MFA sites easily get around block lists

This week, AdExchanger reported [1] that "the ANA and TAG TrustNet released the first of what will be quarterly industry benchmarks that aggregate log-level data across multiple marketers. According to this first benchmark, which includes an analysis of log-level data for 11 brands (all ANA members), the amount of media dollars being spent on MFA dropped from 15% to 4%."

But did the amount of media dollars being spent on MFA actually drop from 15% to 4%? Nope. It just looks like it did. Why? How?

Simple. Log-level data contains errors that effectively hide the fraud and MFA sites. I wrote about this before (https://www.dhirubhai.net/pulse/errors-log-level-data-placement-reports-conceal-fraud-fou-c1i0e), but let me recap quickly.

The log-level data records the domain or page URL passed in the bid request, not the domain or page URL where the ad actually went; the legacy fraud verification vendors do the same. Even if there is a win notification passback, it's usually a static pixel (.gif), which does not detect and confirm the domain and page where the ad actually went, because it's not a JavaScript tag and cannot collect any data other than HTTP headers. Perhaps this is a little too technical, so let me explain with an example.

Breitbart .com knows its domain has been in advertisers' block lists since 2016. If they put their own domain in the bid request, they will get no bids. So breitbart has a motive to lie about the domain and the means to do so, simply by deliberately mis-declaring the domain in the bid request. Breitbart can pretend to be any domain they want, as long as it is not breitbart .com which is in the block list. If breitbart pretends to be espn .com or marthastewart .com, those domains are faithfully logged in the log level data and also in the legacy verification vendors' placement reports. In other words, the ads would be recorded as going to espn or marthastewart .com even though the ad actually went to breitbart and the ad dollars did too.

Similarly, every single fraudulent site does the same thing. If they put their own domain -- fakesite123 .com -- in the bid request, they would get no bids. So the fake sites always have to pretend to be some other well-known domain, so they can get lots of bids. What do you think MFA sites do, once they are listed on Jounce's list of MFA domains? Right, they too will simply lie and deliberately mis-declare the domain to be a domain that is not on the blocklist. That's how simple it is to get around blocklists sold by adtech vendors. Those are completely useless to prevent advertisers' dollars from going to MFA sites, or breitbart, or fraudsters. In fact, block lists sold by adtech vendors made it even easier and quicker for bad guys and MFA sites to get back to making money -- i.e. they immediately know what domains are blocked, so they can more quickly start to falsify the domains passed in bid requests, get around the block lists, and get back to making money.

The same applies to the prebid filtering services sold by legacy fraud vendors. When a bad guy sees that their domain is blocked prebid, they immediately start to mis-declare the domain to get around the block. They can also declare the domain to be a site that is in an inclusion list, so they can start tapping into those sweet, sweet budgets being spent using inclusion lists. Smart criminals also easily falsified their ads.txt to mis-declare themselves as "direct" when they were no more than resellers, just so they could tap into all the budgets meant to be spent on "direct only" inventory. You get the picture. Right?


So what?

So what can you conclude from the above? And, more importantly, what can you do?

Hopefully you now understand that the analysis done by ANA, TAG, and TrustNet on the log level data supplied by 11 brand advertisers may have shown that "media dollars being spent on MFA dropped from 15% to 4%" but that doesn't actually mean "media dollars being spent on MFA dropped from 15% to 4%." It just means that MFA sites started to do what breitbart .com started to do in 2016, and what fraudulent sites have done for the last 15 years -- i.e. mis-declare the domain to get around block lists. The MFA sites won't show up in placement reports any more, because the placement reports from legacy verification vendors record the domain from the bid request, not where the ad actually went. And the log level data also won't show the MFA domains any more, because it records the domains that the MFA sites pretended to be, not the MFA sites where the ads actually went. Have I repeated myself enough yet?

So what can you do? Simple -- measure with a postbid JavaScript tag that can actually collect the data necessary to see where the ad actually went. Even if breitbart .com doesn't appear in the placement reports or log level data, you can still see that your ads went to breitbart and hundreds of MFA sites. You don't have to use FouAnalytics to do this; you can build your own JavaScript tag and detect the page/domain on which the ad loaded. Or you can copy and paste an in-ad tag from FouAnalytics into your ad server or DSP to see where your ads actually went. You don't even have to pay for FouAnalytics -- you are welcome to run a no-cost pilot to "see Fou yourself" that the numbers of ads and dollars going to MFA sites have not dropped, as the ANA, TAG, and TrustNet seem to think. Oh, and by the way, the prevalence of MFA sites is higher than the ANA reports.
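One way to build the kind of tag described above, as an added example (not FouAnalytics code and not from the original article): it compares the domain declared in the bid request with the page the creative actually rendered on. How the declared domain reaches the tag (an ad-server macro) and the `.example` domains are assumptions constructed for illustration.

```javascript
// Added example: in-ad (postbid) check of declared vs. observed domain.
// The declared domain is whatever the bid request claimed; the ad server is
// assumed to substitute it into the tag (that macro mechanism is hypothetical).
const norm = (h) => (h ? h.toLowerCase().replace(/^www\./, "") : null);

// Work out which page the creative is really rendering on, best signal first.
function observedPageHost(win) {
  try {
    // Readable only when the ad frame is same-origin with the top page.
    return { host: new URL(win.top.location.href).hostname, source: "top.location" };
  } catch (e) { /* cross-origin frame: the browser throws SecurityError */ }
  const ao = win.location && win.location.ancestorOrigins;
  if (ao && ao.length) {
    // Ordered parent -> top; the last entry is the top-level page's origin.
    // Not available in every browser.
    return { host: new URL(ao[ao.length - 1]).hostname, source: "ancestorOrigins" };
  }
  const ref = win.document && win.document.referrer;
  if (ref) {
    // Weakest signal: the immediate parent frame, which may be an ad server.
    return { host: new URL(ref).hostname, source: "referrer" };
  }
  return { host: null, source: "none" };
}

function checkPlacement(declaredDomain, win) {
  const seen = observedPageHost(win);
  const declared = norm(declaredDomain);
  const observed = norm(seen.host);
  let verdict = "unverified";
  if (observed) {
    const same = observed === declared || observed.endsWith("." + declared);
    verdict = same ? "match" : "mismatch";
  }
  return { declared, observed, source: seen.source, verdict };
}

// Constructed sample: a cross-origin ad frame nested inside an ad-server frame.
const sampleFrame = {
  top: { get location() { throw new Error("SecurityError"); } },
  location: { ancestorOrigins: ["https://adserver.example", "https://mfa-slideshow.example"] },
  document: { referrer: "https://adserver.example/frame.html" },
};
const sampleResult = checkPlacement("premium-news.example", sampleFrame);
// In a browser: call checkPlacement(declared, window) and report the result
// to your own collector, e.g. with navigator.sendBeacon.
```

Rows with a `mismatch` verdict are the placements that log-level data and bid-request-based reports would record under the declared domain.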


Further reading: How FouAnalytics detects MFA Sites

The FouAnalytics data will show you the number of iframes on the page, the number of ads per page, and the list of iframes and their contents. This way, you can understand why any particular site is marked as an MFA site, instead of just trusting a list of domains sold by some adtech vendor.


You can't just "misdeclare" your domain. Domains are detected using on-page JavaScript by SSPs, and if there's a mismatch, they will not send out bid requests. Any domain spoofing is coming from inventory sourced S2S, not from client-side header bidding, and if you're buying S2S-sourced inventory from an SSP, spoofed domains are the least of your worries.
