An advertising fraud scheme that utilized Google Ads and “pop-unders” on adult websites generated estimated millions of ad impressions on stolen content. The campaign was reported by Malwarebytes on December 20, and the scam raked in an estimated $275,000 per month for the perpetrators. Alerted to the scam, Google shut down the fraudulent activity for violating the company’s policies prohibiting the use of Google Ads on adult sites.

A pop-under is a type of advertisement that appears behind an open web browser window rather than in front of it like a traditional popup ad. This means that the ad will only be visible to the user once they close the main browser window. Pop-under ads are non-intrusive. They do not obstruct the user’s view of the content on the main browser window. Instead, pop-unders open in a separate window that remains hidden until the user closes the active window.

Multiple Layers of Deception

We still do not know who perpetrated this particular pop-under scam. However, Malwarebytes gathered evidence that suggests that the perpetrator may be of Russian origin. The actor set up multiple advertising campaigns on high-traffic adult sites using cheap pop-under ads. These types of ads are popular on legitimate online dating sites and other adult content portals.

In this case, the scammer created fake blogs and news portals (with scraped content from other websites) and used them as pop-under advertisements. And instead of displaying the content of the fake page, they overlaid an iframe promoting the TXXX adult site.

To collect revenue from these pop-unders, the perpetrators used a Google Ad scheme. One ad was embedded at the bottom of the adult content page, which goes against Google’s advertising policies. But the real money came from the fake blog hidden as a pop-under behind the iframe.

Source: Malwarebytes

Stolen Ad Clicks and Impressions

Malicious actors created the fraudulent iframe using complex coding techniques designed to evade Google’s fraud detection algorithms. The iframe points to, a legitimate adult content site, and imported adult content from there. A click anywhere on the iframe page (such as selecting a thumbnail to watch a video) triggers a real click on a Google Ad embedded in the fake news page. And since the fake page is a pop-under, it’s not visible.

The background content consists of articles, tutorials and guides from live websites that contain stolen content. Also, the site auto-refreshes every nine seconds with a new article and a new set of ads. This generates multiple fraudulent ad impressions if the page remains open for a few minutes.

According to Malwarebytes, if a user clicks on the fake blog browser tab, the malware presents them with what appears to be another adult website due to the presence of another overlaid iframe. If the user clicks anywhere on the page, they will inadvertently trigger a real click on a Google Ad instead of accessing the content they intended to view. This technique is referred to as clickjacking.

Metrics from Similarweb indicate that a single fraudulent pop-under site receives approximately 300,000 visits per month, with an average duration of 7 minutes and 45 seconds. Based on this data, Malwarebytes estimates that the pages generate 76 million ad impressions per month and revenue of approximately $276,000 per month (based on a cost per thousand impressions, or CPM, of $3.50). This estimate is specific to one particular site, and additional sites may be involved in the fraudulent campaign.

Scraped Content

As per Malwarebytes, the fraudster behind this scheme has employed a clever trick to deceive Google. They hide real and readable — but scraped — content, such as tutorials on fixing household problems, beneath an iframe displaying explicit content. The fake page, packed with Google Ads, will refresh its content at regular intervals. New articles continuously rotate, hidden behind the overlay of explicit material. This all takes place without the user’s knowledge.

It’s worth noting that this is not just a single page. Instead, it’s a full blog featuring numerous articles that malicious actors scraped from other websites with many topics, such as:

  • 10-home-heating-tips
  • 10-ways-to-style-your-kitchen-countertops-like-a-pro
  • 4-main-benefits-of-installing-gutter-protection-systems
  • 8-most-common-roof-leak-causes-in-california
  • before-you-plan-to-build-your-own-house-work-out-your-budget
  • build-your-own-home-in-3-days
  • build-your-own-home-in-the-country
  • does-your-home-in-california-need-roof-ventilation
  • homeowner-s-guide-to-the-best-outdoor-lighting
  • how-much-does-a-mortgage-to-build-your-own-house-cost
  • how-much-does-it-cost-to-build-a-new-house-in-los-angeles-area
  • how-snow-and-ice-impact-your-roof
  • how-solar-panels-can-make-your-roof-last-longer
  • how-to-adhere-drywall-to-a-concrete-block
  • how-to-build-modern-dining-room-in-california

Source: Malwarebytes

Detection and Prevention

Fraudsters are always looking for ways to make easy money online. One tactic they frequently use is taking advantage of the high volume of traffic and low costs associated with adult content. Click fraud schemes may also recruit click farms or bots to do the ad clicking for them.

In this particular scam, the users are not bots but rather human beings looking for adult content. These users have authentic browser settings and networking attributes. All this makes it difficult to detect the traffic since it appears legitimate.

Malwarebytes stated that if it weren’t for the Google Ad displayed at the bottom of the page (all other ads were hidden behind the TXXX iframe), they likely would not have detected this pop-under scheme. Despite the use of web traffic analysis tools, it can be difficult to detect the presence of an iframe when all other content appears legitimate. For example, IP exclusion lists wouldn’t work to deter this threat since traffic comes from legitimate users, not bots or click farms.

One way to avoid this kind of scam would be to only run retargeted ads that are only visible to people who have visited your website in the past. But that would exclude the use of Google Ads to attract new customers.

If website owners regularly checked to see if their content has been scraped, that would also help deter this kind of attack. But relying on a third party would not likely improve your protection significantly. Perhaps the only reasonable method would be to analyze your ad spend versus the expected revenue increase. If there’s a large gap, you might be a victim of a pop-unders scam.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

HHS Releases Hospital Cyber Resiliency Landscape Analysis

4 min read - On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness. The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct…

4 min read

Zombie APIs are a Top Security Concern as API Attacks Surge 400%

4 min read - Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services. For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average…

4 min read

Google’s Bug Bounty Hits $12 Million: What About the Risks?

4 min read - Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase. Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security…

4 min read

Swiss Army Knife Malware Slices Through Systems In so Many Ways

4 min read - What if one single malware strain could cut through any security that tried to stop it? In a new study of more than 550,000 live malware strains, the Picus Red Report 2023 has unveiled a trove of over 5 million malicious activities. In the report, researchers identified the top tactics utilized by cyber criminals in 2022. Picus' findings also highlighted the growing prevalence of "Swiss Army knife malware". This type of malicious software is capable of executing a range of…

4 min read