By Sneaking Into Ads.txt Files, The 404bot Cost Advertisers $15 Million

For two years, the 404bot worked unchecked, exploiting a flaw in the ads.txt spec that cost advertisers $15 million in wasted video ads.

The 404bot served 1.5 billion video ads, according to Integral Ad Science, which revealed the scheme Tuesday with a warning for the industry, including for publishers to audit their ads.txt files.

Ads.txt was designed to stop domain spoofing by allowing publishers to list all direct partners and resellers. Advertisers can confirm they are buying inventory from sellers with legitimate access to a publisher’s inventory.

But if a publisher adds an untrustworthy partner, that partner can abuse its position as an ads.txt-verified path and spoof the publisher’s inventory.

The few hundred domains where Integral Ad Science found ads.txt files linked to the 404bot all had something in common, said Evgeny Shmelkov, head of the IAS Threat Lab. “Their ads.txt files were huge,” he said. “There were lots of parties freely trusted.”

Once the 404bot was added to a publisher’s ads.txt list, it sold legitimate ads from the publisher and ads at other sites spoofed to look like they came from the publisher’s domain. Since the partner was listed as an approved path to a publisher’s inventory, advertisers had no easy way to determine that the domain was spoofed.

As the name suggests, the 404bot relied on fake URLs. The bot would also create an article page name that didn’t exist on the publisher’s site but existed legitimately elsewhere, such as a story about the week’s highest-grossing movie.

Although some domain spoofing simply puts lipstick on a pig – repackaging human traffic to dating, porn or non-brand safe content sites as higher-value URLs – the 404bot showed the ads to bots, not humans. So publishers’ inventory was not only spoofed and devalued, but their invalid traffic rates would appear higher.

IAS notified the publishers affected by 404bot, Shmelkov said.

Publishers should audit their ads.txt files using best practices outlined by the IAB Tech Lab, he added. By closely monitoring their ads.txt files, they can avoid letting partners onto their sites that could misrepresent their inventory.
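One way a publisher could script that audit, as an added example that is not code from IAS or the IAB Tech Lab: it parses the ads.txt record format (ad system domain, seller account ID, DIRECT or RESELLER, optional certification ID) and reports every authorized seller path that has no matching contract on file. The `CONTRACTED` allowlist, the `.example` domains, the account IDs and the report keys are all constructed assumptions.

```python
from collections import Counter

VALID_RELATIONSHIPS = {"DIRECT", "RESELLER"}

def parse_ads_txt(text):
    """Return (records, malformed). A record is (ad_system, account_id, relationship)."""
    records, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            if "=" not in line:                    # variable lines (contact=...) are not sellers
                malformed.append((lineno, raw.strip()))
            continue
        ad_system, account_id, relationship = fields[0].lower(), fields[1], fields[2].upper()
        if not ad_system or not account_id or relationship not in VALID_RELATIONSHIPS:
            malformed.append((lineno, raw.strip()))
            continue
        records.append((ad_system, account_id, relationship))
    return records, malformed

def audit(text, contracted):
    """Compare what the file authorizes with the seller accounts the publisher has on contract."""
    records, malformed = parse_ads_txt(text)
    counts = Counter(records)
    return {
        "entries": len(records),
        "ad_systems": len({r[0] for r in records}),
        "resellers": sum(1 for r in records if r[2] == "RESELLER"),
        "duplicates": sorted(r for r, n in counts.items() if n > 1),
        "unknown": sorted(set(records) - contracted),   # authorized in the file, no contract known
        "malformed": malformed,
    }

# Constructed sample file and allowlist (assumptions, not real sellers).
SAMPLE = """\
# ads.txt for publisher.example (constructed)
adsystem-a.example, pub-1001, DIRECT, abc123
adsystem-b.example, 2002, RESELLER
ADSYSTEM-B.example, 2002, reseller   # same seller, differs only in case
exchange-c.example, 9f9f, RESELLER
exchange-d.example, 7777
contact=adops@publisher.example
"""
CONTRACTED = {("adsystem-a.example", "pub-1001", "DIRECT"),
              ("adsystem-b.example", "2002", "RESELLER")}
```

Every tuple under `unknown` is a party the file vouches for without a record of why, which is the condition the article describes in the affected publishers' oversized files.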

And DSPs can track fake URLs in their inventory to root out potential domain spoofing, in addition to buying only from ads.txt-compliant paths to supply.
