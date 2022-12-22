



Scammers using Google Ads, stolen blog posts, and “pop-under” advertising schemes on adult websites have made over $275,000 a day by generating millions of ad impressions each month .

Researchers at cybersecurity vendor Malwarebytes found that scammers were able to take advantage of people visiting high-traffic adult websites to generate ad impressions and money, even if they had never seen an ad before. claim.

That’s where pop-under ads come in. A cost-effective pop-under is similar to a pop-up ad in that it launches when a user clicks on her website. Pop-up ads appear on the main page the user is on, while pop-unders appear behind the main page.

When users close the browser tab they used to view your site, they see the pop-under page and its ads. The goal of Popunder publishers is to add interesting content to their landing pages to grab user attention and keep ad impressions flowing.

This is a common and legitimate online advertising model that has been around for at least a decade. According to Malwarebytes, common pop-under content for the adult industry includes advertisements for online dating services, adult webcams, or other adult portals.

Given the high traffic of many adult websites, it’s no secret that they are attractive to popunder ad developers.

In this case, the popunder page looked like a legitimate page displaying how-to blogs and homeowner tips stolen from other sites. However, overlaid on top of that page was an iframe advertising another adult site obscuring the popunder page.

“Not only that, but the page regularly updates its content and offers new articles, but it’s still hidden behind an XXX overlay for further monetization with Google Ads,” Segura wrote. . “This happens without the user’s knowledge because the tab was launched as a popunder.”

He writes that when visiting Txxx’s iframe page, users can click on the video or thumbnail, which in turn actually clicks on the Google ad on the pop-under page below. On average, there were about 5 of his Google ads per popunder page.

But clicking on ads is not the only way scammers make money. Simply loading an ad on a popunder page creates an ad impression that the network pays for. The user does not need to see the popunder page for the scammers to get paid.

According to Segura, this was a fraudulent campaign, as the iframe page displayed a Google ad. Google’s policy does not allow him to run Google ads on websites that display adult content.

“It turned out to be a clever way to hide fake blogs with more ads, most of them hidden behind full-screen porn iframes,” he said. writing. “When an unaware visitor triggers popunder’s landing page and continues browsing in a separate tab, her website under the bait is constantly updated with new content and new ads, driving millions of ad impressions per month.” will be generated.”

Malwarebytes pulled numbers for the decoy website from the Similarweb traffic analyst site and found around 300,000 visits per month, with over 50 pages viewed per visit. Visitors spent less than 8 minutes on average on the site.

“Can a human actually browse and read 51 articles in an average of 7 minutes and 45 seconds?” he asked. “The answer is simple. It’s not. While the popunder page is constantly reloading new articles alongside his Google Ads, users are more likely to care about their business in other active tabs. is.”

Pop-under ads have made the scammers a lot of money. Average cost per thousand impressions (CMP) can be as low as 5 cents. According to Malwarebytes, pages generated an average of 35 ad impressions per minute in this campaign. Multiplying approximately 282,000 monthly visits by average duration, total ad impressions exceeded 76.4 million per month at a CMP of $3.50.

It’s unclear who the crooks behind the scam are, but the language found in the obfuscated code indicates they’re likely Russian, Segura wrote.

Malwarebytes notified Google of the deceptive advertising campaign, but the search giant has since shut down.

