Just announced: HUMAN’s Satori Threat Intelligence and Research team has disrupted a cunning mobile advertising fraud campaign dubbed Konfety.

Ads.txt: A White Ops Perspective

Despite high-profile takedowns like Methbot last year, domain spoofing remains a big source of ad fraud.

The good news is the industry has found a practical fix for this problem in the form of Ads.txt, an effective and low-cost way to combat ad fraud.


Why do we need Ads.txt?

Ads.txt is a simple, elegant solution to the insidious problem of domain spoofing. In the RTB ecosystem, bid requests are supposed to be launched when a browser visits a web page. The browser sends a special http request, often embedded in the header of the page being visited, which launches a bidding war for the right to serve an ad on that page to that browser.

But if you control a browser, you can make it lie. Cybercriminals use malware and other means to send bid requests to the RTB ecosystem that look like they come from browsers visiting major publishers. These spoofed bid requests attract real bids and make real money.


Wait, what? How do you “fake” a website in digital advertising and get away with it?

There is a lot of reselling in digital advertising for perfectly legitimate reasons. In some industries, ad spending is very seasonal, while the costs of running a website are much the same month-over-month. As a result, plenty of publishers sell to intermediaries who buy big blocks of ad inventory in advance and then sell it over time. Because of this, multiple companies can legitimately sell ad inventory on the same website.

But before Ads.txt, there was no way to verify, at web scale, that a given seller had a legitimate right to sell a given website’s inventory. If someone could make a browser lie about where it is, he could sell impressions for any website under any seller ID you could possibly want, including, of course, his own.

The next step is to scale. How can you make a million browsers lie? One method is to run them all in a controlled environment, like a server farm in a datacenter. But datacenter traffic doesn’t look quite right, because most consumer web traffic comes from homes, offices, and commercial spaces like coffee shops. So an attacker needs to mask his IP space to look residential or proxy his datacenter traffic through residential companies infected with a malware proxy

If you can infect a residential computer with a malware proxy, you can use other malware-based spoofing techniques as well. Even simple techniques, like modifying ad tags on the fly to make them like they’re coming from other domains, can work in some environments that track delivery using only 1x1 pixels.


How Ads.txt works

Ads.txt -- cleverly backronymed as “Authorized Digital Sellers” -- is an Interactive Advertising Bureau (IAB) initiative to fight spoofing. Publishers selling ads on their site add a text file --literally, ads.txt -- to their site’s root directory. For example, here’s what the New York Times ad.txt file looks like: https://www.nytimes.com/ads.txt

The file contains a list of the vendors approved to sell a publisher’s inventory. Media buyers can cross-reference this list with the inventory they’re about to purchase and ensure they’re buying from a licensed provider instead of a fraudulent one.


What’s next for Ads.txt

We have already seen countermoves in the wild: fraudsters manipulating publishers into writing them into Ads.txt files as legitimate resellers. In this case, fraudsters write “helpful” how-to articles on implementing Ads.txt on a publisher’s site. Since Ads.txt is still fairly new, these articles continue to drum up plenty of traffic from worried publishers trying to protect their inventory. Once the publisher follows the instructions, the file is successfully placed on their server, but with one small change: the fraudster’s site is now listed as an authorized seller.

The IAB itself offers a great resource for learning how to create and implement an Ads.txt file, so it pays to be skeptical of contradictory information from around the web. But ultimately, we need to clear the adoption hurdle. As more publishers incorporate Ads.txt into their sites, scammers will run out of sites to spoof, potentially eliminating this form of fraud altogether.

On the mobile front, we have some work to do. Mobile apps don’t have the equivalent of a website root directory, where an ads.txt file lives on the web. We’ll need to develop a way to port the Ads.txt concept to in-app advertising.


Let’s put an end to domain spoofing

Ads.txt is a straightforward, elegant solution to a complex, profitable ad fraud scheme. There’s always room for error in the fight against cybercrime — publishers fail to use an Ads.txt, advertisers fail to check it, and unscrupulous SSPs with authorization send fraudulent traffic to placements anyway. But if the cybersecurity community can encourage 100% adoption, we may be able to cut off this form of cybercrime for good.