An inside look at Mangago’s ad fraud scheme

Fraudsters today are inventing more sophisticated ways to steal advertisers’ money. This is illustrated by mangago. Advertisers were misled by a mangago[.]me site that featured adult and sometimes pirated content to believe they were displaying ads on lifestyle magazines.

Mangago appears to have used context spoofing. This involves redirecting domain and page content to raise the cost per 1,000 impressions (CPM), the value of their ads.

Mangago’s scheme is a sign of increasing sophistication in ad fraud and highlights the danger of using one category to determine whether a site can be trusted, legal, and appropriate. Mangago appears to have been exploiting advertisers who rely on page URLs to make bidding decisions. Oracle Moat discovered this ad fraud scheme and is now sharing it publicly to help reduce ad fraud and reinforce digital advertising best practices.

ReadMangago App Review And Guide

A scheme of ad fraud like Mangago’s

Five domains are used in the operation. The operation uses five domains: one for “real” sites, three fake sites, and one for image storage.

  • Mangago[. Mangago[.]me: A “real” website offering free manga comics
  • mnggo[. mnggo[.]net: A fake lifestyle magazine called “newfashion”.
  • Lady-first[. Lady-first[.
  • fashionlib[. fashionlib[.]net: A fake lifestyle magazine called “lifestyle”.
  • mangapicgallery[. mangapicgallery[.

Mangago is the original manga website. Mangago[. Click on the image to start reading mangago[.

It looks to site visitors that they are still on mangago[.]me. They are actually loading ads on a fake lifestyle URL. Advertisers will be fooled into believing that people are reading their ads in legitimate lifestyle magazines by using automatic context recognition.

Ad fraud framework

Let’s see how ad fraudsters do this. 2 types of pages are on each fake website. The first is that the URLs for seemingly genuine lifestyle articles often include “/article/”. A reader will not be suspicious if they try to access these pages.

URLs are provided for the second type of page. These pages usually contain the “/c/” character and are formatted as https://www.mnggo[. ]net/c/31989/412733/1/, which loads a comic and changes the URL to seem like an article page.

All three fake domains have fake content and articles. We can get the exact same article from each site by simply changing the URL suffix and the domain. This process is completely automated.


Behind the scenes

A comic reader browsing on mangago[. To check out an online comic, ] I click “Start Reading”. A new tab opens at mangago[. ]me domain receives the HTTP 301 “Moved permanently” response. The browser will then redirect to the “location”, as specified in the response. This redirection is done only when the server gets the request with the “referrer: https://www.mangago[. The HTTP header “me/” is required.

A random redirection is made by the server to redirect a visitor to one or more of three fake websites. The browser then requests the comic-themed page. The server returns a JavaScript variable named “article_link”, which deceives the URL of the navigation bar. The client code uses History API to switch the URL to the “article_link”.


History API supports all major browsers and allows you to modify the URL of a page without having to reload new content. This is an important feature to enable single-page web applications.

The History API, like many legitimate browser features that allow the richness and diversity that is the Internet as it exists today, can be a double-edged sword. It can also defraud and cause harm to advertisers. The History API makes it impossible to trust that the URL’s path portion represents the context of an advertisement.

All three sites have the same comic. The comic images are stored on a fifth domain named mangapicgallery[.]com. After the page loads, the image links are encrypted on the client’s side and decrypted when the page loads.

Mangago’s site

The header bidding prebid.js framework is used to serve the ads. This allows the browser to choose the ad that has the highest bid price from multiple partners. The prebid requests show that the URLs are spoofed. This tricked the ecosystem into thinking the ad would be served on a lifestyle website rather than mangago.

mangago JS header

Ad spoofing: Domain vs. Context

Domain spoofing is a common way to deceive advertisers. A seller may claim to have ads available on Publisher X, and then use a bot to generate views for the fake domain. These fake impressions are a scam because the ads do not appear on the actual domain.

Bots can spoof domain information to make this possible, making the programmatic supply chain vulnerable. This type of attack is made more difficult by advanced bot detection tools like ads.txt or the SupplyChain object. However, until ads. cert is widely adopted, the possibility of domain spoofing will continue to exist.

The domains can be used to context-spoof and are all real and owned by the same operator. The viewers are not bots but humans. This type of fraud is not stopped by ads.txt or SupplyChain objects. Lady-first[.] is one example. I have an allegedly legitimate website with valid ads.txt files.

Contrary to other bots that “domain spoof” domains, context spoofing doesn’t require bots being detected and the inventory isn’t spoofed.

Combating ad fraud

Online advertising is complicated. Every piece of information used in order to buy and bid on digital ads is vulnerable to fraud and spoofing. Oracle Moat offers sophisticated invalid traffic detection (IVT), which helps advertisers protect their digital investments against ad fraud schemes. This includes automated bots, domain misdirection, and context spoofing.

The Media Rating Council (MRC), has also accredited our detection-and-filtration methodology for desktop, web, and mobile in-app environments.

To address trust gaps in the ads ecosystem, we support the continued adoption of standards. cert. We also emphasize the importance of third-party, independent measurement as an additional safeguard.

Leave a Comment