Google logo over the world

A massive advertising fraud campaign using Google Ads and ‘popunders’ on adult sites is estimated to have generated millions of ad impressions on stolen articles, making the fraudsters an estimated $275k per month.

The campaign was discovered by Malwarebytes, who reported it to Google and took it down for violating policies forbidding Google Ads on adult sites.

While the campaign’s operator is unknown, evidence collected by Malwarebytes suggests the actor is likely of Russian origin.

‘Popunders’ and Google Ads

The fraudster set up advertising campaigns on adult sites receiving massive traffic using ‘popunder’ ads.

These advertisements are incredibly cheap and open as ‘pop-ups’ behind the open browser window, so the user won’t see them until they close or move the main browser window.

Typically, ‘popunders’ are used by online dating services, adult webcams, and other adult content portals.

In this case, the fraudster creates legitimate-looking news portals with scraped content from other sites, which are used as ‘popunder’ advertisements.

However, instead of showing the page’s content, they overlay an iframe that promotes a ‘TXXX’ adult site.

To generate ad revenue from these popunders, the actors also embed a Google Ad at the bottom of the page, violating Google’s advertising policies, as shown below.

Fraud site exposing a Google Ad at the bottom
Fraud site exposed by a Google Ad at the bottom (Malwarebytes)

The overlaying is achieved by a dynamically built iframe that uses heavy code obfuscation to evade automatic analysis by Google’s fraud detection bots. The iframe points to txxx.tube, a legitimate adult content site, which it uses to import adult content.

The iframe that points to txxx.tube
The iframe that points to txxx.tube (Malwarebytes)

“Once a user gets the tab into focus (it was a popunder), suddenly the page rotation stops and what the user sees is what looks like another adult website (the iframe),” explains Malwarebytes.

“A click anywhere on the page (the user may want to select one of the thumbnails and watch a specific video) triggers a real click on a Google ad instead.”

Article impressions

The articles loaded in the background (under the adult content iframe) are stolen from legitimate sites, primarily tutorials, articles, and guides.

These pages contained an average of five Google Ads, sometimes even including video ads that generate more substantial revenue.

Article under the iframe
Article under the iframe (Malwarebytes)

The fraudster sets the background content to refresh with a new article and a fresh set of ads every nine seconds, so if the page stays open for a couple of minutes, multiple fraudulent ad impressions are generated.

Similarweb metrics report that the fraudulent page generates roughly 300,000 visits per month with an average duration of 7 minutes and 45 seconds.

Based on that, Malwarebytes estimated the ad impressions to be 76 million per month and the revenue to be $276k/month (based on CPM of $3.50).

This number is an estimation for the particular site, and as Malwarebytes explains, there likely are more.

Source: www.bleepingcomputer.com