Shady 'Merry-Go-Round' Ad Fraud Network Leaves Orgs Hemorrhaging CashShady 'Merry-Go-Round' Ad Fraud Network Leaves Orgs Hemorrhaging Cash

Stealthy ad fraud rings turn legitimate marketing into spam at a large scale, creating 200M+ bid requests daily.

4 Min Read
Child on a vintage merry-go-round horse
Source: geogphotos via Alamy Stock Photo

Researchers have uncovered two ad fraud rings redirecting hundreds of millions of online ads daily to pop-up windows on less-than-reputable websites.

In a report released on May 30, Human Security collectively named the rings "Merry-Go-Round," after the characteristic way they cycle around a small number of domains serving large volumes of ads.

At its peak, Merry-Go-Round's advertising ouroboros was feeding unwitting Internet users 782 million ads every day. Today, the ongoing operation serves a still-significant 200 million ads per day, on average.

"It's actually pretty crazy, the scale and magnitude of this operation," says Will Herbig, director of fraud operations at Human Security. "To contextualize this: A typical user sees something like 5,000 ads per day. So that 780 million is [equivalent to] 150,000 people's ad intake, on TV, their phone, the newspaper — for their entire day. That's, what, the population of Jersey City?"

Swindling Companies for Their Ad Dollars

Internet users won't be too chuffed by it, but companies have been losing gobs of money to ad fraud for as long as online ads have existed.

The obscure marketplace for ad placement (where middlemen exchanges — so-called "ad tech" companies — programmatically facilitate the buying and selling of online real estate) creates distance between buyer and seller, which fraudsters have long used to their advantage. Bad guys have been known to run ads on staged websites, serve them to bots programmed to simulate real engagement, and more, raking in revenue while their suppliers are none the wiser.

Compared with standard-setters like Methbot, Merry-Go-Round is rather simple, but still effective.

It begins with an overlay, laid invisibly atop a pirating, pornography, or other kind of website that most advertisers wouldn't want to be associated with. Any click redirects the site's visitor to a new browser window with the content they're expecting, while the original window redirects to a Merry-Go-Round domain.

Though unwilling to comment on attribution, Herbig does note that "the websites would have to knowingly run this code to generate this kind of [scheme]. Most likely, there is some kind of revenue-generating agreement between the two parties."

While an Internet user goes about their idle day, the out-of-focus Merry-Go-Round window starts to cycle between domains. Every 60 seconds it loads a new one, each cramming in a boatload of ads. Shorter cycles, Herbig notes, would be more likely to raise red flags. The process continues ad infinitum until the user notices and closes out the window.

"It scales very quickly, because there are 100 ads on a page, and users are often distracted, so they're going to be leaving these things open for some time," Herbig notes.

Beating Ad Fraud, the Easy Way

Merry-Go-Round is most sophisticated in its anti-detection techniques, using a number of measures to keep away advertisers, cyber analysts, and others who would stand in its way.

For example, the first pop-under domain served to users includes a bit of HTML code instructing search engines not to crawl the site, and not to investigate any links contained within it. Another bit of JavaScript code resets the referrer information typically tracked by online ads in order to obscure the relationships between different Merry-Go-Round domains, as well as their relationship with the websites that triggered the cycle in the first place.

Merry-Go-Round's best trick is "cloaking," a tactic common among ad fraudsters. If, say, a suspicious advertiser visits one of its domains directly, they'll be presented with a simple, inoffensive site. Only if they come upon the domain via redirection will they see it in its true form.

Detecting and shutting down operations like Merry-Go-Round is difficult. Luckily for advertisers, there's an easy way to avoid throwing your marketing budget down the toilet: Don't outsource the work of ad placement to exchanges.

"One big thing that you can do is: Know who you're buying inventory from," Herbig says. "The closer you are to your partners — the less transacting of inventory there is — the more likely it is you can avoid these [scams]."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights