Your Ad Ran Here (Not Really)

URL Masking Is Another Type of Fraud Plaguing Automated Ad Buying Marketplaces


Ads for popular brands like Reckitt Benckiser's Woolite have appeared on thedarewall.com

Though lucrative bot fraud gets much of the digital advertising industry's attention, so-called URL masking, where publishers misrepresent their URLs to buyers, is another growing problem.

In the automated, real-time ad marketplaces, up to 23% of ads bought land on websites with masked URLs, according to ad quality firm DoubleVerify. Ghostery, which recently released a product to fight URL masking, says its research shows 40% of all URLs in automated auctions are masked.

The problem is likely to become more significant as more advertiser dollars go to these channels.

Earlier this week, for example, ads for major brands including T-Mobile, Anheuser-Busch and BMW were spotted running on thedarewall.com, a site that has received multiple copyright infringement allegations. It's the kind of site major advertisers would typically avoid. In this case, the brands thought their ads were running on lavishcar.com, a website with no copyright issues.

URL masking is often used to trick advertisers into running ads on sites with illicit or stolen content, which tend to generate lots of traffic but little ad revenue. URL masking is also used to fool buyers into thinking they're buying premium inventory when they are instead getting low-quality placements.

"We're aware that misrepresentation persists in the marketplace and find it unacceptable," Lucas Herscovici, VP-consumer connections at Anheuser-Busch, said in a statement. "We hold our partners accountable for the quality of all media buys and will continue to work with them to improve safeguards."

T-Mobile and BMW did not respond to requests for comment by press time.

"We see it as a major threat to the validity and the integrity of the exchanges out there," said John Murphy, who leads traffic quality efforts at ad-tech company OpenX and is charged with fighting URL masking.

Ghostery, which collects anonymous data from 20 million users of its browser extension (users have opted in for the collection), says the problem extends beyond piracy sites. "While many URLs are sourced from torrent or adult content sites, domain masking can extend to legitimate sites who are trying to access the higher CPM bids for better known sites," said Ghostery CEO Scott Meyer.

How it happens
URL masking is often done using an iframe, or a window within a window. Sites that want to mask their URLs place their ads within these iframes, so they still show on the page but point back to another website. Multiple iframes can be layered on top of each other, making it especially tricky to figure out where an ad is live.

"You can basically nest these as deep as you want, and it makes it very difficult to determine what page was on top and in what context was this ad ultimately served," said Mr. Murphy.

Other URL masking tactics include placing ads on websites through browser extensions or rewriting code that exchanges require publishers to include on their sites. The code is manipulated as it makes its way back to the exchanges.

Though ads running on sites with masked URLs are seen by humans (unlike in the bot scenario), both DoubleVerify and OpenX consider it to be ad fraud.

OpenX fights URL masking with a crawler that monitors sites where it wouldn't serve ads. It flags sites where the crawler sees an OpenX tag, indicating that the company placed an ad there nonetheless.

The company also looks for suspicious behavior on its exchange, which is what pointed it to thedarewall.com. Another website used to mask thedarewall's URL, bargainlifestyle.com, sent requests for 2 million ads to be bought in a single day. Typical volume for bargainlifestyle.com was around 200,000 ads per day.

The company checked bargainlifestyle.com's referrers and found thedarewall.com was a main source of traffic. When Mr. Murphy's team looked within Ghostery's browser extension, they saw thedarewall.com representing itself in automated auctions as bargainlifestyle.com.
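The two checks described above (a request-volume spike on the declared domain, then a look at which sites refer its traffic) can be sketched as follows. This is an added Python example, not OpenX's code; the `.example` domains, sample data, thresholds and function names are constructed assumptions, with volumes chosen to mirror the 200,000 versus 2 million figures in the article.

```python
from collections import Counter
from statistics import median
from urllib.parse import urlsplit

# Constructed sample data (not real exchange logs): ad requests per day for each
# declared domain, oldest first; the last entry is the day under review.
DAILY_REQUESTS = {
    "declared-a.example": [198_000, 205_000, 201_000, 196_000, 2_000_000],
    "declared-b.example": [50_000, 52_000, 49_000, 51_000, 55_000],
}
# Constructed Referer headers sampled from page views of each declared domain.
REFERERS = {
    "declared-a.example": ["https://blocked-site.example/page1"] * 7
    + ["https://search.example/?q=x"] * 2 + [""],
    "declared-b.example": ["https://search.example/?q=y"] * 9 + [""],
}
BLOCKED = {"blocked-site.example"}  # sites the exchange would not serve ads on


def volume_ratio(history):
    """Ratio of the latest day's requests to the median of the earlier days."""
    *baseline, today = history
    return today / median(baseline)


def referrer_shares(referers):
    """Share of sampled traffic per referring host; empty referrers count as 'direct'."""
    hosts = Counter((urlsplit(r).hostname or "direct") for r in referers)
    total = sum(hosts.values())
    return {host: n / total for host, n in hosts.items()}


def flag_suspects(daily, referers, blocked, spike=5.0, min_share=0.3):
    """Return declared domains with a volume spike fed mainly by a blocked site."""
    suspects = []
    for domain, history in daily.items():
        ratio = volume_ratio(history)
        if ratio < spike:
            continue  # volume is within its normal range
        shares = referrer_shares(referers.get(domain, []))
        sources = {h: s for h, s in shares.items() if h in blocked and s >= min_share}
        if sources:
            suspects.append({"declared": domain, "ratio": round(ratio, 1), "sources": sources})
    return suspects


if __name__ == "__main__":
    for s in flag_suspects(DAILY_REQUESTS, REFERERS, BLOCKED):
        print(s)
```

A flagged domain is a lead for manual review rather than proof of masking; in the case described here, confirmation came from observing how the site represented itself in auctions.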

An administrator for thedarewall.com declined an interview request.
