IAB Tech Lab rolled out the ads.txt project nearly two years ago to prevent counterfeit inventory in digital advertising, but fraudsters have found a way to circumvent its protections.

Ads.txt is now used by an estimated 41% of the top 1,000 websites ranked by the Alexa analytics service, and it has gone a long way towards creating greater transparency and improving digital security.

In brief, it works by creating a publicly accessible record of the digital sellers authorised to sell a publisher's inventory, which programmatic buyers can reference when seeking to purchase that inventory.

However, DoubleVerify, a New York-based software firm that specialises in authenticating ad inventory, discovered late last year that scammers had been operating a new bot network to get round ads.txt.

Fortunately, the scam was detected and DoubleVerify immediately alerted its clients and partners, including ad tech company SpotX, which confirmed to the Wall Street Journal that it took action when warned of the fraud in October.

Had it gone unchecked, DoubleVerify said the scam could have cost advertisers between $70m and $80m per year in lost inventory.

The Journal further revealed that the fraudsters disproportionately targeted “high profile” news publishers and entertainment sites, although DoubleVerify did not disclose the names of the specific sites affected.

The scam involved botnets scraping content off publishers’ websites and then creating falsified copies of the scraped pages on their own server, adding new ad slots that did not previously exist.

These fraudulent ad slots, which appeared to originate from a valid site, were then sold through authorised resellers listed in the publisher’s ads.txt file.
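The gap described above, shown as an added example (not code from DoubleVerify, IAB Tech Lab or the original article): a buyer-side ads.txt lookup confirms only that the seller is listed for the declared domain, so an ad slot on a scraped copy passes. All domains, seller IDs and bid field names are constructed, and `served_from` stands for ground truth the buyer cannot see in the bid.

```python
# Constructed ads.txt for a hypothetical publisher, example-news.test.
ADS_TXT = """\
# ads.txt for example-news.test (constructed sample)
exchange-a.test, pub-1001, DIRECT, abc123
exchange-b.test, 77812, RESELLER
contact=adops@example-news.test
"""

def parse_ads_txt(text):
    """Return {(ad_system_domain, seller_account_id): relationship}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or "," not in line:
            continue                             # blank line or variable (contact=)
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            continue                             # malformed record
        records[(fields[0].lower(), fields[1])] = fields[2].upper()
    return records

def ads_txt_check(records, bid):
    """Buyer-side check: is this seller listed by the declared publisher?
    Note that nothing here looks at where the page was really served."""
    return (bid["exchange"].lower(), bid["seller_id"]) in records

# Constructed bids; every one declares example-news.test as the site.
BIDS = [
    {"name": "genuine", "exchange": "exchange-b.test", "seller_id": "77812",
     "declared_domain": "example-news.test", "served_from": "example-news.test"},
    {"name": "scraped_copy", "exchange": "exchange-b.test", "seller_id": "77812",
     "declared_domain": "example-news.test", "served_from": "copy-host.test"},
    {"name": "unlisted_seller", "exchange": "exchange-c.test", "seller_id": "555",
     "declared_domain": "example-news.test", "served_from": "example-news.test"},
]

def evaluate(bids=BIDS):
    """Map bid name -> (passes ads.txt, origin matches declared domain)."""
    records = parse_ads_txt(ADS_TXT)
    return {b["name"]: (ads_txt_check(records, b),
                        b["served_from"] == b["declared_domain"]) for b in bids}

if __name__ == "__main__":
    for name, (listed, origin_ok) in evaluate().items():
        print(f"{name:16} ads.txt pass={listed}  origin matches={origin_ok}")
```

The scraped copy is indistinguishable from the genuine bid as far as the ads.txt lookup goes; only a signal about where the impression actually rendered separates them.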

A key message for the advertising industry from the discovery is that ads.txt is not completely foolproof and that additional safeguards should be deployed, such as working with third-party verification firms.

“While ads.txt is a significant step toward resolving unauthorised reselling and associated fraud, it’s not a complete failsafe,” said Roy Rosenfeld, head of DoubleVerify’s Fraud Lab.

“This scheme was specifically designed to take advantage of the industry-wide ads.txt initiative and commit fraud that would not trigger ads.txt violations with programmatic buyers.”

Sourced from DoubleVerify, Wall Street Journal; additional content by WARC staff