Cyclical redirects turn online advertising into a giant financial trap.
Researchers have identified two fraudulent networks that redirect hundreds of millions of online ads to pop-ups on questionable websites every day. In a May 30 report, Human Security called these networks "Merry-Go-Round" or Operation Carousel for their characteristic way of cycling ads across a limited number of domains.
During its peak period, Karusel showed users 782 million ads daily. Currently, the operation continues to work, showing an average of 200 million ads per day, resulting in huge revenues for attackers and similar losses for advertisers.
"The scale and magnitude of this operation is staggering," said Will Herbig, director of fraud Prevention at Human Security. "To understand the scale: the average user sees about 5,000 ads a day [with the ad blocker disabled]. So 780 million is equivalent to a daily advertising load of 150,000 people."
Advertising companies have been losing huge amounts of money due to this type of fraud since the very beginning of online advertising. A closed ad placement market, where intermediaries automate the process of buying and selling online space, creates a distance between the buyer and seller, which is what scammers use.
Carousel works relatively simply, but efficiently. It all starts with an invisible overlay placed on a site with pirated content or adult content. Any click redirects the user to a new tab with the expected content, while the original window goes to the "Carousel" domain, which shows the user hundreds of ads in the background.
Carousel uses various methods to avoid detection. For example, the first domain shown to the user includes HTML code that prohibits search engines from indexing the site and checking the links it contains. Additional JavaScript code resets referrer information to hide links between Carousel domains and sites that started the loop.
The best trick of the Carousel is disguise. If an advertiser who suspects fraud visits one of the domains directly, they see a simple, harmless page. And only when redirecting from certain sites, the user is shown a real form of "Carousel" with a lot of ads on the page.
Detecting and stopping operations like Carousel is difficult. Fortunately, an easy way for advertisers to avoid losing their budget is to avoid trusting intermediaries to place ads.
"It's important to know who's buying ad space from," Herbig says. "The closer the relationship with partners, the less likely it is to get caught by scammers."
Fortunately, such operations do not threaten end users. They only use them for illegal earnings, which, however, also contributes to the achievement of fraudsters ' goals. In order not to play into the hands of cybercriminals, it is mandatory to use an ad blocker in the browser, as well as not to visit dubious websites.
Researchers have identified two fraudulent networks that redirect hundreds of millions of online ads to pop-ups on questionable websites every day. In a May 30 report, Human Security called these networks "Merry-Go-Round" or Operation Carousel for their characteristic way of cycling ads across a limited number of domains.
During its peak period, Karusel showed users 782 million ads daily. Currently, the operation continues to work, showing an average of 200 million ads per day, resulting in huge revenues for attackers and similar losses for advertisers.
"The scale and magnitude of this operation is staggering," said Will Herbig, director of fraud Prevention at Human Security. "To understand the scale: the average user sees about 5,000 ads a day [with the ad blocker disabled]. So 780 million is equivalent to a daily advertising load of 150,000 people."
Advertising companies have been losing huge amounts of money due to this type of fraud since the very beginning of online advertising. A closed ad placement market, where intermediaries automate the process of buying and selling online space, creates a distance between the buyer and seller, which is what scammers use.
Carousel works relatively simply, but efficiently. It all starts with an invisible overlay placed on a site with pirated content or adult content. Any click redirects the user to a new tab with the expected content, while the original window goes to the "Carousel" domain, which shows the user hundreds of ads in the background.
Carousel uses various methods to avoid detection. For example, the first domain shown to the user includes HTML code that prohibits search engines from indexing the site and checking the links it contains. Additional JavaScript code resets referrer information to hide links between Carousel domains and sites that started the loop.
The best trick of the Carousel is disguise. If an advertiser who suspects fraud visits one of the domains directly, they see a simple, harmless page. And only when redirecting from certain sites, the user is shown a real form of "Carousel" with a lot of ads on the page.
Detecting and stopping operations like Carousel is difficult. Fortunately, an easy way for advertisers to avoid losing their budget is to avoid trusting intermediaries to place ads.
"It's important to know who's buying ad space from," Herbig says. "The closer the relationship with partners, the less likely it is to get caught by scammers."
Fortunately, such operations do not threaten end users. They only use them for illegal earnings, which, however, also contributes to the achievement of fraudsters ' goals. In order not to play into the hands of cybercriminals, it is mandatory to use an ad blocker in the browser, as well as not to visit dubious websites.
