
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars

Scammers using Google Ads, stolen blog articles, and a “popunder” ad scheme on adult websites pulled in more than $275,000 a day by generating millions of ad impressions every month.

So say researchers at cybersecurity vendor Malwarebytes, who assert the fraudsters were able to use people visiting high-traffic adult websites to generate the ad impressions and money even if those individuals never saw any of the ads.

That’s where the popunder advertisements came in. Highly cost-efficient popunders are similar to pop-up ads in that they launch when a user clicks on a website. While pop-up ads appear on the main page being viewed by the user, popunders are displayed behind the main page.

The user will see the popunder page and its ads after closing the browser tab used to view a site. Popunder publishers’ goal is to populate the landing page with interesting content to capture the user’s attention and keep the ad impressions flowing.

It’s a common and legitimate online advertising model that has been around for at least a decade. According to Malwarebytes, common popunder content for the adult industry includes ads for online dating services, adult webcams, or other adult portals.

Given the high traffic of many adult websites, it’s no secret that they are attractive to popunder ad developers.

In this case, the popunder page looked like a legitimate page showing how-to blogs and homeowner tips scraped and stolen from other sites. However, overlaid atop that page was an iframe promoting another adult site that covered the popunder page and kept it out of sight, Jerome Segura, senior director of threat intelligence at Malwarebytes, wrote in a report.

“Not only that, but the page also refreshes its content at regular intervals, to serve a new article, still hidden behind with the XXX overlay to further monetize on Google Ads,” Segura wrote. “This happens without the user’s knowledge since the tab was launched as a popunder.”

Once on the Txxx iframe page, the user may click on a video or thumbnail, which triggers a real click on a Google Ad on the popunder page underneath, he wrote. On average, there were about five Google Ads per popunder page.

But clicking on the ad is not the only way for the scammers to make money. Simply loading an ad on the popunder page creates ad impressions that networks also will pay for. The user doesn’t ever have to see the popunder page for the scammers to get paid.

A tell that this was a fraudulent campaign was the presence of Google Ads on the iframe page, according to Segura. Google policy does not allow Google Ads on websites showing adult content.

“It turned out to be a clever way to hide a bogus blog loaded with many more ads, most of them hidden behind a fullscreen pornographic iframe,” he wrote. “As unaware visitors trigger the popunder landing page and continue browsing in their other tab, the decoy website is constantly refreshing with new content and of course new ads, generating millions of ad impressions per month.”
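The layout trick described above, ads sitting underneath a fullscreen iframe, can be checked from element geometry. The following is an added example, not code from the Malwarebytes report; the element records, the names `auditAdOcclusion` and `SAMPLE_LAYOUT`, and the 50% threshold are assumptions made for illustration.

```javascript
// Added example: flag ad slots that sit underneath a higher-stacked iframe.
// Element records are constructed sample data; in a browser they would come
// from getBoundingClientRect() and the computed stacking order.

// Area of the intersection of two rectangles {x, y, w, h}, in CSS pixels.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// For every ad slot, find the iframe painted above it that covers the most
// of its area. threshold is an assumed cut-off, not a value from the report.
function auditAdOcclusion(elements, threshold = 0.5) {
  const frames = elements.filter((e) => e.kind === "iframe");
  return elements.filter((e) => e.kind === "ad").map((ad) => {
    let occluded = 0;
    let by = null;
    for (const f of frames) {
      if (f.z <= ad.z) continue; // an iframe below the ad cannot hide it
      const frac = overlapArea(ad.rect, f.rect) / (ad.rect.w * ad.rect.h);
      if (frac > occluded) {
        occluded = frac;
        by = f.id;
      }
    }
    return { id: ad.id, occluded, by, hidden: occluded >= threshold };
  });
}

// Constructed layout: a 1280x720 iframe stacked over a blog page with three ad slots.
const SAMPLE_LAYOUT = [
  { id: "overlay", kind: "iframe", z: 1000, rect: { x: 0, y: 0, w: 1280, h: 720 } },
  { id: "ad-top", kind: "ad", z: 1, rect: { x: 140, y: 20, w: 728, h: 90 } },
  { id: "ad-side", kind: "ad", z: 1, rect: { x: 960, y: 200, w: 300, h: 250 } },
  { id: "ad-footer", kind: "ad", z: 1, rect: { x: 140, y: 700, w: 728, h: 90 } },
];

for (const r of auditAdOcclusion(SAMPLE_LAYOUT)) {
  const pct = (r.occluded * 100).toFixed(0);
  console.log(`${r.id}: ${pct}% covered by ${r.by}, hidden=${r.hidden}`);
}
```

Ad slots reported as hidden while still logging impressions are the mismatch an ad-quality reviewer would look for on a page like the decoy blog.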

Pulling numbers for the decoy website from the Similarweb traffic analysis site, Malwarebytes found almost 300,000 visits per month and more than 50 pages viewed per visit. The average visit duration was less than eight minutes.

“How can a human actually browse and read 51 articles in an average of seven minutes and 45 seconds?” he asked. “The answer is simple: they don’t. The user is most likely busy minding their own business on the other active tab while the popunder page constantly reloads new articles along with Google Ads.”

The popunder ad generated a lot of money for the fraudsters. The average cost per thousand impressions (CPM) can be as low as five cents. Malwarebytes said that in this campaign, the page generated an average of 35 ad impressions a minute. Multiplying the almost 282,000 monthly visits by the average visit duration and that per-minute rate, total ad impressions were more than 76.4 million a month at a CPM of $3.50.

It’s unclear who the scammers behind the fraud were, but Segura wrote that language found in the obfuscated code indicated they likely are Russian.

Malwarebytes notified Google about the fraudulent ad campaign, which the search giant has since shut down. ®
