Researchers from Malwarebytes described a campaign in which cybercriminals used porn site visitors to get money for showing ads, even if users had never seen those ads.
Fraudsters used "popunder ad" - a pop-up ad that runs when a user opens the site. While the pop-up ad appears on the home page, the pop-under opens in a new window under the tab the user is working on.
In the detected campaign, the pop-up ad looks like a real blog with articles stolen from other sites. But on top of this page is an "iframe" - a porn site that completely overlaps the original page.
In addition, blog posts are regularly updated and generate new ads for further monetization in Google Ads. This happens without the user's knowledge as the tab is launched as a popunder.
If a user clicks on a video in an iframe page, it will count as a click on a Google ad at the bottom of the page. On average, there were about 5 Google ads per popunder page.
But clicks on ads are not the only way scammers make money. Simply loading an ad on a popunder page creates ad impressions that the attackers get paid for. In this case, the user does not even need to see a pop-up window.
According to Segura, a sign that this was a fraudulent campaign was the presence of Google Ads on the iframe page. Google policy does not allow Google ads to be placed on websites with adult content.
“It turned out to be a clever way to hide a fake blog loaded with a lot of ads, most of which are hidden behind a full-screen pornographic iframe. As unsuspecting visitors launch the pop-up landing page and continue browsing in another tab, the honeypot website is constantly updated with new content and new ads, generating millions of ad impressions per month,” Malwarebytes said.
Malwarebytes researchers found almost 300,000 visits per month and over 50 page views per visit. The average time a visitor spent on the site was less than 8 minutes. The user may be on another active tab, and the popup page is constantly updating new articles along with Google Ads.
For this campaign, the page generated an average of 35 ad impressions per minute. The total number of ad impressions was more than 76.4 million per month, and for one impression, the fraudsters received $3.5 (Average CPM), which amounted to almost $270,000.
Malwarebytes notified Google of the ad campaign, which has now been fixed.