Domain laundering, or the act of obscuring a publisher’s domain in an attempt to profit by selling low-value placements at high prices, is an emerging threat that has received recent and well-deserved attention. In what follows, we describe some of the major challenges and consequences of domain laundering, how domain laundering can be identified, and details of one particular instance of laundering found in the wild.
Identifying domain laundering is a challenge for several reasons. First, security policies of modern browsers often restrict the information accessible to tag-based JavaScript, which is commonly used to provide telemetry. Similarly, crawling-based methods may miss specific instances of domain laundering and offer no direct information about the volume of traffic drawn to a site. Next, not all domain obfuscation counts as laundering. A publisher’s domain might be obscured during the course of serving an ad for legitimate reasons, such as an ad network using third parties for inventory. Finally, detection typically requires tracing a series of HTTP redirects, which may contain obfuscation or even deception. A holistic view is required to reconstruct the full trace of an ad call.
Through our global measurement panel, Comscore has the ability to gather data that can be used to effectively identify domain laundering. Specifically, panel data can be used to identify ad placements on publisher pages that receive a high volume of ads, and it also enables the reconstruction of ad call sequences for each placement. These capabilities are a necessary starting point for the systematic analysis and detection of domain laundering.
To illustrate the details of domain laundering, the following is an example of this threat that was identified in the Comscore panel data. The figure below is an animated screen capture showing the result of loading a URL. The browser loads the URL and displays an ad. The loaded page consists of several nested iframes.
A closer look reveals that the iframe second from the top has an adnxs.com URL populated with a fictional referrer field. The animation shows examples of three different referrers: “nytimes.com”, “accuweather.com” and “ehow.com”. Dozens of other well-known domains are found in our logs. All this activity occurs under the same top-level URL of the browser. All of the JavaScript tags that were served alongside the ads displayed in this animation were misled about where the ad was really displayed. For a sense of scale, the domain showing in the browser (srv.quikdisplay.com) was visited more than 5.1 million times by our panelists on a single day! This instance is one among many that have either been identified or are currently under investigation.
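The pattern described above, one top-level domain whose ad calls declare many unrelated referrer domains, can be checked mechanically once ad call sequences are reconstructed. The following Python example is added here for illustration and is not Comscore's detection code; the record layout, the ad call path, the `referrer` query parameter name and the two-label site comparison are assumptions, and the sample records are constructed. A single mismatch is not flagged, since a domain can be obscured for legitimate reasons.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample records: (top-level URL in the browser, ad call URL in a nested iframe).
# The "/call" path and the "referrer" parameter name are assumptions, not taken from the page.
SAMPLE_RECORDS = [
    ("http://srv.quikdisplay.com/p", "http://adnxs.com/call?id=1&referrer=http%3A%2F%2Fwww.nytimes.com%2F"),
    ("http://srv.quikdisplay.com/p", "http://adnxs.com/call?id=2&referrer=accuweather.com"),
    ("http://srv.quikdisplay.com/p", "http://adnxs.com/call?id=3&referrer=http%3A%2F%2Fehow.com%2Fhow"),
    ("http://news.example.test/story", "http://adnxs.com/call?id=4&referrer=http%3A%2F%2Fwww.example.test%2F"),
    ("http://blog.sample.test/", "http://adnxs.com/call?id=5&referrer=http%3A%2F%2Fnetwork.partner.test%2F"),
    ("http://blog.sample.test/", "http://adnxs.com/call?id=6"),
]

def site(url_or_host):
    """Naive site key: last two labels of the host (no public-suffix handling)."""
    value = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(value).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def declared_site(ad_call_url, param="referrer"):
    """Site the ad call claims to be served on, or None if it declares nothing."""
    values = parse_qs(urlsplit(ad_call_url).query).get(param)
    return site(values[0]) if values else None

def laundering_candidates(records, min_distinct=3):
    """Return {top-level site: set of other sites its ad calls declared}, keeping
    only top-level sites with at least min_distinct mismatching declarations."""
    mismatches = defaultdict(set)
    for top_url, ad_call_url in records:
        actual, declared = site(top_url), declared_site(ad_call_url)
        if declared and declared != actual:
            mismatches[actual].add(declared)
    return {s: d for s, d in mismatches.items() if len(d) >= min_distinct}

if __name__ == "__main__":
    for top, declared in laundering_candidates(SAMPLE_RECORDS).items():
        print(f"{top}: ad calls declared {sorted(declared)}")
```

Flagged sites are candidates for review rather than confirmed laundering; the threshold would need tuning against traffic volume.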
The consequences of domain laundering are serious. High-value domains have their brand value reduced through dilution. Legitimate domains that are not among the most visited on the web may have their ads misattributed to higher-value domains and thereby miss an opportunity for monetization. Finally, the level of trust placed in ad metrics is eroded, and the resulting damage from this aspect of laundering is global.
The good news is that for every instance of domain laundering that we have observed, the bad actor has been detected through the application of Comscore’s comprehensive non-human traffic (NHT) filters. The list of domains participating in invalid activity is a key starting point for our domain laundering detection and mitigation activities. More broadly, detecting new threats and assessing their potential risk requires the right mix of perspective, insight and experience. An essential component of accuracy in fraud detection is having the right data sources. Detection of domain laundering is just one part of the much broader issue of advertising security that we are pursuing at Comscore. We are motivated by our mission to deliver trusted audience and advertising metrics.