Shady Merry-Go-Round Ad Fraud Network Leaves Orgs Hemorrhaging Cash

Published: 23/11/2024   Category: security




Stealthy ad fraud rings turn legitimate marketing into spam at a large scale, creating 200M+ bid requests daily.



Researchers have uncovered two ad fraud rings redirecting hundreds of millions of online ads daily to pop-up windows on less-than-reputable websites.
In a report released on May 30, Human Security collectively named the rings Merry-Go-Round, after the characteristic way they cycle around a small number of domains serving large volumes of ads.
At its peak, Merry-Go-Round's advertising ouroboros was feeding unwitting Internet users 782 million ads every day. Today, the ongoing operation serves a still-significant 200 million ads per day, on average.
"It's actually pretty crazy, the scale and magnitude of this operation," says Will Herbig, director of fraud operations at Human Security. "To contextualize this: A typical user sees something like 5,000 ads per day. So that 780 million is [equivalent to] 150,000 people's ad intake, on TV, their phone, the newspaper — for their entire day. That's, what, the population of Jersey City?"
Internet users won't be too chuffed by it, but companies have been losing gobs of money to ad fraud for as long as online ads have existed.
The obscure marketplace for ad placement (where middlemen exchanges — so-called ad tech companies — programmatically facilitate the buying and selling of online real estate) creates distance between buyer and seller, which fraudsters have long used to their advantage. Bad guys have been known to run ads on staged websites, serve them to bots programmed to simulate real engagement, and more, raking in revenue while their suppliers are none the wiser.
Compared with standard-setters like Methbot, Merry-Go-Round is rather simple, but still effective.
It begins with an overlay, laid invisibly atop a pirating, pornography, or other kind of website that most advertisers wouldn't want to be associated with. Any click redirects the site's visitor to a new browser window with the content they're expecting, while the original window redirects to a Merry-Go-Round domain.
Though unwilling to comment on attribution, Herbig does note that the websites would have to knowingly run this code to generate this kind of [scheme]. Most likely, there is some kind of revenue-generating agreement between the two parties.
While an Internet user goes about their idle day, the out-of-focus Merry-Go-Round window starts to cycle between domains. Every 60 seconds it loads a new one, each cramming in a boatload of ads. Shorter cycles, Herbig notes, would be more likely to raise red flags. The process continues ad infinitum until the user notices and closes out the window.
"It scales very quickly, because there are 100 ads on a page, and users are often distracted, so they're going to be leaving these things open for some time," Herbig notes.
Merry-Go-Round is most sophisticated in its anti-detection techniques, using a number of measures to keep away advertisers, cyber analysts, and others who would stand in its way.
For example, the first pop-under domain served to users includes a bit of HTML code instructing search engines not to crawl the site, and not to investigate any links contained within it. Another bit of JavaScript code resets the referrer information typically tracked by online ads in order to obscure the relationships between different Merry-Go-Round domains, as well as their relationship with the websites that triggered the cycle in the first place.
Merry-Go-Round's best trick is cloaking, a tactic common among ad fraudsters. If, say, a suspicious advertiser visits one of its domains directly, they'll be presented with a simple, inoffensive site. Only if they come upon the domain via redirection will they see it in its true form.
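The 60-second domain cycling, heavy ad load and blanked referrer described above leave a recognizable pattern in page-load logs. The following is an added example, not code from Human Security or the original article, showing one way to flag it; the log fields, sample records, `.example` domains and all numeric thresholds other than the 60-second period are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed page-load records: (window_id, epoch_seconds, domain, referrer, ad_slots).
# Field names, domains and values are invented for this example.
SAMPLE_LOADS = [
    ("w1", 0,   "site-a.example", "", 96),
    ("w1", 60,  "site-b.example", "", 102),
    ("w1", 121, "site-c.example", "", 99),
    ("w1", 180, "site-a.example", "", 101),
    ("w1", 240, "site-b.example", "", 97),
    ("w1", 301, "site-c.example", "", 100),
    ("w2", 0,   "news.example",   "https://search.example/", 6),
    ("w2", 45,  "news.example",   "https://news.example/", 5),
    ("w2", 400, "shop.example",   "https://news.example/story", 8),
    ("w2", 415, "shop.example",   "https://shop.example/", 7),
]

def find_carousel_windows(loads, period=60, tolerance=5, min_loads=5,
                          max_domains=4, min_avg_ads=50):
    """Return {window_id: evidence} for windows that look like a timed domain carousel.

    The 60-second period and heavy ad load come from the article;
    every numeric threshold here is an assumption to tune on real data.
    """
    by_window = defaultdict(list)
    for window_id, ts, domain, referrer, ads in loads:
        by_window[window_id].append((ts, domain, referrer, ads))

    flagged = {}
    for window_id, rows in by_window.items():
        rows.sort()  # order each window's loads by timestamp
        if len(rows) < min_loads:
            continue
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        domains = [r[1] for r in rows]
        timed = all(abs(g - period) <= tolerance for g in gaps)   # metronomic reloads
        hops = all(a != b for a, b in zip(domains, domains[1:]))  # new domain each load
        few_domains = len(set(domains)) <= max_domains            # small rotating pool
        no_referrer = all(r[2] == "" for r in rows)               # referrer was reset
        avg_ads = mean(r[3] for r in rows)
        if timed and hops and few_domains and no_referrer and avg_ads >= min_avg_ads:
            flagged[window_id] = {"loads": len(rows), "domains": sorted(set(domains)),
                                  "avg_ads": round(avg_ads, 1)}
    return flagged

if __name__ == "__main__":
    print(find_carousel_windows(SAMPLE_LOADS))
```

Requiring every signal at once keeps false positives low on ordinary auto-refreshing pages, at the cost of missing a variant that adds timing jitter or passes a referrer.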
Detecting and shutting down operations like Merry-Go-Round is difficult. Luckily for advertisers, there's an easy way to avoid throwing your marketing budget down the toilet: Don't outsource the work of ad placement to exchanges.
"One big thing that you can do is: Know who you're buying inventory from," Herbig says. "The closer you are to your partners — the less transacting of inventory there is — the more likely it is you can avoid these [scams]."
