• by Joe Mandese  @mp_joemandese, February 11, 2019

The good news is that the Interactive Advertising Bureau's ads.txt initiative has seen a remarkably fast compliance among the world's top website publishers doing business with big advertisers and ad agencies. The bad news is that nothing's perfect.

That's what ad fraud detection firm DoubleVerify found when it analyzed the composition of sites that have complied with ads.txt, a piece of code signaling that a site has complied with industry standards verifying that it is kosher to do business with.

According to the analysis conducted by DoubleVerify's Fraud Lab late last year -- and first reported late last week by The Wall Street Journal -- about 8.4% of sites analyzed utilized ads.txt, but did not list an an authorized reseller, which appears to defeat the whole purpose of ads.txt.

"Ads.txt, which stands for 'Authorized Digital Sellers,' is an IAB-approved text file that aims to prevent the sale of unauthorized ad inventory," DoubleVerify's report explains, adding: "Publishers drop the ads.txt text file, which lists all of the companies that are authorized to sell their inventory, onto their web servers. Similarly, programmatic platforms read this information to integrate ads.txt rules in order to qualify the inventory they purchase — creating greater transparency and trust in the value chain."

The problem, DoubleVerify found, was that a new fraud scheme circumvented and actually exploited ads.txt by posing as sites sanctified by the code by taking these steps:

1. The bot visits the site of a valid publisher and scrapes the site’s content.

2. The bot manipulates the environment to make it appear as though the browser is visiting the original site; however, it is actually viewing falsified content and ads.

3. The bot sells the ads slots it generated — under falsified URLs — through one of the resellers listed on the original site’s ads.txt file, making the content, the ad and the reseller arrangement appear to be legitimate.

The report is more than an expose of the programmatic ad industry's vulnerability. It shows that ad fraudsters are ingenious and constantly innovating — and perhaps most importantly, that every new industry threshold also represents a potential new vector for fraud for those creative or imaginative enough to think of how to exploit it.

Needless to say, the negative PR associated with this story will likely permeate through the industry, and it seems more than coincidental to me that an ad-fraud detection service would be the one to expose it. By that, I'm not implying that DoubleVerify was exploiting and exploit, per se, but who benefits most from the ingenuity and innovation of ad fraudsters: the people who sell services to protect against them.

In that way, digital ad-fraud detection is a lot like digital virus and malware software providers -- Norton (Symantec), etc. -- whose sales depend on it nefarious sources developing new variants to be protected against.

"While initiatives like ads.txt are positive, there will always be a need for each player to be vigilant to the ad fraud vulnerabilities they have a level of control over," says Amin Bandeali, CTO of Pixalate, a company that has been tracking website compliance with ads.txt.

Bandeali said Pixalate has observed similar examples found by DoubleVerify, and that the best solution is more perspiration than inspiration:

"We work hard to protect our clients from such schemes through our pre-bid technology and tools we provide for supply rating and data intelligence. At the end of the day, fraudsters will always seek to game the system because they are so highly incentivized. Scammers are constantly inventing, and it’s up to each stakeholder to carefully vet and monitor their sources and partners.

That said, Bandeali doesn't believe the industry should rush to throw out the ads.txt baby with the fraudsters' bath water, and that for those who can't or don't want to roll up their sleeves, something is better than nothing.

"We strongly believe that efforts like ads.txt are great for the industry as a do-it-yourself checkpoint against certain kinds of ad fraud. And as our ads.txt research has shown, there is a proven benefit: There was 22% less IVT on sites with ads.txt vs. those without. However, our research also showed that sites with ads.txt still had IVT rates at 13.5% — so we know that fraud still exists."