Date: 2023-01-19



An ad fraud scheme using Google ads and “pop-unders” on adult websites generated what is estimated to be millions of ad impressions on stolen content. The campaign was reported by Malwarebytes on December 20th, and the scam earned its perpetrators an estimated $275,000 per month. After being alerted, Google shut the scheme down, citing a violation of its policy prohibiting the use of Google Ads on adult sites.

A pop-under is a type of ad that opens behind the active web browser window instead of in front of it like a traditional pop-up ad. This means the ad only becomes visible when the user closes the main browser window. Pop-under ads are not intrusive. They do not block the user’s view of the content in the main browser window. Instead, the pop-under opens in a separate window and remains hidden until the user closes the active window.

Multiple layers of deception

We still don’t know who carried out this particular pop-under scam. However, Malwarebytes has collected evidence suggesting the perpetrator may be from Russia. Attackers set up multiple advertising campaigns on high-traffic adult sites using cheap pop-under ads. These types of ads are popular on legitimate dating sites and other adult content portals.

In this case, the scammers created fake blogs and news portals (with content scraped from other websites) and used them as pop-under ads. They also overlaid an iframe promoting a TXXX adult site on top of the fake page, so the fake page’s own content was not shown.

To monetize these pop-unders, the perpetrators used Google Ads. One ad was embedded at the bottom of an adult content page, which violates Google’s advertising policies. But the real money came from the fake blogs, hidden as pop-unders behind iframes.

Source: Malwarebytes

Stolen ad clicks and impressions

Malicious actors created malformed iframes using complex coding techniques designed to evade Google’s fraud detection algorithms. The iframe points to a legitimate adult content site, txxx.tube, from which adult content is imported. Clicking anywhere on the iframe page (such as selecting a thumbnail to watch a video) actually clicks on a Google ad embedded in the fake news page. And because the fake page is a pop-under, the user does not see it.

Background content consists of live website articles, tutorials, and guides that contain stolen content. The site also auto-updates with new articles and new ad sets every 9 seconds. This will generate multiple fraudulent ad impressions if the page remains open for several minutes.

According to Malwarebytes, when a user clicks on the fake blog’s browser tab, another iframe is overlaid on it, so the user sees what looks like another adult website. When the user clicks anywhere on the page, the click lands on a real Google ad instead of opening the content the user meant to select. This technique is called clickjacking.

According to Similarweb metrics, one fraudulent pop-under site receives approximately 300,000 visits per month with an average duration of 7 minutes and 45 seconds. Based on this data, Malwarebytes estimates that the page will generate 76 million ad impressions per month and approximately $276,000 in revenue per month (at a cost per 1,000 impressions (CPM) of $3.50). This estimate is specific to one particular site, and additional sites may be involved in fraudulent campaigns.

Scraped content

According to Malwarebytes, the crooks behind this scheme use a clever trick to fool Google. They hide actual readable (but scraped) content, such as a tutorial for solving a home problem, under an iframe that displays explicit content. The fake pages, chock full of Google ads, regularly update their content. Hidden behind an overlay of explicit content, new articles rotate constantly. All this happens without the user’s knowledge.

Note that this is not just one page. It is a complete blog with numerous articles that the malicious actor has scraped from other websites, covering many topics such as:

Home Heating Tips; 10 Ways to Style Your Kitchen Countertops Like a Pro; 4 Key Benefits of Installing a Gutter Protection System; -Causes-in California; before-you-plan-to-build-your-own-house-work-out-your-budget; build-your-own-home-in-3-days; build-your-own-home-your home in california needs roof ventilation homeowners best Guide to Outdoor Lighting -own-house-cost; how-much-does-it-cost-to-build-a-new-house-in-los-angeles-area-snow-and-ice-impact-your-roof; how-solar-panels can make your roof last longer; How to glue drywall to concrete blocks


Detection and prevention

Scammers are always looking for easy ways to make money online. One of the tactics they often use is to take advantage of the high traffic and low costs associated with adult content. Click-fraud schemes may also recruit click farms or bots to perform ad clicks.

In this particular scam, the user is not a bot, but a human looking for adult content. These users have genuine browser settings and network attributes. All of this makes the fraudulent traffic difficult to detect.

Malwarebytes states that without the Google ads displayed at the bottom of the page (all other ads were hidden behind a TXXX iframe), this pop-under scheme would likely not have been detected. Even with web traffic analysis tools, it can be difficult to detect the presence of an iframe when all other content looks legitimate. For example, IP exclusion lists do not work to deter this threat because the traffic is from legitimate users, not bots or click farms.

One way to avoid this type of scam is to run only retargeting ads, which are shown only to people who have visited your website in the past. But then you won’t be able to use Google Ads to acquire new customers.

Website owners who regularly check whether their content has been scraped can also help thwart this type of attack. However, relying on third parties rarely provides much better protection. Perhaps the only reasonable approach is to compare advertising spend against the expected revenue growth. If there is a large gap, you may be a victim of a pop-under scam.
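The spend-versus-revenue comparison described above, as an added example (not code from Malwarebytes or the original article): it measures each ad placement's return on ad spend against the account median and flags placements with material spend and almost no return. The report rows, field names, domains and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed placement-report rows (not real data): where the ads ran, what
# they cost, and the revenue attributed to them over the same period.
PLACEMENTS = [
    {"placement": "news-site.example",      "clicks": 960,  "cost": 400.0, "revenue": 1200.0},
    {"placement": "recipes.example",        "clicks": 510,  "cost": 250.0, "revenue": 500.0},
    {"placement": "home-tips-blog.example", "clicks": 2300, "cost": 900.0, "revenue": 18.0},
    {"placement": "forum.example",          "clicks": 95,   "cost": 40.0,  "revenue": 0.0},
    {"placement": "reviews.example",        "clicks": 640,  "cost": 300.0, "revenue": 750.0},
]


def audit_placements(rows, min_cost=100.0, roas_fraction=0.25):
    """Flag placements whose spend is material but whose return on ad spend
    (revenue / cost) is far below the account's median placement.

    min_cost and roas_fraction are illustrative thresholds, not recommendations.
    """
    scored = [(r, r["revenue"] / r["cost"]) for r in rows if r["cost"] > 0]
    if not scored:
        return []  # nothing was spent, so there is nothing to compare

    # The median is used as the baseline so that a single bad placement
    # cannot drag the reference value down the way a mean would.
    baseline = median(roas for _, roas in scored)

    flagged = []
    for row, roas in scored:
        if row["cost"] >= min_cost and roas < roas_fraction * baseline:
            flagged.append({
                "placement": row["placement"],
                "roas": roas,
                "baseline_roas": baseline,
                # Revenue this spend would have returned at the baseline rate,
                # minus what it actually returned.
                "expected_revenue_gap": row["cost"] * baseline - row["revenue"],
                "clicks": row["clicks"],
            })
    # Largest gap first: that is where the budget is leaking fastest.
    return sorted(flagged, key=lambda f: f["expected_revenue_gap"], reverse=True)


if __name__ == "__main__":
    for hit in audit_placements(PLACEMENTS):
        print(f'{hit["placement"]}: ROAS {hit["roas"]:.2f} vs median '
              f'{hit["baseline_roas"]:.2f}, gap {hit["expected_revenue_gap"]:.2f}')
```

A flagged placement is a lead for manual review of the site itself, since clicks hijacked from real users look legitimate in every other column of the report.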


