Scammers using Google Ads, stolen blog articles, and a “popunder” ad scheme on adult sites have made more than $275,000 each day by generating millions of ad impressions each month.
So say researchers at cybersecurity provider Malwarebytes, who claim the scammers were able to use people who visited high-traffic adult websites to generate ad impressions and money, even if those people never saw any of the ads.
This is where pop-under ads came into play. Highly cost-effective pop-unders are similar to pop-up ads in that they launch when a user clicks on a website. While popup ads appear on the main page viewed by the user, popunders appear behind the main page.
The user sees the popunder page and its ads after closing the browser tab used to view a website. The goal of popunder publishers is to fill the landing page with interesting content in order to grab the user’s attention and maintain ad impressions.
It’s a common and legitimate online advertising model that has been around for at least a decade. According to Malwarebytes, common pop-under content for the adult industry includes ads for online dating services, adult webcams, or other adult portals.
Given the high traffic volume of many adult sites, it’s no secret that they are attractive to popunder ad developers.
In this case, the popunder page looked like a legitimate page showing how-to blogs and homeowner tips scraped and stolen from other websites. However, an iframe was placed over that page promoting another adult website, which covers the popunder page and keeps it out of sight, Jerome Segura, senior director of threat intelligence at Malwarebytes, wrote in a report.
“Not only that, the site also updates its content on a regular basis to deliver a new article still hidden with the XXX overlay behind it to keep making money from Google Ads,” Segura wrote. “This is happening without the user’s knowledge as the tab was launched as a popunder.”
On Txxx’s iframe page, the user can click on a video or thumbnail, which triggers a real click on a Google ad on the popunder page below, he wrote. On average, there were about five Google Ads per popunder page.
But clicking on the ad is not the only way for the scammers to make money. Simply loading an ad on the popunder page creates ad impressions that networks pay for. The user never has to see the popunder page for the scammers to get paid.
According to Segura, an indication that the campaign was fraudulent was the presence of Google Ads on the iframe page. Google policy doesn’t allow Google Ads on sites with adult content.
“It turned out to be a clever technique to hide a fake blog with many more ads, most of them hidden behind a full-screen pornographic iframe,” he wrote. “As unconscious visitors trigger the popunder landing page and continue browsing in their other tab, the Decoy site is constantly updated with new content and of course new ads, generating millions of ad impressions per month.”
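The overlay described above can be checked for geometrically: an ad slot that sits under an opaque, higher-stacked frame is never visible even though it loads and counts as an impression. The following is an added example, not code from the Malwarebytes report or from any ad network; the page layouts, element ids, and the 50 percent cut-off are constructed assumptions.

```javascript
// Constructed layouts for illustration; not data from the Malwarebytes report.
// Boxes are {x, y, w, h} in CSS pixels; a higher z paints on top.
const decoyPage = {
  overlays: [{ id: "fullscreen-iframe", x: 0, y: 0, w: 1280, h: 720, z: 9999, opaque: true }],
  ads: [
    { id: "ad-1", x: 160, y: 20, w: 728, h: 90, z: 1 },
    { id: "ad-2", x: 960, y: 120, w: 300, h: 250, z: 1 },
    { id: "ad-3", x: 960, y: 400, w: 300, h: 250, z: 1 },
    { id: "ad-4", x: 160, y: 300, w: 336, h: 280, z: 1 },
    { id: "ad-5", x: 160, y: 600, w: 728, h: 90, z: 1 },
  ],
};
const ordinaryPage = {
  overlays: [{ id: "video-embed", x: 160, y: 150, w: 640, h: 360, z: 2, opaque: true }],
  ads: [
    { id: "ad-1", x: 160, y: 20, w: 728, h: 90, z: 1 },
    { id: "ad-2", x: 700, y: 400, w: 300, h: 250, z: 1 }, // partly under the video
  ],
};

// Area of the intersection of two boxes, or 0 when they do not overlap.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Largest share of the ad's area hidden by any single opaque box stacked above it.
function coveredFraction(ad, overlays) {
  return overlays
    .filter((o) => o.opaque && o.z > ad.z)
    .reduce((max, o) => Math.max(max, overlapArea(ad, o) / (ad.w * ad.h)), 0);
}

// Assumed cut-off: an ad counts as hidden when at least half of it is covered.
const HIDDEN_THRESHOLD = 0.5;

// Lists the hidden ad slots and reports whether every ad on the page is hidden.
function auditPage(page) {
  const hiddenAds = page.ads
    .filter((ad) => coveredFraction(ad, page.overlays) >= HIDDEN_THRESHOLD)
    .map((ad) => ad.id);
  return { hiddenAds, allHidden: page.ads.length > 0 && hiddenAds.length === page.ads.length };
}

console.log(auditPage(decoyPage));    // every slot hidden by the full-screen frame
console.log(auditPage(ordinaryPage)); // nothing hidden
```

In a browser the boxes would come from `getBoundingClientRect()` and the computed stacking order of each element rather than from hand-written objects.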
Malwarebytes pulled numbers for the decoy website from traffic analysis site Similarweb and found almost 300,000 visits per month and more than 50 pages viewed per visit. The average time spent by a visitor on the website was less than eight minutes.
“How can a human actually search and read 51 articles in an average of seven minutes and 45 seconds?” he asked. “The answer is simple: they don’t. The user is most likely busy minding their own business on the other active tab while the popunder page keeps loading new articles along with Google Ads.”
The pop-under ad made the scammers a lot of money. The average cost per thousand impressions (CPM) can be as high as five cents. Malwarebytes said the site generated an average of 35 ad impressions per minute in this campaign. Multiplying the nearly 282,000 monthly visits by the average visit duration, the total number of ad impressions was more than 76.4 million per month at a CPM of $3.50.
It’s unclear who was behind the scam, but Segura wrote that the language found in the obfuscated code suggests they are likely Russians.
Malwarebytes notified Google about the deceptive ad campaign, which the search giant has since shut down.
https://www.theregister.com/2022/12/22/google_ad_popunder_scam/ Deceptive Google ‘popunder’ ad campaign raised millions of dollars • The Register