FraudSensor Domain Mismatch IVT Classifications
In accordance with MRC guidelines, domain mismatches are considered a potential indicator of SIVT under the category of Domain and App misrepresentation: App ID spoofing, domain laundering and falsified domain / site location. However, there is a significant segment of domain mismatches that can be tied to valid traffic. HUMAN defines indicators to classify mismatches as either invalid or valid traffic. These are based on post-bid detection.
Valid traffic indicators
The mismatching domains host websites that are similar in content, branding, structure, and audience. These mismatches are not flagged as IVT, but can still be reviewed using the Domain Mismatch flag in the HUMAN Dashboard.
Subdomain mismatches
No Material Difference
No discernable difference between the websites hosted at the intended and detected domains in terms of content, audience, structure, or localization.
Mobile Site
Mismatches caused by a mobile version of a website are also considered as valid traffic.
For example: m.example.com
vs example.com
or amp.example.com
vs example.com
are considered benign mismatches.
Root domain mismatches
No Material Difference
Both domains point to the same website (for example, with a redirect), with the same content, branding, structure, and audience, and there is evidence that the domain spoofing is likely non malicious.
For example: the intended domain is news-site.com
and the detected domain is news-site.co.uk
, and news-site.com
redirects to news.site.co.uk
.
Google iframe
Traffic is loaded within a google website but the user is still being presented with an iframe of the intended domain.
For example: the intended domain is new-site[.]com
, but the detected domain is news[.]google[.]com
. However, we can detect that new-site[.]com
is loaded in an iframe over top of Google news.
IVT flagging indicators
Domain mismatches are flagged as IVT when the domains are considered materially different based on one of the indicators described below. These mismatches are tied to the category SIVT > False Representation > Domain Spoofing.
Mismatches can be reviewed using the Domain Mismatch flag, and they are also identified under the Domain Spoofing IVT subcategory in the HUMAN Dashboard.
Different Site/Root Domain
- The intended domain and the detected domain are different sites. For example:
news-site[.]com
vs.gaming-site[.]com
. - Includes situations where the domains appear similar but the top-level domain (eTLD) differs. This is because domains with different eTLDs can be owned by different entities and may be unrelated to each other, regardless of any similarity. For example:
news-site[.]com
vs.news-site[.]net
news-site[.]com
vs.news-site[.]hk
- Root domain mismatches are always considered as IVT unless both domains point to the same website (for example, within redirect) with the same content, branding, structure, and audience, as well as having no evidence of malicious spoofing. For example: the intended domain is
news-site.com
and the detected domain isnews-site.co.uk
, andnews-site.com
redirects tonews.site.co.uk
.
Different User Experience
- Material difference in user experience between the intended domain and detected domain.
- Different ad experience between the two domains
- Density or count of ads on page
- Full page ads
- Ads with auto-play or auto-scrolling
- Different website template or structure (excluding mobile version)
- For example:
- Intended domain is a health news site
health-news-site[.]com
, detected domain is a subsection of that site that lists doctorsdoctors[.]health-news-site[.]com
. This has a materially different page structure. - Intended domain is a dictionary website
dictionary-site[.]com
with word etymologies that has 2-3 ads on the sides vs. detected domain is a subsection of that siteword-game[.]dictionary-site[.]com
with a word game that has auto-playing video ads and 10+ ads per page.
- Intended domain is a health news site
- This includes situations where the detected domain is a piracy, adult content, or gambling domain that is unrelated to the intended domain.
Different Audience/Topic
- Intended or detected domain related to ads delivered to a smaller or niche audience compared to the intended audience, including different sections of a website targeting a specific audience. For example: intended domain is
news-site[.]com
and detected domain issports.news-site.com
. - Ads delivered to a bigger or broader audience compared to the intended audience. For example: intended domain is
sports.news-site[.]com
and detected domain isnews-site.com
. - The websites do not have user experience differences (otherwise they will be classified as Different User Experience)
Different Country/Location
- Intended or detected domain relate to a geographic localization or country-specific site. For example: intended domain is
news-site[.]com
and the detected domain isuk[.]new-site[.]com
.- In this case, the websites to do not necessarily have clear user experience differences (otherwise they will be classified as Different User Experience), but the different localizations are considered material differences.
These mismatches are not flagged as IVT when the intended domain is already region specific.
For example: intended domain is brazilian-soccer[.]com
and the detected domain is brazilian-soccer[.]br
.
Ad Verification
Detected domain is related to an Ad Verification provider or other known sandboxed environment.
Intended Domain Associated with Technical Infrastructure
Intended Domain is shown in pre-bid as a domain typically associated with ad loading or ad tech infrastructure, unlikely to be the actual domain deliberately being transacted. Detected domain is something else.
For example: intended domain is googlesyndication[.]com
and detected domain is something else.