Scammers used Google Ads, stolen blog articles, and a “popunder ad scheme” on adult websites to make more than $275,000 daily. They generated millions of impressions each month.
Malwarebytes cybersecurity vendor claims that the fraudsters could use high-traffic adult websites to generate ad impressions.
Popunders, which are highly cost-effective and launch automatically when a user clicks on the website they link to, are very similar to popup ads.
Popunders appear behind the main page, while popup ads are visible on the page being viewed. After closing the browser tab to view a site, the user can see the popunder page and its ads.
Popunder publishers aim to fill the landing page with interesting content to grab the user’s interest and keep the impressions flowing.
This legitimate and common online advertising model has been around for at least a decade. The most common popunder content in the adult industry is ads for adult webcams and online dating services.
It’s not hard to see why they are so attractive to popunder ad designers, given the sheer volume of traffic on many adult websites. The popunder page appeared to be legitimate, featuring homeowner tips and how-to blogs.
Jerome Segura (senior director of threat intelligence at Malwarebytes) wrote that the popunder page had an iframe that promoted another adult website.
Segura explained that the page refreshes its contents regularly to serve a new article. This article is still hidden behind the XXX overlay to monetize Google Ads further.
Since the tab was created as a popunder, this happens without the user’s awareness. Users can click on thumbnails or videos once they are on the Txxx page. This triggers a click on a Google Ad under the popunder page. There were an average of five Google Ads per popunder webpage.
Scammers can also make money by clicking on an ad. By placing an ad on the popunder webpage, you can get impressions that other networks will also pay for. For scammers to make a profit, the user can visit the popunder page without visiting the popunder page.
Segura said that the presence of Google Ads in the iframe page indicated that this campaign was fraudulent. Google policy prohibits Google Ads from websites with adult content.
He wrote, “It turned out to be a clever way to hide a bogus blog loaded with many more ads, most of them hidden behind a fullscreen pornographic iframe.”
“As unaware visitors trigger the popunder landing page and continue browsing in their other tab, the decoy website is constantly refreshing with new content and of course new ads, generating millions of ad impressions per month.”
Malwarebytes pulled numbers from the Similarweb traffic analysis site to determine the number of visits to the decoy website.
They found that there were almost 300,000 visits per day, and more than 50 pages were viewed on each visit. Visitors stayed on the site for an average of eight minutes.
“How can a human actually browse and read 51 articles in an average of seven minutes and 45 seconds?” He asked.
“The answer is simple: they don’t. The user is most likely busy minding their own business on the other active tab while the popunder page constantly reloads new articles along with Google Ads.”
The fraudsters made a lot of money from the popunder ad. CMP can cost as little as 5 cents per 1000 impressions.
Malwarebytes stated that the campaign generated, on average, 35 ad impressions per minute. Multiplying the nearly 282,000 monthly visits, the average duration and total ad impressions generated by this campaign were more than 76.4 million per month at $3.50.
Segura stated that the language in the obscured code suggested they were Russian.