Home / Blogs

New Ad Fraud Schemes Utilize Alpha-Numeric Domains

Co-authored by Dr. Augustine Fou, Independent Cybersecurity and Ad Fraud Researcher and David Mitnick, President of DomainSkate

The breach of the Democratic National Committee email system and a massive digital advertising fraud believed to be run by alleged actors in Russia share a common thread beyond their ability to capture the news cycle. Although each event targeted a different weakness in brand/online security platforms, the common denominator is the use of fraudulent domain names.

In the case of the DNC hack, an email linked to a look-alike Google domain was a critical component that allowed hackers entry into the DNC computer system. On the ad fraud side, alphanumeric and gibberish domains were used to bilk advertisers of millions of dollars a day via a complex system that showed real ads to fake people.

With respect to ad fraud, the use of alphanumeric and gibberish domains are particularly attractive because they are cheap (no premiums like for those domains that are normally associated with popular terms) and anonymous. Whereas prior schemes relied on some form of human intervention—whether it was fake clicks from confused users or hired clicks—the new schemes require none. In fact the entire purpose of registering a domain name like www.000chat000.com is that it will remain anonymous and not attract attention.

We did research on some recent alpha-numeric domains registered in the .COM registry and found that there were obvious patterns in the registrations. For example, see the below registrations that were made just last month:


Many of these domains were registered within minutes of each other which means that the registration was likely automated as part of a targeted scam. Specifically, bulk registrations can be performed by bots by simply adding slight variations to the domain names (as in the list above, and the examples below). And all are unique domains that will have a different payment ID in the ad exchange. Here are a few examples:

Creation Date: 2013-02-04T21:01:29Z

Creation Date: 2013-02-04T21:01:42Z

Creation Date: 2013-02-04T21:01:48Z

We also visited these sites and it became clear that the sites had no (human) traffic and were simply created for fraudulent purposes. The front pages of the sites most of them were exactly the same—that means they used the same site template. There was also no real or useful content on the pages. Though there was no legitimate purpose for the sites, the large numbers of them could be useful if used to commit ad fraud—where scammers would add them into ad exchanges in order to carry ads (e.g. display ads, video ads, search ads, etc.) just like in the recent Russian advertising scam.

The bottom line is that it is important for every company, large or small to monitor their brand names online and to pay close attention to the details in their media/digital advertising reports. On the brand side, a failure to monitor means that users or customers can be harmed by phishing scams that might otherwise be preventable.

With respect to digital advertising and media, it is important to always insist on line-item details when buying digital media. With these details you will be able to see domain names (e.g. on which your ads and media ran). When you see domains like the ones discussed in this article, be very suspicious and do further investigation, because they are more likely to be used for fraudulent purposes than for legitimate ones.

By David Mitnick, President DomainSkate LLC

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API