I've been talking with them about the finding and to be fair, it is hugely supportive of the progress made by ads.txt, but there was always a question mark over how much protection the technology would offer, and for how long.
The problem with ads.txt was always known. It's a little similar to a guest list put on the door of a nightclub. If a publisher has put your name down as a reseller of its inventory, then you're safe to carry on selling ads on its behalf.
Like any guest list, however, there is always the risk of the wrong person getting their name put down or the wrong person turning up at the door, pretending to be someone who really is on the list.
In a nutshell, ads.txt says who can sell ads on behalf of a publisher, but it cannot guarantee that people claiming to be a reputable reseller of inventory are who they say they are.
Domain spoofing is commonplace, and that is what we have here with the 404 Bot. It is a highly sophisticated network through which rogue sites are pretending to belong to official advertising resellers. Although they may well appear to be AdvertSeller1.com, the actual site in operation will be a redirect to something like Seller1Advertiser.com.
Talking to the guys at IAS, it seems that one of the big giveaways with this network they are pointing the finger at was that it didn't behave like a human would. What was the giveaway? Well, many arms of the botnet all updated to the latest version of Chrome at exactly the same time, and that's something humans in an organisation never do.
So what can be done?
When publishers talk about ads.txt, it is clear they are being bombarded daily by people wanting to be added to their list and so it is easy to see how some rogue elements might slip through the net. It's also easy to see how rogue elements can pretend to be someone who is on the list.
The advice from the researchers is that ads.txt lists need constant checking and auditing to ensure they are up to date and only feature the names and account IDs the publisher is comfortable with.
With this advice comes a warning. We are in a technological arms race here. As ads.txt started to clean up the industry, it has stopped the lowest level of ad fraud and so cyber criminals have had to become more adept at conning the system to get on an ads.txt list or spoof the domain of someone who is.
The guys at IAS are reporting increasing sophistication that suggest that while ads.txt is a huge help, it has simply raised the barrier for cyber criminals and many are now learning how to overcome it.