A massive ad fraud campaign using Google Ads and “popunders” on adult sites is estimated to have generated millions of ad impressions on stolen items, earning fraudsters around $275,000 a month.
The campaign was discovered by Malwarebytes, which reported it to Google and removed it for violating the rules prohibiting Google Ads on adult sites.
Although the operator of the campaign is unknown, evidence collected by Malwarebytes suggests that the actor is likely of Russian origin.
Popunders and Google Ads
The scammer set up advertising campaigns on adult sites receiving massive traffic using “popunder” ads.
These ads are incredibly cheap and open as “pop-ups” behind the open browser window, so the user won’t see them until they close or move the main browser window. Navigator.
Typically, “popunders” are used by online dating services, adult webcams, and other adult content portals.
In this case, the scammer creates legitimate-looking news portals with content pulled from other sites, which are used as “popunder” advertisements.
However, instead of displaying the content of the page, they overlay an iframe that promotes an adult site “TXXX”.
To generate advertising revenue from these popunders, the actors also embed a Google ad at the bottom of the page, in violation of Google’s advertising policies, as shown below.
The overlay is achieved by a dynamically constructed iframe that uses heavy code obfuscation to evade automatic analysis by Google’s fraud detection bots. The iframe points to txxx.tube, a legit adult content site, which it uses to import adult content.
“Once a user has focused on the tab (it was a popunder), all of a sudden the page rotation stops and what the user sees is what looks like another site Web for adults (the iframe)” explains Malwarebytes.
“A click anywhere on the page (the user might want to select one of the thumbnails and watch a specific video) triggers an actual click on a Google ad instead.”
Articles loaded in the background (below the adult content iframe) are stolen from legitimate sites, mostly tutorials, articles and guides.
These pages contained an average of five Google Ads, sometimes even including video ads that generate higher revenue.
The fraudster configures the background content to refresh with a new article and a new set of ads every nine seconds. Thus, if the page remains open for a few minutes, several fraudulent ad impressions are generated.
Similarweb metrics report that the fraudulent page generates around 300,000 visits per month with an average duration of 7 minutes and 45 seconds.
Based on this, Malwarebytes estimated ad impressions at 76 million per month and revenue at $276,000/month (based on a CPM of $3.50).
This number is an estimate for the site in question, and as Malwarebytes explains, there are probably more.