Last week’s Adalytics report about Forbes operating a made-for-arbitrage (MFA) subdomain has the ad industry asking itself: How did no one catch this?
According to Adalytics, the “www3.forbes.com” subdomain has existed since 2017. This subdomain received almost exclusively paid traffic to repurposed articles from “www.forbes.com” that were reconfigured into slideshows laden with auto-refreshing ad inventory. The subdomain had all the signifiers that anti-MFA vendors use to identify MFA sites.
Just before the Adalytics report dropped on Thursday, Forbes deactivated the subdomain, which the company said in a statement to AdExchanger was “an insignificant part of [its] business” that represented “about 1% of Forbes’ overall user base.”
The fact that the subdomain flew under the radar for years is enough to worry buyers. Making matters worse, bid requests sent by Forbes via four major SSPs misrepresented this “www3” subdomain as Forbes’ default “www” domain. That means marketers who believed they were buying premium ads on the main Forbes site actually purchased MFA inventory.
But whether the “www3” URL was deliberately obscured in bid requests or not, the end result is the same: Ad buyers are being sold a bill of goods.
Ad verification and security software is supposed to catch such discrepancies because they are indicators of sophisticated invalid traffic (SIVT). Instead, verification vendors are driving up the cost per impression while failing to deliver the service that justifies their cut of revenue.
AdExchanger spoke to industry experts to understand what went wrong in this instance and why ad verification tools still regularly fail to flag some instances of alleged SIVT.
Spoofing or not?
The Adalytics’ investigation uncovered a particularly disturbing twist on MFA – that even ad tech platforms that were blocking the Forbes MFA subdomain still served ads on the www3 pages.
How?
The Trade Desk (TTD) blocked Forbes’ “www3” subdomain for years, a person familiar with the DSP’s platform told AdExchanger. But Trade Desk’s URL blocking seems to have been easily bypassed by what Adalytics described as domain spoofing – replacing the “www3” subdomain with the default “www.forbes.com” URL in bid requests.
The Media Rating Council (MRC) considers domain spoofing to be a marker of SIVT. And the organization’s standards would classify the URL discrepancies documented in the Adalytics report as SIVT, said George Ivie, CEO and Executive Director of the MRC.
MRC-accredited ad verification platforms, such as DoubleVerify, Integral Ad Science, HUMAN and Oracle-owned Moat, should catch this type of URL discrepancy, Ivie said. Yet they didn’t, which suggests gaps in their verification processes.
The MRC has opened an investigation into its certified verification vendors, as well as other relevant platforms, to identify any such gaps, Ivie said. It will also look for best practices that could have helped vendors block this inventory, which the MRC will consider adding to future standards updates.
Cracking the code
Domain spoofing by replacing the URL in bid requests shouldn’t be possible using the default Prebid server code, Prebid president Mike Racic told AdExchanger.
However, it’s common for a tech vendor to rewrite portions of Prebid’s open-source software code, and the problematic bid requests flagged by Adalytics used a custom Prebid server integration designed for Forbes by Media.net.
“As with any open-source project, users have the liberty to modify our code, as appears to be the case here,” Racic said. “However, since we lack visibility and oversight into users’ applications or alterations to our codebase, we are only able to intervene once violations are brought to our attention.”
A source at a major DSP told AdExchanger that it would be “impossible” for a DSP to detect in real time whether a vendor like Media.net is altering Prebid server code to allow URL misrepresentation.
Forbes and Media.net deny that they engaged in domain spoofing by intentionally replacing the “www3” subdomain in bid requests. Media.net claims the URL switch was an unintentional coding error on its part. Media.net said it would have nothing to gain by spoofing the bid requests, since the company gets paid a flat software fee by Forbes. (What it might gain, in theory, is a reliable client in Forbes.)
Media.net declined multiple requests to clarify the nature of the coding error. It told AdExchanger it conducted an audit of its Prebid integrations and found the problem only affected Forbes’ “www3” subdomain.
Scope of the scandal
To be clear, the “www3” subdomain was not mis-declared in all bid requests – only in bids that used the Media.net Prebid integration. So bid requests sent via Amazon Transparent Ad Marketplace, Google Ads or other integrations should have accurately reflected the “www3” URL.
