An inside look at Mangago’s ad fraud scheme

June 16, 2021 | 7 minute read
Tamir Huber
Senior Cybersecurity Researcher, Oracle Moat
Yuval Tanny
Senior Data Science Manager, Oracle Moat

Ad fraud goes beyond bots watching ads. Today, fraudsters are coming up with more sophisticated schemes to steal from advertisers. To illustrate this point, we’ll explain how mangago[.]me—an anime site with adult and often pirated content—made advertisers believe they were showing ads on brand-safe lifestyle magazine sites.

Mangago seems to have deployed context spoofing, which uses a redirected domain and page content to increase the cost per thousand impressions (CPM) value of its ad placements.

Mangago’s exposed scheme reflects increasing ad fraud sophistication and highlights the risk of using a single category to determine if a site is valid, appropriate, and safe. In this case, Mangago seems to be taking advantage of advertisers that rely on a page URL to make bidding decisions and cannot identify context spoofing easily. Oracle Moat identified this ad fraud scheme and is publicly sharing this information to help mitigate ad fraud and to reinforce digital advertising best practices.

An ad fraud setup like Mangago’s scheme

The operation uses five domains. This includes one “real” site, three “fake” sites, and one domain for image storage:

  • Mangago[.]me: The “real” website that provides free manga comics
  • mnggo[.]net: The fake lifestyle magazine titled “newfashion”
  • lady-first[.]me: The fake lifestyle magazine titled “ladyfirst”
  • fashionlib[.]net: The fake lifestyle magazine titled “lifestyle”
  • mangapicgallery[.]com: The domain used to store the manga comics images

Mangago is the real manga website. When mangago[.]me visitors click on an image or button to begin reading what they think are free comics, they are automatically redirected to one of the fake lifestyle sites.

For site visitors, it looks like they are still on mangago[.]me. But they are actually on a fake lifestyle URL with ads loading. Any automatic context recognition using the URL or page content will fool advertisers into thinking people are viewing their ads on legitimate lifestyle magazines.


The ad fraud framework

Let’s break down how some ad fraudsters do it. Each of the fake sites has two types of pages. First, the seemingly legitimate lifestyle articles usually have “/article/” in their URLs. If a reader tries to access one of these pages, they will see a lifestyle article that doesn’t raise suspicion at first glance.

The second page type has URLs related to the scheme. Usually, these pages contain “/c/” and are in the format of https://www.mnggo[.]net/c/31989/412733/1/, which loads a comic and changes the URL to seem like an article page.

The fake content and articles are duplicated across all three fake domains. By simply changing the domain and keeping the URL suffix, we get the same article on each site. And no bots are used in this process (see Figure 1).
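The duplication described above can be turned into a crawl-side check. The following is an added example, not Oracle Moat's code: it groups crawled pages by path and normalized text and reports domain pairs that serve the same article under the same URL suffix. The record shape, function names, and sample domains are constructed for illustration.

```javascript
// Added example: `pages` is a list of crawled { domain, path, text } records.
function normalise(text) {
  return text.toLowerCase().replace(/\s+/g, ' ').trim();
}

// Returns domain pairs that serve identical text at the same path
// on at least `minShared` distinct pages.
function mirroredDomainPairs(pages, minShared = 2) {
  const domainsByPage = new Map();          // path + text -> Set of domains
  for (const { domain, path, text } of pages) {
    const key = path + '\n' + normalise(text);
    if (!domainsByPage.has(key)) domainsByPage.set(key, new Set());
    domainsByPage.get(key).add(domain);
  }
  const sharedCount = new Map();            // "a b" -> number of mirrored pages
  for (const domains of domainsByPage.values()) {
    const list = [...domains].sort();
    for (let i = 0; i < list.length; i++) {
      for (let j = i + 1; j < list.length; j++) {
        const pair = list[i] + ' ' + list[j];
        sharedCount.set(pair, (sharedCount.get(pair) || 0) + 1);
      }
    }
  }
  return [...sharedCount]
    .filter(([, n]) => n >= minShared)
    .map(([pair, n]) => ({ domains: pair.split(' '), sharedPages: n }))
    .sort((a, b) => (a.domains.join(' ') < b.domains.join(' ') ? -1 : 1));
}

// Constructed sample crawl: three mirrored sites and one unrelated site.
const SAMPLE_PAGES = [];
for (const domain of ['site-a.example', 'site-b.example', 'site-c.example']) {
  SAMPLE_PAGES.push({ domain, path: '/article/101/', text: 'Ten  spring looks\nto try' });
  SAMPLE_PAGES.push({ domain, path: '/article/102/', text: 'How to care for linen' });
}
SAMPLE_PAGES.push({ domain: 'unrelated.example', path: '/article/101/', text: 'Quarterly results' });

console.log(mirroredDomainPairs(SAMPLE_PAGES));
```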

Figure 1: Fake content is duplicated across all three fake domains.

 

Behind the scenes

A comic reader browsing mangago[.]me clicks “Start Reading” to open an online comic. A new tab opens on the mangago[.]me domain and receives an HTTP 301 “Moved Permanently” response. The browser then automatically follows the redirect to the URL in the response’s “Location” header. The server issues this redirect only when the request carries the “Referer: https://www.mangago[.]me/” HTTP header.

The server randomly redirects the visitor to one of the three fake websites. The browser then requests the new page with the comic content, and the server returns a hardcoded JavaScript variable named “article_link,” which holds the URL used to spoof the navigation bar. Using the History API, the client code replaces the original URL with that “article_link” value. For example, see Figure 2:

Figure 2: The beginning of the redirect to a fake site.

 

The ability to change the page URL without reloading new content is enabled by the History API and is supported by all major browsers. It is a key feature for enabling single-page applications on the web.

Like many other legitimate browser features that enable the richness and diversity of the Internet as we know it, the History API is a double-edged sword that can also cause harm and defraud advertisers. In this case, due to the History API, one cannot trust the path part of the URL to represent the true context of an ad.
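Because the path can be rewritten in place, a measurement tag can record the URL the document was loaded from and compare it with the address bar when an ad is requested. The following is an added example, not Oracle Moat's code: it wraps the two History API methods and reports any path rewrite. The function names, the fake window object, and the sample URLs are constructed for illustration.

```javascript
// Added example: a measurement-tag style check, installed as early as possible.
// `win` is a browser window, or any object with the same location/history shape.
function watchHistoryRewrites(win) {
  const loadedUrl = win.location.href;   // URL the document was actually fetched from
  const rewrites = [];
  for (const method of ['pushState', 'replaceState']) {
    const original = win.history[method];
    win.history[method] = function (state, title, url) {
      const from = win.location.href;
      const result = original.apply(this, arguments);
      if (win.location.href !== from) {
        rewrites.push({ method, from, to: win.location.href });
      }
      return result;
    };
  }
  return {
    // Attach this to each impression so context is classified on loadedUrl,
    // not on whatever path the address bar shows at auction time.
    report() {
      const current = new URL(win.location.href);
      const loaded = new URL(loadedUrl);
      return {
        loadedUrl,
        currentUrl: current.href,
        pathRewritten: current.pathname !== loaded.pathname,
        rewrites: rewrites.slice(),
      };
    },
  };
}

// Constructed stand-in for a browser window so the example runs outside a browser.
function makeFakeWindow(href) {
  const win = { location: { href } };
  const setUrl = (state, title, url) => {
    if (url != null) win.location.href = new URL(url, win.location.href).href;
  };
  win.history = { pushState: setUrl, replaceState: setUrl };
  return win;
}

// Constructed URLs: a "/c/" comic page rewritten to an "/article/" path.
function demo() {
  const win = makeFakeWindow('https://magazine.example/c/31989/412733/1/');
  const watch = watchHistoryRewrites(win);
  win.history.replaceState(null, '', '/article/constructed-title/');
  return watch.report();
}
```

The watcher only sees rewrites made after it is installed, so in a real page it has to run before the page's own scripts.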

The same comic is available on all three sites with the same content. The comic images are stored on a fifth domain named mangapicgallery[.]com. The image links are encrypted and stored on the client side, and are decrypted after the page loads.

Figure 3: High-level overview of Mangago’s site spoofing process.

 

Figure 4:  Oracle Moat captures ad fraud re-direction and context spoofing in action.

 

The ads are served using the prebid.js header bidding framework, which lets the browser choose the ad with the highest bid price across multiple partners. As we can see in the prebid requests, the URLs in the requests are the spoofed ones, tricking the ecosystem into believing that the ad will be served on a lifestyle blog rather than on mangago[.]me.

Figure 5: Pre-bid JS header bidding setup.

 

Figure 6: A command sending a cash-out URL to Prebid.js.

Domain vs. context ad spoofing

A common ad fraud scheme is misrepresenting ad impressions through domain spoofing. This is when a seller claims to have ads for sale on, say, Publisher X—and then uses a bot to generate views of this ad slot with the faked domain. These ads don’t appear on the real domain at all, and the fraudster pockets the profits of the faked impressions.

This is possible because bots can spoof their domain information, and the programmatic supply chain is vulnerable to this type of attack. Advanced bot detection, ads.txt and the SupplyChain object have done a great deal to make this sort of attack more difficult. But until we have widespread adoption of ads.cert the possibility of domain spoofing persists.

For context spoofing, the domains are all real and, in this case, owned by the same operator. The viewers are humans and not bots. Ads.txt, the SupplyChain object, and even a cryptographic signature through ads.cert do not stop this type of ad fraud because the lifestyle URL is real and verifiable. As an example, lady-first[.]me has a seemingly legitimate site with a valid ads.txt file.

So unlike other "domain spoofing" bots we’ve uncovered, context spoofing does not require bots to be detected, and the inventory is not spoofed.

Fighting ad fraud

The online advertising ecosystem is complex, and every piece of information used to bid on and purchase digital ads is at risk for spoofing and fraud. Oracle Moat provides advertisers with sophisticated invalid traffic (IVT) detection to help protect their digital investments from ad fraud schemes—ranging from automated bots to domain misdirection and context spoofing.

And the Media Rating Council (MRC) has accredited our detection and filtration methodology for desktop, mobile web, and mobile in-app environments.

We continue to support the adoption of standards including ads.cert to address gaps in trust in the ads ecosystem. We also stress the importance of independent, accredited third-party measurement as an additional safeguard.


Read more about the mangago[.]me ad fraud scheme.

Find out more about Oracle Moat’s solutions for ad campaign measurement, IVT, and more.

Tamir Huber

Senior Cybersecurity Researcher, Oracle Moat

Tamir Huber is a cyber security researcher and developer at Oracle Moat, and he specializes in bot detection and anti-fraud.

Yuval Tanny

Senior Data Science Manager, Oracle Moat

Yuval Tanny leads the Oracle Moat IVT and ad fraud research group. He is passionate about integrating data science and technical security research methods for combating fraud.

