Google Ad fraud campaign used adult content to make millions

Google logo over the world

A massive advertising fraud campaign using Google Ads and ‘popunders’ on adult sites is estimated to have generated millions of ad impressions on stolen articles, making the fraudsters an estimated $275k per month.

The campaign was discovered by Malwarebytes, who reported it to Google and took it down for violating policies forbidding Google Ads on adult sites.

While the campaign’s operator is unknown, evidence collected by Malwarebytes suggests the actor is likely of Russian origin.

‘Popunders’ and Google Ads

The fraudster set up advertising campaigns on adult sites receiving massive traffic using ‘popunder’ ads.

These advertisements are incredibly cheap and open as ‘pop-ups’ behind the open browser window, so the user won’t see them until they close or move the main browser window.

Typically, ‘popunders’ are used by online dating services, adult webcams, and other adult content portals.

In this case, the fraudster creates legitimate-looking news portals with scraped content from other sites, which are used as ‘popunder’ advertisements.

However, instead of showing the page’s content, they overlay an iframe that promotes a ‘TXXX’ adult site.

To generate ad revenue from these popunders, the actors also embed a Google Ad at the bottom of the page, violating Google’s advertising policies, as shown below.

Fraud site exposing a Google Ad at the bottom
Fraud site exposed by a Google Ad at the bottom (Malwarebytes)

The overlaying is achieved by a dynamically built iframe that uses heavy code obfuscation to evade automatic analysis by Google’s fraud detection bots. The iframe points to, a legitimate adult content site, which it uses to import adult content.

The iframe that points to
The iframe that points to (Malwarebytes)

“Once a user gets the tab into focus (it was a popunder), suddenly the page rotation stops and what the user sees is what looks like another adult website (the iframe),” explains Malwarebytes.

“A click anywhere on the page (the user may want to select one of the thumbnails and watch a specific video) triggers a real click on a Google ad instead.”

Article impressions

The articles loaded in the background (under the adult content iframe) are stolen from legitimate sites, primarily tutorials, articles, and guides.

These pages contained an average of five Google Ads, sometimes even including video ads that generate more substantial revenue.

Article under the iframe
Article under the iframe (Malwarebytes)

The fraudster sets the background content to refresh with a new article and a fresh set of ads every nine seconds, so if the page stays open for a couple of minutes, multiple fraudulent ad impressions are generated.

Similarweb metrics report that the fraudulent page generates roughly 300,000 visits per month with an average duration of 7 minutes and 45 seconds.

Based on that, Malwarebytes estimated the ad impressions to be 76 million per month and the revenue to be $276k/month (based on CPM of $3.50).

This number is an estimation for the particular site, and as Malwarebytes explains, there likely are more.

Original Source

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

Digital Patreon Wordmark FieryCoralv2

To keep up to date follow us on the below channels.

Click Above for Telegram
Click Above for Discord
Click Above for Reddit
hd linkedin
Click Above For LinkedIn