But how much advertisers spent on improperly labeled inventory is unclear.
According to both Forbes and Media.net, the “www3” URL was misdeclared only in programmatic deals totaling about 1% of impressions sold on the “www3” subdomain. (So the mislabeled deals comprise 1% of ad impressions shown to 1% of Forbes’ user base.)
Both companies added that the faulty integration only affected bid requests sent by four SSPs – PubMatic, Magnite, TripleLift and Microsoft’s Xandr.
When it comes to deals conducted through TTD, a person familiar with the platform said bid requests that replaced the “www3” URL accounted for spend in the low tens of thousands since the beginning of this year.
The MRC considers potential SIVT representing 5% of total campaign traffic to be “material.” Forbes’ claim of 1% SIVT from domain mismatches wouldn’t cross that threshold. But even though its SIVT threshold likely hasn’t been met, the MRC plans to investigate any flaws in verification documented by Adalytics, Ivie said.
And some buyers may have seen a much higher SIVT impact, Ivie added.
One media buyer who spoke to AdExchanger anonymously said that about 20% of media their agency purchased from Forbes this year contained the URL discrepancy within ad server logs.
“The domain spoofing is intentional,” they said, unimpressed by Forbes or Media.net’s excuses. “The existence of the website is intentional. The obscuring of the website from organic search is intentional.”
Besides, the MRC’s SIVT standards do not take intent into account, Ivie said. Whether intentional or not, spoofed traffic is invalid.
And regardless of intent, most DSPs will offer refunds to advertisers affected by the URL discrepancies, likely by clawing back budgets from the SSPs.
Why verify?
Telling advertisers they were misled on only 1% of what they bought isn’t likely to assuage their concerns.
One agency source who spoke to AdExchanger felt the burden of catching this error falls on ad verification vendors. For example, this Forbes incident bears a similarity to a previous Adalytics report two years ago, when Gannett was found mislabeling subdomains in bid requests.
“The [Forbes] problem has the exact same signature and symptoms as the Gannett thing,” said one buy-side source familiar with the TTD platform. “We thought it was fixed, and apparently it wasn’t.”
But despite errors continuing to slip through, Ivie said it’s unlikely any verification vendors will lose their MRC certification unless the organization discovers “material nonc
ompliance” with MRC standards. “Accreditation doesn’t mean somebody’s perfect,” he said.
(The Trade Desk’s verification partner, HUMAN, did not respond to multiple requests for comment. DoubleVerify and IAS also did not respond.)
Who else is responsible?
Inventory misrepresentation isn’t easily caught by DSPs or SSPs, one anonymous buyer said. That’s because programmatic tech actually relies on manual user input, so it is prone to error and obfuscation. “DSPs are relying on accurate information from the SSPs, and the SSPs are relying on the publisher to be truthful,” they said.
SSPs should block all pages that could be classified as MFA by default, but are hesitant to demonetize MFA entirely because they fear their competitors will simply continue to sell it and reap the rewards, said Ebiquity Chief Strategy Officer Ruben Schreurs.
So, instead, Schreurs said that the IAB Tech Lab should add a field to the OpenRTB spec where publishers must declare the traffic source for all ad impressions in their bid requests. This way, if buyers want to avoid MFA, they can opt not to bid on any paid traffic. But advertisers would have to ensure that everything in the bid request matches where the ad gets served, he said.
Maybe this latest Adalytics report is the wake-up call the industry needed to inspire more due diligence.
“Utter shock,” said one media buyer about the Forbes MFA deception. “I don’t know how else to describe a major news outlet and publisher having a secret made-for-arbitrage domain.”
But is “shock” the right word, at this point?
“The industry as a whole doesn’t give a shit,” said one anonymous DSP source. “All this MFA reporting is an opportunity for them to grab their pearls and say ‘I had no idea,’ while they wait for the news cycle to pass.”
The Forbes report is another black eye for ad verification vendors, another instance of DSPs clawing back budgets for inventory sold under false pretenses, and will be a go-to cautionary tale in ad tech, at least until another Adalytics report exposes the same problem once again repeating itself next year.
