about the week’s highest-grossing movie.

Although some domain spoofing simply puts lipstick on a pig – repackaging human traffic to dating, porn or non-brand safe content sites as higher-value URLs – the 404bot showed the ads to bots, not humans. So publishers’ inventory was not only spoofed and devalued, but their invalid traffic rates would appear higher.

IAS notified the publishers affected by 404bot, Shmelkov said.

Publishers should audit their ads.txt files using best practices outlined by the IAB Tech Lab, he added. By closely monitoring their ads.txt files, they can avoid letting partners onto their sites that could misrepresent their inventory.

And DSPs can track fake URLs in their inventory to root out potential domain spoofing, in addition to buying only from ads.txt-compliant paths to supply.

Must Read

Comic: Gamechanger (Google lost the DOJ's search antitrust case)
Google antitrust

DOJ v. Google: How Judge Brinkema Seems To Be Thinking After Week One

Where the DOJ v. Google ad tech antitrust trial stands after one week’s worth of remedies arguments.

Platforms

Swish, A Company That's Bringing Programmatic to Product Sampling, Announces Seed Funding

Swish, a startup that partners with retailers to provide product full-size CPG samples to people doing their grocery shopping online, announces $2.3 million in seed funding.

antitrust

DOJ v. Google: During Opening Arguments, The DOJ And Google Battle Over An AdX Divestiture

Court is back in session. And the fate of  the open internet is in the balance.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Chris Mufarrige, director, Bureau of Consumer Protection, FTC
Data Privacy Roundup

FTC Consumer Protection Chief: No Easy Answers On Privacy, ‘Only Trade-Offs’

Privacy isn’t black-and-white, says the FTC’s Chris Mufarrige, promising evidence-driven consumer protection cases under the Trump administration.

Publishers

How Encryption Keys Could Resolve The TID Furor

Rather than sharing universal TIDs that any DSP or curator can access, Raptive says publishers should instead share encrypted TIDs with an encryption key provided only to trusted demand-side partners.

Digital Out-Of-Home

Clear Channel Brings Mid-Flight Measurement To Its OOH Network

Clear Channel will provide advertisers weekly, mid-flight reports on outcomes driven by its inventory in order to bring OOH measurement closer to the speed of digital.

Popular

  1. Comic: "Deal ID, please."
    Commerce

    Amazon Expands Its Programmatic Integration With SiriusXM

    On Tuesday, Amazon DSP announced an expanded integration with satellite radio company SiriusXM.

  2. Daily News Roundup

    Artificial Intelligence Goes To Washington; Perplexity Learns That Sharing Is Caring

    Sillicon valley bigwigs are getting into SuperPACS; turns out, shaming AI companies sorta works; and UK publishers are going “consent or pay.”

  3. AdExchanger Content Studio

    Stop Paying For The Same Eyeballs Twice: How Smarter CTV Planning Unlocks True Reach

    Marketers are pouring billions into CTV – but without the right tools, duplication, fragmentation and murky measurement can drain ROI.

  4. Comic: The New Netflix And Chill
    OPINION: The Sell Sider

    Introducing Advertising Logistics – A New Approach For A More Observable Programmatic Ecosystem

    As technology and industry self-regulation converge to make supply and demand path optimization more seamless and efficient, we need a better name to describe optimization across the advertising ecosystem, writes Stephen Johnston, CTO of PubWise. “I’d like to submit for your consideration a new term: advertising logistics.”

  5. Platforms

    Swish, A Company That's Bringing Programmatic to Product Sampling, Announces Seed Funding

    Swish, a startup that partners with retailers to provide product full-size CPG samples to people doing their grocery shopping online, announces $2.3 million in seed funding.