An extensive ad fraud operation has been unearthed by researchers, shedding light on the shady practices that redirect hundreds of millions of online ads daily to pop-up windows on dubious websites. The findings were detailed in a report released on May 30 by Human Security, which dubbed the two rings behind the operation as “Merry-Go-Round” due to their repetitive cycle around a limited number of domains hosting a large volume of ads.
At its peak, Merry-Go-Round was bombarding unsuspecting Internet users with a staggering 782 million ads every day. While the operation has somewhat decreased in intensity, it still manages to push out around 200 million ads daily. Will Herbig, the director of fraud operations at Human Security, expressed astonishment at the sheer scale of the operation, likening it to inundating 150,000 individuals with advertisements throughout the day across various platforms.
The relentless exploitation of online ads has long been a lucrative endeavor for fraudsters, with companies losing substantial amounts of money to ad fraud annually. The convoluted ad placement marketplace, facilitated by intermediary exchanges known as “ad tech” companies, provides the perfect breeding ground for fraudulent activities. Bad actors have capitalized on this setup by running ads on fabricated websites, directing them to bots programmed to mimic genuine engagement, ultimately profiting while deceiving advertisers.
Although Merry-Go-Round operates in a relatively straightforward manner compared to other notorious schemes like Methbot, its effectiveness cannot be underestimated. The scheme commences with an overlay strategically positioned atop questionable websites, such as pirated or adult content sites, redirecting users to a designated browser window containing the desired content while secretly routing the original window to a Merry-Go-Round domain.
While refraining from attributing blame, Herbig insinuated the complicity of websites running such code to perpetuate the fraud, often through revenue-sharing agreements. The cycle ensues as the Merry-Go-Round window continuously switches between domains every minute, bombarding users with a barrage of ads. This process continues indefinitely until the user becomes aware of the scheme and closes the window.
Efforts to counteract ad fraud have met significant hurdles due to Merry-Go-Round’s sophisticated anti-detection measures. The fraudsters employ various tactics to evade detection, including instructing search engines not to crawl the initial domain and obscuring the relationships between different domains through the manipulation of referrer information.
One of Merry-Go-Round’s most effective ploys is cloaking, a common strategy among fraudsters, wherein direct visitors are presented with benign content, only revealing the true nature of the site to those redirected through deceptive means. Detecting and dismantling operations like Merry-Go-Round prove to be challenging, emphasizing the need for vigilance and accountability in the ad placement process.
In light of these revelations, Herbig advocates for a more hands-on approach to ad placement, urging advertisers to be discerning about their inventory sources. By fostering closer partnerships and minimizing intermediaries in ad transactions, companies can mitigate the risks of falling victim to fraudulent schemes like Merry-Go-Round. Adopting a proactive stance and maintaining transparency in advertising practices can safeguard marketing budgets and preserve the integrity of online advertising.