January 18, 2023 By Jonathan Reed 4 min read

An advertising fraud scheme that utilized Google Ads and “pop-unders” on adult websites generated estimated millions of ad impressions on stolen content. The campaign was reported by Malwarebytes on December 20, and the scam raked in an estimated $275,000 per month for the perpetrators. Alerted to the scam, Google shut down the fraudulent activity for violating the company’s policies prohibiting the use of Google Ads on adult sites.

A pop-under is a type of advertisement that appears behind an open web browser window rather than in front of it like a traditional popup ad. This means that the ad will only be visible to the user once they close the main browser window. Pop-under ads are non-intrusive. They do not obstruct the user’s view of the content on the main browser window. Instead, pop-unders open in a separate window that remains hidden until the user closes the active window.

Multiple layers of deception

We still do not know who perpetrated this particular pop-under scam. However, Malwarebytes gathered evidence that suggests that the perpetrator may be of Russian origin. The actor set up multiple advertising campaigns on high-traffic adult sites using cheap pop-under ads. These types of ads are popular on legitimate online dating sites and other adult content portals.

In this case, the scammer created fake blogs and news portals (with scraped content from other websites) and used them as pop-under advertisements. And instead of displaying the content of the fake page, they overlaid an iframe promoting the TXXX adult site.

To collect revenue from these pop-unders, the perpetrators used a Google Ad scheme. One ad was embedded at the bottom of the adult content page, which goes against Google’s advertising policies. But the real money came from the fake blog hidden as a pop-under behind the iframe.

Source: Malwarebytes

Stolen ad clicks and impressions

Malicious actors created the fraudulent iframe using complex coding techniques designed to evade Google’s fraud detection algorithms. The iframe points to txxx.tube, a legitimate adult content site, and imported adult content from there. A click anywhere on the iframe page (such as selecting a thumbnail to watch a video) triggers a real click on a Google Ad embedded in the fake news page. And since the fake page is a pop-under, it’s not visible.

The background content consists of articles, tutorials and guides from live websites that contain stolen content. Also, the site auto-refreshes every nine seconds with a new article and a new set of ads. This generates multiple fraudulent ad impressions if the page remains open for a few minutes.

According to Malwarebytes, if a user clicks on the fake blog browser tab, the malware presents them with what appears to be another adult website due to the presence of another overlaid iframe. If the user clicks anywhere on the page, they will inadvertently trigger a real click on a Google Ad instead of accessing the content they intended to view. This technique is referred to as clickjacking.

Metrics from Similarweb indicate that a single fraudulent pop-under site receives approximately 300,000 visits per month, with an average duration of 7 minutes and 45 seconds. Based on this data, Malwarebytes estimates that the pages generate 76 million ad impressions per month and revenue of approximately $276,000 per month (based on a cost per thousand impressions, or CPM, of $3.50). This estimate is specific to one particular site, and additional sites may be involved in the fraudulent campaign.

Scraped content

As per Malwarebytes, the fraudster behind this scheme has employed a clever trick to deceive Google. They hide real and readable — but scraped — content, such as tutorials on fixing household problems, beneath an iframe displaying explicit content. The fake page, packed with Google Ads, will refresh its content at regular intervals. New articles continuously rotate, hidden behind the overlay of explicit material. This all takes place without the user’s knowledge.

It’s worth noting that this is not just a single page. Instead, it’s a full blog featuring numerous articles that malicious actors scraped from other websites with many topics, such as:

  • 10-home-heating-tips
  • 10-ways-to-style-your-kitchen-countertops-like-a-pro
  • 4-main-benefits-of-installing-gutter-protection-systems
  • 8-most-common-roof-leak-causes-in-california
  • before-you-plan-to-build-your-own-house-work-out-your-budget
  • build-your-own-home-in-3-days
  • build-your-own-home-in-the-country
  • does-your-home-in-california-need-roof-ventilation
  • homeowner-s-guide-to-the-best-outdoor-lighting
  • how-much-does-a-mortgage-to-build-your-own-house-cost
  • how-much-does-it-cost-to-build-a-new-house-in-los-angeles-area
  • how-snow-and-ice-impact-your-roof
  • how-solar-panels-can-make-your-roof-last-longer
  • how-to-adhere-drywall-to-a-concrete-block
  • how-to-build-modern-dining-room-in-california

Source: Malwarebytes

Detection and prevention

Fraudsters are always looking for ways to make easy money online. One tactic they frequently use is taking advantage of the high volume of traffic and low costs associated with adult content. Click fraud schemes may also recruit click farms or bots to do the ad clicking for them.

In this particular scam, the users are not bots but rather human beings looking for adult content. These users have authentic browser settings and networking attributes. All this makes it difficult to detect the traffic since it appears legitimate.

Malwarebytes stated that if it weren’t for the Google Ad displayed at the bottom of the page (all other ads were hidden behind the TXXX iframe), they likely would not have detected this pop-under scheme. Despite the use of web traffic analysis tools, it can be difficult to detect the presence of an iframe when all other content appears legitimate. For example, IP exclusion lists wouldn’t work to deter this threat since traffic comes from legitimate users, not bots or click farms.

One way to avoid this kind of scam would be to only run retargeted ads that are only visible to people who have visited your website in the past. But that would exclude the use of Google Ads to attract new customers.

If website owners regularly checked to see if their content has been scraped, that would also help deter this kind of attack. But relying on a third party would not likely improve your protection significantly. Perhaps the only reasonable method would be to analyze your ad spend versus the expected revenue increase. If there’s a large gap, you might be a victim of a pop-unders scam.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today