Satori Threat Intelligence Alert: Merry-Go-Round Conceals Ads from Users and Brands

(This is the first in a series examining cloaking operations uncovered and defended against by HUMAN’s research teams.) 

Researchers: Louisa Abel, Nico Agnese, Denys Bondartsov, Will Herbig, Mykola Polubutkin, Adam Sell, Mikhail Venkov

IVT Taxonomy: Automated Browsing, Misleading User Interface, False Representation

Merry-Go-Round is the name HUMAN researchers have given to two independent rings of websites that operate and redirect traffic among each other in pop-under tabs, racking up digital ad impressions that are concealed from the user. The threat actors built the ad cloaking operations in such a way that directly visiting the domains involved won’t trigger the redirection behavior, effectively hiding the fraudulent activity from brands and advertising partners.

At its peak, Merry-Go-Round—so named for the carousel of domains the pop-unders cycle through—reached 782 million bid requests a day. This operation is still active; today, Merry-Go-Round accounts for roughly 200 million bid requests a day, and the threat actors behind both rings continue to attempt to adapt their attack, adding new domains and subdomains to both rings. This operation is unique in its level of sophistication and obfuscation; the threat actors took pains to both conceal the rings (removing referrer information in between each domain in the cycle) and to maximize their profit (requesting as many as a hundred ads on each domain in the cycle).

Customers partnering with HUMAN for ad fraud defense are protected from the impacts of Merry-Go-Round.


Pop-Under and Redirection

The Merry-Go-Round ride begins when a user visits a website with the intention of viewing content most advertisers wouldn’t want their brand associated with (often pornography or pirated content). The website hosting that content uses overlays to hijack any mouse click on a directory page and launches a new tab with content the user expects to see, and redirects the original now out-of-focus tab to a Merry-Go-Round domain.

What the user sees when a pop-under tab opens
Source: HUMAN Satori Threat Intelligence Team

This behavior is triggered by iFrames and overlays which sit atop all of the content on the page, hijacking all clicks:

DIV tag overlays that trigger pop-under behavior
Source: HUMAN Satori Threat Intelligence Team

A closer look at the iFrames and DIV tags triggering the behavior:

DIV tag overlays and iFrames that trigger pop-under behavior
Source: HUMAN Satori Threat Intelligence Team

Notice the z-index trait on both the DIV tags and iFrames. That value, 2147483647, is the maximum z-index value, and ensures the overlays sit on top of everything else on the page.

After hijacking the click and loading the Merry-Go-Round domain in the out-of-focus tab, a timer begins. After about sixty seconds, the tab automatically jumps to the next page in the ring.

Diagram outlining how Merry-Go-Round cycles through domains
Source: HUMAN Satori Threat Intelligence Team

This process continues until the tab is closed, and that may take some time: The Human Defense Platform observed more than 789,000 ad requests associated with Merry-Go-Round from a single residential IP address in a single day.


Domain Cloaking

In addition to hiding activity from users through pop-unders, the Merry-Go-Round threat hides activity from brands through domain cloaking. Brands, agencies, and DSPs that examine where their ads are running may visit some of the sites in the Merry-Go-Round rings, and if they do, this is what they’ll see:

Merry-Go-Round domain, visited directly
Source: HUMAN Satori Threat Intelligence Team

A boring site, perhaps, but not a troublesome one from a brand’s perspective. Nothing to object to for brand safety reasons.

But that’s only the view of the site if it’s visited directly. Visiting the site through forced redirection via pop-unders results in an entirely different experience:

Merry-Go-Round GIF (full video)
Source: HUMAN Satori Threat Intelligence Team

Same website, but no actual “content”, no nav menu, no header, and no logo. Just collections of ads rendered above the fold (ensuring the ads actually render), and all using header bidding.

“Ad cloaking” is a broad term describing behaviors designed to misrepresent ad inventory by obfuscating how, where, or when the ad was loaded, in a materially different way than the advertiser might expect based on its declaration in the bid request. In the case of Merry-Go-Round, the operators are cloaking the domain to lead advertisers to believe they are purchasing inventory on a mundane blog, while they are actually purchasing inventory on a site full of ad slots with no actual content. 

This first domain in the ring includes a piece of code in the site’s HTML that instructs search engines not to crawl the site:

Example of code for the entry point in the ring
Source: HUMAN Satori Threat Intelligence Team

Notice the “<meta name=“robots”>” code above. That code tells search engines neither to index the site nor to follow any links found on the page.

From here, that first domain in the ring redirects to a small page (the .asp page in the screenshot above) built specifically to remove referrer information from the headers:

Example of referrer removal step
Source: HUMAN Satori Threat Intelligence Team

The code above does two things: creates a link to the domain’s home page (the “a id” snippet), and runs a very short javascript segment that clicks on this new link as soon as it’s loaded (the “script” snippet). That click resets the referrer information from the previous domain to the .asp page, making the referral an internal link. Removing the referrer information is a key step for the threat actors in covering their tracks, removing information that would be helpful to researchers attempting to reverse engineer the operation and obfuscating the relationship between the Merry-Go-Round domains in the rings as well as the relationship between the domains triggering the pop-unders and the Merry-Go-Round domains.

From an IVT perspective, Merry-Go-Round falls into three categories:

  • Automated Browsing. The automatic redirection element of the operation is a textbook example of automated browsing.
  • False Representation. Removing/obscuring the referrer information makes ad campaign reporting inaccurate for advertisers, agencies, and their advertising technology partners, and ad cloaking misrepresents campaign performance.
  • Misleading User Interface. Loading ads in pop-unders and the iFrame/DIV tag overlays (hijacking user clicks) are indications of misleading user interface SIVT. 

Next Steps

The domains in both rings of the Merry-Go-Round operation are listed below in the Appendix. The HUMAN Satori Threat Intelligence Team is actively capturing new domains added to both rings.

Customers partnering with HUMAN for ad fraud defense are protected from the impacts of the ongoing Merry-Go-Round operation.


Appendix: List of Merry-Go-Round Domains

Merry-Go-Round operates on two rings of domains:

Ring One:

Ring Two: