Scammers used traffic from an adult website to generate clicks on Google banner ads, earning them huge profits, experts revealed.
Malwarebytes researchers, who were the first to spot the campaign, revealed how someone created an ad campaign on a major adult ad network and used the "popunder" ad format.
It's basically a popup window, but it goes below the active browser window. In this way, the displayed ads can only be seen after the user closes or minimizes the browser.
"Clean" Ads on Adult Sites
They then created a fake news website, with content taken from other content sites. The articles posted on this website include various tutorials, guides, and others. Being "clean" (no adult, gambling or similar content), the site was able to serve ads from the Google Ads network.
They then overlayed the site with an iframe displaying content from the adult site TXXX.
In other words, when a visitor to an adult site closes their browser, they'll see a popup advertising TXXX, which also looks legitimate given the context. However, if the visitor tries to click on one of the videos, she will actually click on the ad and make money for the scammers. Ultimately, visitors to adult websites will click on ads from the Google Ads network, which is against Google's advertising policy that prohibits all adult content.
Even if they don't click on the ad, the mere fact that it's loaded generates revenue for scammers, as ad networks also pay for ad impressions. This is why the fake news site and the ads it contains are updated every nine seconds.
Malwarebytes says that popunders are quite profitable, since the average cost per thousand impressions (CMP) can be as low as €0.05, and since the traffic on adult sites is massive, the threat actor behind the scheme managed to generate a large amount of profit.
According to Malwarebytes estimates, the campaign, which has since ended, generated 76 million ad impressions per month, which, at a CPM of $3,50, yields revenue of up to $276.000 per month.
The identity of the menacing actor is unknown, but they appear to be Russian.
Via: BleepingComputer (Opens in a new tab)