Ads.txt, an initiative by IAB (Interactive Advertising Bureau) in May 2017, to benefit both the sellers and buyers in the Digital Advertising Industry.

It allows publishers to identify who can represent and sell their inventory. It's a file that the publisher has to add to the site which verifies the ownership and shows the approved ad sellers to buy ad space on your site. It also creates a safe ecosystem for the buyers as their site will start receiving clean traffic or a licensed retailer for inventories.

So, Ads.txt helps advertisers avoid fraudsters who act as legitimate sellers involved in trading inventories and spoofing domains.

‍

The 404bot

The initiative came as a strong response to fraudsters in the Programmatic Ad Space, but on the contrary, it also became an open window for fraudulent practices.

The latest fraud scheme, ‘404bot‘, creating problems for advertisers, proves that fraudsters have exploited Ads.txt since the time it launched. That’s because buyers are usually unaware and don’t check the list with bots responsible for stealing the media spend by generating fake browser data and creating counterfeit URLs.

How does 404bot work?

The 404bot thrives on un-audited Ads.txt files, the very initiative that was created to shield buyers from illegitimate sellers from selling unauthorized inventories.

The 404bot is a sophisticated ad fraud scheme built to bypass all the preventative measures that allowed spoofed URLs to pass without being detected. It affected many publishers, both premium and general ones, although all of them had one thing in common - a sizeable Ads.txt list.

An extensive list led to fraudsters essentially using it for domain spoofing, the sauce behind 404bot. It builds a duplicated forged version of the actual web page, but it doesn’t have an inventory - it’s empty. It shows up a 404 error page instead of the spoofed domain. Unfortunately, it has the technical capability to show this as a legitimate buy from an authorized seller without any actual inventory.