Man
Professional
To run a successful advertising campaign, it is important for advertisers to monitor their advertising budget and competently establish contact with the real audience. However, fraudsters also monitor your advertising campaigns, trying to snatch part of the advertising budget. To do this, they can use one of their fraudulent tactics - spoofing domains or sites.
In this article, you will learn what domain substitution leads to, how this technology manifests itself, and we will also tell you about working strategies that advertisers can use to protect their advertising budgets.
Contents
1. What is website (domain) spoofing?
2. Types of domain spoofing
2.1 URL/Site Spoofing
2.2 Cross-domain embedding
2.3 Malicious software
2.4 Modifying advertising tags
2.5 Homemade browsers
3. Why Domain Spoofing Remains a Threat in 2024
4. How to identify domain spoofing
4.1 View traffic reports manually
4.2 Use ads.txt
4.3 Use special anti-fraud systems
What is website (domain) spoofing?
Domain spoofing, or website spoofing, is a fraudulent technique in which attackers imitate a legitimate website, divert traffic to the imitation, and use it for phishing, click fraud, inflating views, stealing banking and personal data, and so on.
Please note that this is not about DNS spoofing, where the site shown in the user's browser is replaced, but about imitation of premium resources on a domain that is as similar as possible to the original.
forbes[.]com → forbs[.]com, gosuslugi[.]ru → gos-uslugi[.]ru — these are clear examples of imitating the domains of real traffic platforms. In such cases the scammers also copy the site's design and content.
Fraudsters use counterfeit copies of large thematic portals, placed on advertising platforms and elsewhere, to inflate the price of their inventory and of ad clicks. After adding the spoofed sites to advertising networks, they drive bot traffic to them to click on ads and increase payouts in their favor.
Here's what domain spoofing technology looks like when used in ad fraud:
- A cyber fraudster registers a domain that is similar in spelling to a legitimate and well-known website. For example, "gogle.com" instead of "google.com".
- Duplicates the design and creates a visually identical resource that mimics the original.
- Places the site in the advertising network.
- Drives bot traffic. Each bot can have its own task, including clicking ads.
- Advertisers place premium ads on it and do not pay attention to the parameters that indicate that the site is fake.
- The attacker collects the rewards for clicks on the advertisements.
Because of this, advertisers overpay for placing ads on low-quality or outright fraudulent sites, which also affects the effectiveness of advertising campaigns.
This fraud method seems simple and effective, and it really is. Advertisers pay for supposedly premium traffic, but they don’t get any return on it.
There are several reasons why attackers choose domain spoofing as a fraud technique:
- Low-quality traffic is easily generated by automated programs.
- It is possible to hide the source of traffic, especially if the site contains illegal or unwanted content.
- Possibility of phishing attacks.
- Distribution of malware or spyware.
- Collection of personal information without the knowledge of users.
In many areas, spoofing can have devastating consequences for ordinary users, owners of the original sites, and advertisers. With its help, fraudsters can infect devices, steal payment data and other confidential information, and damage the reputation of companies.
Types of domain spoofing
Domain spoofing methods can be divided into simple and complex. Simple domain spoofing methods involve copying websites exactly and placing them under a new domain. More complex methods include forging email addresses, distributing malware, or stealing personal data.
URL/Site Spoofing
This is the most common form of domain spoofing. Fraudsters provide the ad server with the URL of a legitimate publisher with expensive inventory. Advertisers therefore believe that their ads are being shown on a legitimate site, such as forbes.com, when in fact the ads will be displayed on the fraudster's fake resource (forbse.com). They can carry out this substitution in several ways, including by manipulating the ads.txt file.
Fraudsters can also place ads on several domains at once, although the advertiser knows about only one, usually the highest quality. In this case, fraudsters link two (or more) sites together: the first may be dedicated to controversial content (e.g. gambling, pornography, extremist beliefs, etc.), which generates a lot of traffic, while the other contains valuable content but has a small number of visitors.
Another tactic is to use Unicode characters in a domain. Unicode, an international character encoding standard, assigns a unique number to each character in all languages and fonts, ensuring that they are accessible across multiple platforms, programs, and devices.
Therefore, scammers can use homoglyphs, i.e. graphically identical or similar characters. For example, the letter "h" is very similar to the Unicode character "һ" (Shha). Scammers exploit this similarity by registering domains for their fake sites that completely imitate the domain names of legitimate resources.
Cross-domain embedding
To implement this method, attackers use frames, which are HTML elements used to embed external content in a page. This content can include images, videos, or even entire websites.
Loading the content of legitimate, high-traffic sites in an iFrame on a fake domain misleads advertisers into thinking that the ad is being displayed on the legitimate site.
Malware
Fraudsters can use infected apps or browser extensions to place ads on websites and in apps without the user's knowledge.
Here's how it works: when a user launches an infected app, invisible ad banners are loaded in the background, generating automatic views or clicks. Each click on the ad brings income to the scammers.
For example, one such malware was Necro, which we recently wrote about in our blog. It is a multi-level downloader for running ads in the background, clicking, and generating traffic through infected Android devices.
Modifying advertising tags
Ad tags are a way to track the effectiveness of ad placements on a publisher's site. However, cybercriminals can hack and forge them to manipulate statistics. In this way, cybercriminals deceive advertisers into thinking they are buying premium ad inventory, while in fact the ads are being served on low-quality sites.
Homemade browsers
Homemade browsers can be used to view sites and pages that commercial browsers cannot access. Fraudsters use them to create sites with URLs similar to premium resources. Advertisers fall for the trick and pay to place ads on fake resources.
Why Domain Spoofing Remains a Threat in 2024
It's simple: this technology allows scammers to make easy money. Copying an existing website, placing ads on it, and subsequent monetization through bot traffic and clicking - all this is fully automated and accessible.
For example, in 2017, US experts conducted an investigation that revealed the prevalence of fake domains masquerading as various advertising networks. The results showed that the cost of fraudulent advertising resources was approximately $1.3 million per month.
Another notable example is the Methbot botnet, a large-scale ad fraud scheme that operated between 2014 and 2018. At its peak, Methbot generated up to 400 million video ad views per day, had over 6,000 domains, and over 250,000 URLs. The scheme allowed fraudsters to make up to $3 million per day, mostly through domain spoofing.
An analysis of major ad fraud cases in recent years shows that domain spoofing is a favorite method of fraudsters, which brings them significant profits.
How to detect domain spoofing
To detect scammers who use this fraudulent technology, you can follow these steps:
View traffic reports manually
Check domain names and URLs for inconsistencies: extra characters such as hyphens, digits that resemble letters (1 – I or 0 – O), and especially Unicode characters that resemble other letters (as in the example above).
However, manual analysis of every domain from which advertising traffic comes is a long and tedious task that requires a lot of concentration, especially for large-scale advertising campaigns. Therefore, it is recommended to place ads from the start only on approved domains listed in an allow list.
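The manual checks above (hyphens, digit/letter swaps, Unicode look-alikes) can be automated against an allow list. The following is an added example, not code from the original post: it folds confusable characters such as the Cyrillic Shha to their ASCII look-alikes, drops hyphens, and flags any traffic-source domain within a small edit distance of an approved domain. The approved domains and the confusable table are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the advertiser has approved (hypothetical values).
APPROVED_DOMAINS = {"forbes.com", "gosuslugi.ru", "google.com"}

# Characters easily confused with ASCII letters inside a domain label: the Cyrillic
# Shha from the article, a few other Cyrillic look-alikes, and digit/letter pairs.
CONFUSABLES = {
    "\u04bb": "h", "\u0430": "a", "\u043e": "o", "\u0435": "e",
    "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "0": "o", "1": "l",
}

def host_of(url_or_host):
    """Lower-cased host from a URL or bare host, with xn-- labels decoded to Unicode."""
    host = urlsplit(url_or_host if "://" in url_or_host else "//" + url_or_host).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII characters; nothing to decode
    return host.lower()

def skeleton(host):
    """Fold confusable characters to their ASCII look-alike and drop hyphens."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host if ch != "-")

def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(url_or_host, approved=APPROVED_DOMAINS, max_distance=2):
    """Classify a traffic source as 'approved', 'lookalike' (plus the imitated domain) or 'unknown'."""
    host = host_of(url_or_host)
    if host in approved:
        return ("approved", host)
    sk = skeleton(host)
    for good in sorted(approved):
        if edit_distance(sk, skeleton(good)) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)
```

A small edit distance against short approved domains will also flag unrelated legitimate names, so treat "lookalike" as a review queue rather than an automatic block.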
Use ads.txt
Ads.txt is an initiative proposed by the IAB in May 2017 as part of the Authorized Digital Sellers project. It is aimed at combating various forms of advertising fraud, including domain spoofing and unauthorized inventory resale.
The ads.txt file itself is a text document that specifies which companies are allowed to sell the digital inventory of a specific domain. Since it can be managed only by the resource owner, the information contained in the file is considered valid and trustworthy.
While ads.txt cannot completely prevent domain spoofing against advertisers, it does provide an additional layer of security if implemented correctly and regularly updated by publishers. Therefore, it is recommended to advertise only on domains that have an ads.txt file.
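To make use of ads.txt on the buying side, the file must be parsed and the seller/account pair on an incoming bid compared with what the publisher has listed. The following is an added example, not code from the original post or from the IAB: it parses the record form (seller domain, account id, DIRECT or RESELLER, optional certification authority id), the variable form (contact=, subdomain=) and comments, and reports lines that match neither. The sample file, seller names and account ids are constructed for the example; a real check would fetch the file from the claimed publisher's domain first.

```python
# Constructed ads.txt sample for a hypothetical publisher; seller names and
# account ids are made up for this example.
SAMPLE_ADS_TXT = """\
# ads.txt for publisher-example.com
adexchange-one.example, pub-1234567890, DIRECT, abc123def456   # exchange we contract with
adexchange-two.example, 98765, RESELLER
contact=adops@publisher-example.com
subdomain=news.publisher-example.com
this line has no commas and is not a variable
"""

def parse_ads_txt(text):
    """Parse ads.txt text into (records, variables, errors).

    records: dicts with seller, account_id, relationship and cert_authority_id
    variables: e.g. contact=, subdomain= lines, keyed by lower-cased name
    errors: (line_number, raw_line) pairs that follow neither form
    """
    records, variables, errors = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments run to end of line
        if not line:
            continue
        if "=" in line and "," not in line:
            key, value = line.split("=", 1)
            variables.setdefault(key.strip().lower(), []).append(value.strip())
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            errors.append((lineno, raw))
            continue
        records.append({
            "seller": fields[0].lower(),
            "account_id": fields[1],
            "relationship": fields[2].upper(),
            "cert_authority_id": fields[3] if len(fields) > 3 and fields[3] else None,
        })
    return records, variables, errors

def authorized_relationship(records, seller, account_id):
    """'DIRECT' or 'RESELLER' if the seller/account pair is listed, else None.

    A bid for this publisher's domain from an unlisted pair is unauthorized inventory.
    """
    for rec in records:
        if rec["seller"] == seller.lower() and rec["account_id"] == account_id:
            return rec["relationship"]
    return None
```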
Use special anti-fraud systems
Manual traffic analysis and the ads.txt file provide some protection, but they do not guarantee the highest possible level of protection from bots, low-quality sites, and other invalid traffic.
To strengthen the protection of advertising against click fraud and domain-substitution fraud, we strongly recommend using special anti-fraud systems. They verify advertising traffic and detect invalid click-throughs and fraudulent traffic sources.