Scammers Profit from Advertisers in Operation Carousel

Researchers have uncovered two fraudulent networks that redirect hundreds of millions of online advertising to pop-up windows on dubious sites on a daily basis. Known as “Merry-Go-ROUND” or operation “Carousel,” these networks were identified by Human Security in a report released on May 30. The networks earned their names due to a characteristic method of cyclic advertising displayed on a limited number of domains.

At its peak, the Carousel displayed 782 million advertisements daily. Despite the ongoing efforts of law enforcement, the operation continues to function and now shows an average of 200 million ads per day. This generates substantial income for the attackers, similar to that of legitimate advertisers.

Will Herbig, Director of Fraud at Human Security, expressed awe at the scale and profitability of this fraudulent operation. He highlighted the immense impact of the Carousel, noting that the daily advertising load is equivalent to 150,000 people viewing 5,000 ads each.

The fraudulent activity conducted by the Carousel results in significant financial losses for advertising companies. The placement of online ads through intermediaries creates a disconnect between buyers and sellers, which scammers exploit to carry out their schemes.

The Carousel operates through a simple yet effective method. By placing an invisible overlay on websites featuring pirated content or adult material, any user click redirects them to a new tab while flooding the original window with numerous advertisements.

To evade detection, the Carousel employs various tactics. For instance, the initial domain shown to the user contains HTML code that prevents search engines from indexing the site or verifying the embedded links. Additionally, a JavaScript code conceals information about the referrer to obscure the connection between the Carousel’s domains and the sites initiating the cycle.

A standout feature of the Carousel is its ability to disguise itself. Suspecting advertisers who directly visit one of the Carousel’s domains are presented with a benign page. It is only through redirects from specific sites that users encounter the full extent of the Carousel’s fraudulent activities with multiple ads on the page.

Detecting and halting operations like the Carousel pose significant challenges. Advertisers can safeguard their budgets by refraining from entrusting ad placement to intermediaries. Establishing close relationships with partners enhances security and reduces the risk of falling victim to scammers.

Fortunately, end users are not directly threatened by such operations. The scams primarily serve to generate illegal profits, although unwitting users inadvertently aid the scammers in achieving their objectives. To minimize the risk of falling prey to cybercriminals, individuals are advised to utilize ad blockers in their browsers and avoid visiting suspicious websites.

/Reports, release notes, official announcements.