January 18, 2023 By Jonathan Reed 4 min read

An advertising fraud scheme that utilized Google Ads and “pop-unders” on adult websites generated estimated millions of ad impressions on stolen content. The campaign was reported by Malwarebytes on December 20, and the scam raked in an estimated $275,000 per month for the perpetrators. Alerted to the scam, Google shut down the fraudulent activity for violating the company’s policies prohibiting the use of Google Ads on adult sites.

A pop-under is a type of advertisement that appears behind an open web browser window rather than in front of it like a traditional popup ad. This means that the ad will only be visible to the user once they close the main browser window. Pop-under ads are non-intrusive. They do not obstruct the user’s view of the content on the main browser window. Instead, pop-unders open in a separate window that remains hidden until the user closes the active window.

Multiple layers of deception

We still do not know who perpetrated this particular pop-under scam. However, Malwarebytes gathered evidence that suggests that the perpetrator may be of Russian origin. The actor set up multiple advertising campaigns on high-traffic adult sites using cheap pop-under ads. These types of ads are popular on legitimate online dating sites and other adult content portals.

In this case, the scammer created fake blogs and news portals (with scraped content from other websites) and used them as pop-under advertisements. And instead of displaying the content of the fake page, they overlaid an iframe promoting the TXXX adult site.

To collect revenue from these pop-unders, the perpetrators used a Google Ad scheme. One ad was embedded at the bottom of the adult content page, which goes against Google’s advertising policies. But the real money came from the fake blog hidden as a pop-under behind the iframe.

Source: Malwarebytes

Stolen ad clicks and impressions

Malicious actors created the fraudulent iframe using complex coding techniques designed to evade Google’s fraud detection algorithms. The iframe points to txxx.tube, a legitimate adult content site, and imported adult content from there. A click anywhere on the iframe page (such as selecting a thumbnail to watch a video) triggers a real click on a Google Ad embedded in the fake news page. And since the fake page is a pop-under, it’s not visible.

The background content consists of articles, tutorials and guides from live websites that contain stolen content. Also, the site auto-refreshes every nine seconds with a new article and a new set of ads. This generates multiple fraudulent ad impressions if the page remains open for a few minutes.

According to Malwarebytes, if a user clicks on the fake blog browser tab, the malware presents them with what appears to be another adult website due to the presence of another overlaid iframe. If the user clicks anywhere on the page, they will inadvertently trigger a real click on a Google Ad instead of accessing the content they intended to view. This technique is referred to as clickjacking.

Metrics from Similarweb indicate that a single fraudulent pop-under site receives approximately 300,000 visits per month, with an average duration of 7 minutes and 45 seconds. Based on this data, Malwarebytes estimates that the pages generate 76 million ad impressions per month and revenue of approximately $276,000 per month (based on a cost per thousand impressions, or CPM, of $3.50). This estimate is specific to one particular site, and additional sites may be involved in the fraudulent campaign.

Scraped content

As per Malwarebytes, the fraudster behind this scheme has employed a clever trick to deceive Google. They hide real and readable — but scraped — content, such as tutorials on fixing household problems, beneath an iframe displaying explicit content. The fake page, packed with Google Ads, will refresh its content at regular intervals. New articles continuously rotate, hidden behind the overlay of explicit material. This all takes place without the user’s knowledge.

It’s worth noting that this is not just a single page. Instead, it’s a full blog featuring numerous articles that malicious actors scraped from other websites with many topics, such as:

  • 10-home-heating-tips
  • 10-ways-to-style-your-kitchen-countertops-like-a-pro
  • 4-main-benefits-of-installing-gutter-protection-systems
  • 8-most-common-roof-leak-causes-in-california
  • before-you-plan-to-build-your-own-house-work-out-your-budget
  • build-your-own-home-in-3-days
  • build-your-own-home-in-the-country
  • does-your-home-in-california-need-roof-ventilation
  • homeowner-s-guide-to-the-best-outdoor-lighting
  • how-much-does-a-mortgage-to-build-your-own-house-cost
  • how-much-does-it-cost-to-build-a-new-house-in-los-angeles-area
  • how-snow-and-ice-impact-your-roof
  • how-solar-panels-can-make-your-roof-last-longer
  • how-to-adhere-drywall-to-a-concrete-block
  • how-to-build-modern-dining-room-in-california

Source: Malwarebytes

Detection and prevention

Fraudsters are always looking for ways to make easy money online. One tactic they frequently use is taking advantage of the high volume of traffic and low costs associated with adult content. Click fraud schemes may also recruit click farms or bots to do the ad clicking for them.

In this particular scam, the users are not bots but rather human beings looking for adult content. These users have authentic browser settings and networking attributes. All this makes it difficult to detect the traffic since it appears legitimate.

Malwarebytes stated that if it weren’t for the Google Ad displayed at the bottom of the page (all other ads were hidden behind the TXXX iframe), they likely would not have detected this pop-under scheme. Despite the use of web traffic analysis tools, it can be difficult to detect the presence of an iframe when all other content appears legitimate. For example, IP exclusion lists wouldn’t work to deter this threat since traffic comes from legitimate users, not bots or click farms.

One way to avoid this kind of scam would be to only run retargeted ads that are only visible to people who have visited your website in the past. But that would exclude the use of Google Ads to attract new customers.

If website owners regularly checked to see if their content has been scraped, that would also help deter this kind of attack. But relying on a third party would not likely improve your protection significantly. Perhaps the only reasonable method would be to analyze your ad spend versus the expected revenue increase. If there’s a large gap, you might be a victim of a pop-unders scam.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today