A new fraudulent online ad campaign using Google Ads on adult websites may have made its operators hundreds of thousands of dollars per month, according to Malwarebytes.
The security vendor reported the scheme to Google for violating its acceptable content policy, and it has since been taken down.
So-called “popunders” work in a similar way to a popup except they display behind the main page as an entire landing page.
In the case of the ad fraud campaign spotted by Malwarebytes, the scammers loaded a full blog as their popunder, containing dozens of articles stolen from other sites.
“The fraudster is actually deceiving Google by loading legitimate content (i.e. how to fix your plumbing issues) under a fullscreen XXX iframe,” explained Malwarebytes head of threat intelligence, Jérôme Segura.
“Not only that, but the page also refreshes its content at regular intervals to serve a new article, still hidden behind with the XXX overlay, to further monetize on Google Ads. This happens without the user's knowledge since the tab was launched as a popunder.”
He said there are an average of five Google ads on the popunder page in question, sometimes including video ads which generate the advertiser even more money.
The campaign garnered around 300,000 visits per month and over 51 pages viewed per visit, said Segura.
“How can a human actually browse and read 51 articles in an average of seven minutes and 45 seconds? The answer is simple: they don't. The user is most likely busy minding their own business on the other active tab while the popunder page constantly reloads new articles along with Google Ads,” he explained.
“We estimate that the page generates an average of 35 ad impressions every minute. If we do the math and multiply the total number of monthly visits (281.9K) and average duration (465 seconds), we get total ad impressions of 76,465,375 per month. Calculating the exact revenue made will depend on different factors, but with a CPM of $3.50, this scheme could theoretically generate $276,629 a month.”
Although not strictly speaking a bot-driven ad fraud campaign, as participants are real users with real IP addresses, the excessively high number of pages per visit marks it out as invalid traffic (IVT), Segura argued.
Editorial credit icon image: Primakov / Shutterstock.com