Hundreds of Australian sites and brands hit in global ad fraud scheme

Arvind Hickman
By Arvind Hickman | 23 November 2017

Almost all of Australia's premium publishers, major sporting bodies, government departments, Google, Facebook and several iconic local companies were targeted in the world's largest ad fraud racket, according to Danish adtech company Adform, AdNews can reveal.

Adform discovered one of the largest digital advertising bot networks to date after a two-month investigation that began in August.

Called HyphBot, Adform predicts the domain spoofing scandal is “three to four times larger” than the Methbot network discovered by WhiteOps last year.

“HyphBot was generating up to 1.5 billion requests per day and it generated fake traffic on more than 34,000 different domains, including premium publishers, and more than a million different URLs,” Adform said in a report.

“Our analysis suggests that infected devices – a network of bots – accessing the Internet from more than half a million IP addresses (mostly from the US) are responsible for this wave of non-human traffic. Most notable, the problem is not in the long tail, it is affecting premium publishers.”

The global scam was revealed yesterday by the Wall Street Journal, and AdNews has since discovered at least 260 Australian websites that had been victim to the domain spoofing scam.

Significantly, many are premium publishers and not long tail websites that have a higher propensity to fraud.

They include News Corp titles The Australian, Daily Telegraph, Herald Sun, REA as well as major Fairfax Media mastheads, including Sydney Morning Herald, The Age, Domain and AFR.

Other major digital publishers include Yahoo, Disney, Nine, carsales, ABC, SBS, Ten, Fox Sports, Nickelodeon and ESPN. The scam has also targeted radio websites such as Nova, Kiis and Triple M.

Major brands that have had their websites spoofed for fraud include Telstra, Coles, David Jones, Tourism Australia, Ebay, the Australian Bureau of Statistics, NSW Government, AFL, Cricket Australia, Sportsbet and Football Federation of Australia.

Fraudsters are using domain spoofing to con automated trading desks to buy ads on these domains even though they may not carry advertising.

“Some buyers still only use blacklists not whitelists. More supply, better reach, cheaper inventory and, dare I say it, fatter margins for these buyers,” an industry source told AdNews today when asked about the HyphBot.

Ads.txt warning

Most of the major publishers have adopted the IAB's ads.txt code since the probe was launched, helping protect their websites from domain spoofing.

However, some websites such as ABC and Yahoo are yet to implement the code. Inventory on Google and Facebook, whose domains have also appeared on Adform's list, cannot be bought on an open exchange.

A Google spokesperson told AdNews: “Advertising fraud is a complex challenge, one we remain committed to fighting. For example, we recently announced new protections in our platforms from threats like domain spoofing through ads.txt and introduced automated, proactive refunds for advertisers as well as new reporting features so they can see where invalid traffic is occurring.”

IAB executive consultant Jonas Jaanimagi tells AdNews the discovery of HyphBot is a timely reminder for the entire industry to commit to the IAB’s ads.txt solution.

“Criminals running illegal domain-spoofing activities such as HyphBot and Methbot, can be immediately shut down by all publishers aggressively adopting and accurately maintaining the details on the ads.txt files on their domain,” Jaanimagi says.

“It’s a simple yet elegant solution that protects everyone, but it can only work as a result of mass adoption by media sellers coupled with a commitment to usage by all programmatic media buyers.”

An ad tech source, who spoke on the condition of anonymity, tells AdNews the issue can be addressed head on with the adoption of ads.txt.

“Some of the fantastic work with technologies like The Trade Desk, for example, whereby there's 40,000 domains who have adopted ads.txt where you can't do domain spoofing,” the source said.

“Hopefully the result of this is that it will push more domains to adopt ads.txt more quickly.

Solutions provided by firms like Integral Ad Science, DoubleVerify and Grapeshot also help prevent domain spoofing.

In the Australian marketplace a high volume of inventory comes from premium publishers, which means the chances of domain spoofing is lower than in markets like the US and Europe where more inventory is available in exchanges.

Locally, the number of exchanges is also coming down from more than 250 a few years to the vast majority of inventory being available in 12.

“There are many exchanges in various different countries pinging these impressions all over the world. That's where I think this domain spoofing can come from,” another ad tech expert tells AdNews.

Media agency groups are another important line of defence. AdNews is aware of holding groups where high level discussions are taking place about the importance of ads.txt and compelling publishers to have a formal response to the solution. More on that to be revealed.

Have something to say on this? Share your views in the comments section below. Or if you have a news story or tip-off, drop us a line at

Sign up to the AdNews newsletter, like us on Facebook or follow us on Twitter for breaking stories and campaigns throughout the day.

comments powered by Disqus