
How Ads.txt Took Down 3ve, As The FBI Took Down Its Creators


Over a year before the FBI brought down 3ve’s human creators, the ad industry rolled out ads.txt, an anti-domain spoofing standard that slowly throttled the botnet.

3ve visited spoofed domains and sold fake traffic to publishers and, when it was active, was responsible for 1% to 2% of all bid requests, according to Google product manager Per Bjorke.

3ve got big because it used domain spoofing to get around the white- and blacklists marketers set up to outmaneuver the previous generation of ad fraud, which took place on fake, long-tail sites. Prior to ads.txt, no measures existed to verify a marketer was actually buying on the domain they thought they were. 3ve also took advantage of growing complexity and noise in bid requests that came from the rise of header bidding.

“Before ads.txt and just after the rise of header bidding, it was very difficult to figure out where the inventory was supposed to be coming from,” said Neal Richter, CTO of Rakuten Marketing.

Header bidding raised the number of bid requests going to publishers, who saw dollar signs and became more willing to add partners.

“Header bidding led to publishers being more promiscuous in their demand partnerships, and more willing to turn on demand partners, which made it easier for bad actors to hide amongst all the activity,” said IAB Tech Lab CTO Sam Tingleff.

In late 2016, the Russian botnet Methbot put domain spoofing on the ad industry’s radar. Then 3ve rolled in, using the same technique, “cementing the need” to address the problem, according to Bjorke.

The need to close the domain spoofing loophole led to the development of ads.txt, which was instrumental in curtailing the effectiveness of 3ve.

Google’s Bjorke was working on ads.txt while aware of 3ve – which ran unchecked as the FBI built its case. Knowing the scale of domain spoofing occurring raised the stakes of the initiative.

“It added to the urgency of making ads.txt,” Bjorke said.

Within six months of IAB Tech Lab members beginning work on ads.txt, it became a public standard.


“It was a fairly urgent problem, but technically not that difficult,” said IAB Tech Lab’s Tingleff. “It’s also one of the cases where all the participants are aligned in their interests and everyone wants it to succeed.”

Publishers swiftly adopted ads.txt around Q4 last year, such that its scale soon exceeded 3ve’s. 3ve spoofed over 10,000 domains during its run. Over 500,000 publishers now use ads.txt, which will make it harder for botnets to use domain spoofing in the future.

When publishers adopted ads.txt en masse, 3ve was forced to change its operation and move to a smaller, less recognizable set of domains. “They were forced to essentially do more long-tail domain spoofing,” said White Ops CTO Tamer Hassan.

In early 2018, 80% of the bid requests 3ve generated could have been prevented by ads.txt, according to analysis by White Ops and Google.
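The buyer-side check that ads.txt makes possible, as an added example that is not from the article or from any vendor's code: parse the file published by the claimed domain and test whether the exchange and seller account in a bid request are listed. The bid field names, domains and account IDs are constructed for illustration.

```python
# Added example: buyer-side ads.txt check. Domains and IDs are constructed.
ADS_TXT = """\
# ads.txt served by news.example (constructed sample)
exchange-a.example, pub-1001, DIRECT, abc123  # publisher's own account
exchange-b.example, 77-204, RESELLER
contact=adops@news.example
line with too few fields
"""

def parse_ads_txt(text):
    """Return {(ad_system_domain, seller_account_id): relationship}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue   # blank lines, variables (contact=...), malformed rows
        ad_system, account_id, relationship = fields[:3]
        relationship = relationship.upper()
        if relationship in ("DIRECT", "RESELLER"):
            # Account IDs are compared exactly in this sketch.
            records[(ad_system.lower(), account_id)] = relationship
    return records

# Buyer-side cache: claimed site domain -> parsed ads.txt records.
CACHE = {"news.example": parse_ads_txt(ADS_TXT)}

def classify_bid(bid, cache=CACHE):
    """bid keys (domain, exchange, seller_id) are hypothetical, simplified names."""
    records = cache.get(bid["domain"].lower())
    if records is None:
        return "NO_ADS_TXT"        # nothing to verify the claim against
    return records.get((bid["exchange"].lower(), bid["seller_id"]), "UNAUTHORIZED")

BIDS = [  # constructed bid requests
    {"domain": "news.example", "exchange": "exchange-a.example", "seller_id": "pub-1001"},
    {"domain": "news.example", "exchange": "exchange-b.example", "seller_id": "77-204"},
    {"domain": "news.example", "exchange": "exchange-a.example", "seller_id": "pub-6666"},
    {"domain": "longtail.example", "exchange": "exchange-a.example", "seller_id": "pub-6666"},
]

if __name__ == "__main__":
    for bid in BIDS:
        print(bid["domain"], bid["seller_id"], "->", classify_bid(bid))
```

The third bid claims news.example through an account the publisher never listed, which is the spoofing case the file exposes; the fourth shows why domains without an ads.txt file stay unverifiable. A `RESELLER` result only means the publisher listed that account, so a buyer who wants inventory solely from the publisher's own account filters on `DIRECT`.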

Besides moving to desktop and mobile web sites without ads.txt files, there is some evidence the fraud moved to mobile apps, where ads.txt didn’t yet work. Some industry insiders speculate it could also have moved to connected TV, though there’s no evidence that 3ve operated there.

Though the death of 3ve was a victory for the ad industry – both in terms of quelling fraud and in terms of leveling criminal charges against the perpetrators – attack vectors remain, Hassan said.

One risk is social engineering, Bjorke said. If unscrupulous vendors get listed on a publisher’s ads.txt file, they can sell fake inventory and buyers may never know the difference. Bjorke and Hassan also warned of bad behavior among SSP aggregators, exchanges that do mostly arbitrage. Ads.cert will be able to address this problem, but it’s still in development, unlike its faster-moving predecessor.

Preventing the next attack

With 3ve gone, it may be a good time for publishers and marketers to take a second look at assessing the fees taken out as dollars pass through different vendors. While 3ve was running, domain spoofing could garble the results.

While ads.txt wasn’t designed to expose hidden fees, it makes it easier to perform supply path optimization and track the path inventory takes to get to a buyer.

So buyers might find that, without 3ve interfering and with ads.txt active, a different percentage of their dollar goes to a publisher.

Also, while 3ve was up and running, a publisher who bought its own inventory on the open exchange as a test to suss out hidden fees could have bought a domain spoofed version of their site. Missing money might appear to be an exorbitant fee, not ad fraud.

“Those tests would have been flawed,” Richter said, unless a publisher bought only from their account, an uncommon filter before ads.txt – and the final twist in the story of ads.txt and 3ve.
