A global ad fraud campaign based on Google Ads has made millions

Image Credit: Shutterstock (Image credit: Gustavo Frazao / Shutterstock)

Scammers have used the traffic from an adult website to generate clicks on Google Ad banners, netting them huge returns, experts have revealed.

Researchers from Malwarebytes, which first spotted the campaign, revealed how someone created an ad campaign on one of the major adult ad networks and used the “popunder” ad format. 

It’s essentially a pop-up, but it goes under the active browser window. That way, the ads displayed can only be seen after the user closes, or minimizes, the browser

"Clean" ads on adult sites

Then, they created a fake news website, whose content is scraped from other content sites. The articles published on this website include various tutorials, guides, and similar. Being “clean” (no adult content, gambling, or similar), the site was allowed to show ads from the Google Ads network. 

Then, they overlaid the site with an iframe showing content from the TXXX adult site. 

In other words, when a visitor from an adult site closes their browser, they’ll see a popunder advertising TXXX, which also seems legitimate, given the context. However, should the visitor try to click on any of the videos, they’ll actually be clicking on the ad and thus generate profit for the fraudsters. At the end of the day, visitors from adult websites will click on ads from the Google Ads network, which goes against Google’s advertising policy of no adult content whatsoever. 

Even if they don’t click on the ad, the simple fact that it loaded generates revenue for the fraudsters, as ad networks also pay out for ad impressions. That’s why the fake news site, and the ads on it, get refreshed every nine seconds.

Malwarebytes says popunders are quite cost-efficient, as the average cost per thousand impressions (CMP) can go as low as $0.05, and given that the traffic on adult sites is massive, the threat actor behind the scheme managed to generate a huge amount in profits.

Per Malwarebytes’ estimates, the campaign, which has now been terminated, generated 76 million ad impressions per month which, with a CPM of $3.50, brings profits up to $276,000 a month.

The threat actor's identity is unknown, but apparently, they're Russian. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.