Over a year before the FBI brought down 3ve’s human creators, the ad industry rolled out ads.txt, an anti-domain spoofing standard that slowly throttled the botnet.
3ve visited spoofed domains and sold fake traffic to publishers and, when it was active, was responsible for 1% to 2% of all bid requests, according to Google product manager Per Bjorke.
3ve got big because it used domain spoofing to get around the white- and blacklists marketers set up to outmaneuver the previous generation of ad fraud, which took place on fake, long-tail sites. Prior to ads.txt, no measures existed to verify a marketer was actually buying on the domain they thought they were. 3ve also took advantage of growing complexity and noise in bid requests that came from the rise of header bidding.
“Before ads.txt and just after the rise of header bidding, it was very difficult to figure out where the inventory was supposed to be coming from,” said Neal Richter, CTO of Rakuten Marketing.
Header bidding raised the number of bid requests going to publishers, who saw dollar signs and became more willing to add partners.
“Header bidding led to publishers being more promiscuous in their demand partnerships, and more willing to turn on demand partners, which made it easier for bad actors to hide amongst all the activity,” said IAB Tech Lab CTO Sam Tingleff.
In late 2016, the Russian botnet Methbot put domain spoofing on the ad industry’s radar. Then 3ve rolled in, using the same technique, “cementing the need” to address the problem, according to Bjorke.
The need to close the domain spoofing loophole led to the development of ads.txt, which was instrumental in curtailing the effectiveness of 3ve.
Google’s Bjorke was working on ads.txt while aware of 3ve – which ran unchecked as the FBI built its case. Knowing the scale of domain spoofing occurring raised the stakes of the initiative.
“It added to the urgency of making ads.txt,” Bjorke said.
Within the six months members of the IAB Tech Lab began work on ads.txt, it became a public standard.
“It was a fairly urgent problem, but technically not that difficult,” said IAB Tech Lab’s Tingleff. “It’s also one of the cases where all the participants are aligned in their interests and everyone wants it to succeed.”
Publishers swiftly adopted ads.txt around Q4 last year, such that its scale soon exceeded 3ve’s. 3ve spoofed over 10,000 domains during its run. Over 500,000 publishers now use ads.txt, which will make it harder for botnets to use domain spoofing in the future.
When publishers adopted Ads.txt en masse, 3ve was forced to change its operation, pushing 3ve to a smaller, less recognizable set of domains. “They were forced to essentially do more long-tail domain spoofing,” said White Ops CTO Tamer Hassan.
In early 2018, 80% of the bid requests 3ve generated could have been prevented by ads.txt, according to analysis by White Ops and Google.
Besides moving to desktop and mobile web sites without ads.txt files, there is some evidence the fraud moved to mobile apps, where ads.txt didn’t yet work. Some industry insiders speculate it could also have moved to connected TV, though there’s no evidence that 3ve operated there.
Though the death of 3ve was a victory for the ad industry – both in terms of quelling fraud and in terms of leveling criminal charges against the perpetrators – attack vectors remain, Hassan said.
One risk is social engineering, Bjorke said. If unscrupulous vendors get listed on a publisher’s ads.txt file, they can sell fake inventory and buyers may never know the difference. Bjorke and Hassan also warned of bad behavior among SSP aggregators, exchanges that do mostly arbitrage. Ads.cert will be able to address this problem, but it’s still in development, unlike its faster-moving predecessor.
Preventing the next attack
With 3ve gone, it may be a good time for publishers and marketers to take a second look at assessing the fees taken out as dollars pass through different vendors, domain spoofing could garble the results.
While ads.txt wasn’t designed to expose hidden fees, it makes it easier to perform supply path optimization and track the path inventory takes to get to a buyer.
So buyers might find that, without 3ve interfering and with ads.txt active, a different percentage of their dollar goes to a publisher.
Also, while 3ve was up and running, a publisher who bought its own inventory on the open exchange as a test to suss out hidden fees could have bought a domain spoofed version of their site. Missing money might appear to be an exorbitant fee, not ad fraud.
“Those tests would have been flawed,” Richter said, unless a publisher bought only from their account, an uncommon filter before ads.txt – and the final twist in the story of ads.txt and 3ve.
