An enormous advertising fraud campaign that used Google Ads and “popunders” on adult websites is estimated to have generated millions of ad impressions on stolen articles, earning the scammers an estimated $275k each month.
Malwarebytes discovered the campaign and reported it to Google. Google took down the campaign for violating Google Ads policies on sites containing adult content.
Malwarebytes' evidence suggests that the operator of the campaign is Russian.
Google Ads and ‘Popunders’
The fraudster created advertising campaigns on adult websites that receive huge traffic, using popunder ads.
These ads are extremely cheap and appear as pop-ups behind the open browser window, so the user does not see them until the browser is closed or moved.
Popunders are used by online dating sites, adult webcam services and other portals that offer adult content.
The fraudster builds fake news portals using content scraped from other websites. These are then used to create the ‘popunder’ advertisements.
Instead of displaying that content, however, the page shows an iframe that promotes a TXXX adult website.
The actors embed a Google ad at the bottom of the page to generate advertising revenue. This violates Google’s advertising policies, as shown below.
Fraud site exposed by a Google Ad at the bottom (Malwarebytes)
The overlay is accomplished with a dynamically constructed iframe that uses heavy code obfuscation to avoid automatic analysis by Google’s fraud detection bots. The iframe points to txxx.tube, a legal adult content website that imports adult content.
The iframe that points to txxx.tube (Malwarebytes)
A click anywhere on the page triggers a click on a Google ad instead.
Impressions of the article
The articles loaded in the background, under the adult content iframe, were stolen from legitimate sites. They include tutorials, articles and guides.
The pages carried an average of five Google Ads. Sometimes these included video ads, which generate greater revenue.
Article under the iframe (Malwarebytes)
The fraudster causes the background content of the page to be refreshed with new articles and ads every nine seconds. If the page is left open for more than a few minutes, multiple fraudulent impressions result.
Similarweb analytics report that this fraudulent page receives approximately 300,000 visitors per month, with an average time of 7 minutes 45 seconds per visit.
Based on this data, Malwarebytes estimated the number of ad impressions at 76,000,000 per month and the revenue at $276k per month, based on a CPM of 3.50.
This figure is only an estimate for this one site. Malwarebytes suggests that there may be more.