Experts have uncovered that fraudsters have leveraged clicks on Google Ad banners generated by visitors to an adult website to make massive profits.

Malwarebytes researchers, who discovered the campaign in the wild, detailed how an attacker had exploited a popular pornographic ad network to launch a popunder ad campaign.

It functions similarly to a pop-up, except instead of appearing on top of the current window, it appears underneath it. In this approach, the displayed advertisements will disappear when the browser is closed or minimised.

Ads that are “safe” for adults to see on pornographic sites

Then they developed a phoney news website that just republished articles from other sites. Numerous manuals, tutorials, and other instructional pieces are posted here. Due to the site’s lack of “adult material,” “gambling,” and “adult-oriented” content, it was approved to display advertisements from the Google Ads network.

Then, an iframe displaying material from the TXXX pornographic site was superimposed on top of the original site.

When a user leaves an adult website, they may be presented with a popunder for TXXX, which may appear appropriate. If the visitor tries to play one of the videos, they will really be playing an advertisement and the fraudsters will get money. Google’s advertising policy expressly forbids any kind of pornographic material, although in practise, users from adult-oriented websites often click on Google Ads network advertisements.

It doesn’t matter whether the user interacts with the ad or not; fraudsters still benefit from it loading on the page since ad networks compensate publishers for each impression. So, every nine seconds, both the phoney news and the advertisements on it are completely updated.

According to Malwarebytes, the typical cost per thousand impressions (CMP) for popunders may be as little as$0.05, and the threat actor behind the scam likely made a lot of money because of the high volume of traffic to pornographic sites.

According to Malwarebytes’ calculations, the campaign, which has since been shut down, resulted in 76 million monthly ad impressions, which, at a cost per thousand (CPM) of $3.50, equates to monthly income of $276,000.

The identity of the threat actor is unclear, however they are believed to be Russian.