When the International Business Times and its parent Newsweek Media Group were accused in February of buying bots to help win a major ad buy from the Consumer Financial Protection Board, they had a helping hand from PopAds.
PopAds, which specializes in pop-unders and didn’t respond to requests for comment, also resells traffic, performs unauthorized cryptomining and generates fake page visits.
But PopAds’ actions aren’t a secret, and its founder, a Polish national named Tomasz Klekot, has been the subject of suspicion for years. Yet the company, and others like it, continue to exist due to apathy, inaction and misaligned buy-side incentives, said fraud researcher Augustine Fou.
“It’s the marketer’s job to spend all of their budget or they get less of it next year,” Fou said. “They’re just looking for something to buy, for volume, and companies like PopAds see an arbitrage opportunity.”
And, at least for now, there’s no law against ad fraud.
“Here, you can steal millions and just end up with chargebacks from the advertisers,” said Hagai Shechter, CEO of ad fraud detection company Fraudlogix. “No consequences, no jail time, no penalties.”
Rap sheet
PopAds was founded in 2011 by Klekot, who previously ran a now-defunct CPM ad network called trafficrevenue.net that was accused by an anti-malvertising watchdog of pushing malware.
The PopAds site is registered in Costa Rica, support is based in Poland and the technical team is located in the US.
It’s a major red flag when a website is hosted in a different country than where the company is based, according to anti-malvertising guidelines and best practices developed by the Online Trust Alliance.
Unlike pop-up ads, which block content, pop-under ads open in a separate browser window behind the active window, which makes them popular with torrent sites and sites that host adult content. As of March, the PopAds JavaScript code was present on 19,602 websites, and it’s not surprising that hundreds were porn or pirate sites, based on a search of PublicWWW, a search engine for source code across the internet.
Pop-unders, which were banned from Google AdSense as of July, are often a locus for wasted impressions, loading and reloading who knows what in the background while users continue to browse unaware in the foreground.
In 2016, Klekot and PopAds generated more than 1 billion fake page and ad views by creating 1,000 disposable sites – domains with meaningless URLs like Nnbestmblotl.com – that redirected bots to legit sites with advertising. The social media research firm Social Puncher uncovered the plot last April.
Affected brands included P&G, Chase, Pepsi, Audi, Renault, American Express and Hilton.
The PopAds client base is primarily comprised of digital businesses that need visitors, such as gambling, sports betting and low-quality online courses (“How to become a millionaire in 3 days!”), and of digital publishers that need traffic to monetize display ads.
Some of the traffic for sale through PopAds is just $1 to $2 per 1,000 visits.
PopAds created the illusion of legitimacy by mixing human and artificial traffic through its disposable sites, said Vlad Shevtsov, Social Puncher’s director of investigations. “But they themselves know very well what is being sold and to whom. And buyers themselves must understand that it is naive to get 1,000 real people for $2.”
In February, PopAds popped up again as Social Puncher investigated whether Newsweek and the International Business Times purchased traffic that originated on illegal streaming and file-sharing sites. Visits to pirate sites were disguised as visits to IBT sites using pop-under traffic running through PopAds and another pop-under provider, AdSupply. Pixalate and DoubleVerify identified the same shenanigans.
It’s unclear how much money PopAds or any one ad network makes from these schemes, but Shevtsov estimates that it’s tens of millions of dollars – which is only a tiny sliver of the overall pie.
And that’s because companies like PopAds are hired guns.
They’re “too far from large advertising budgets, and for those who really divide the advertising cake, they are just technical specialists who help solve traffic problems,” Shevtsov said. “In the food chain, they are at the lowest level, although they perform the most technically difficult work.”
Robin Hoodwinked
PopAds has other schemes too: it mines bot traffic for cryptocurrency.
It works like this: PopAds uses a script to identify fraudulent activity, as do most ad networks and exchanges. But unlike others, which usually blacklist whatever bots they find and move on, PopAds drops cryptomining code into the fraudster’s browser, which allows it to use the bad actor’s computer processing power to generate a form of cryptocurrency called Monero.
PopAds makes around $30,000 a month in Monero, said Amnon Siev, CEO of ad security and verification company GeoEdge, which spotted the scheme in December. And it does so without disrupting the publisher or slowing down the human visitor’s experience.
“This is the first time we’ve seen anything like this – and it’s a bit like Robin Hood,” Siev said. “Usually, the bad guys do the stealing, but here it’s PopAds taking money away from the bad guys.”
The problem is, PopAds didn’t stop there.
In late February, Chinese internet security company Qihoo 360 published a blog accusing PopAds of in-browser cryptojacking, which means the network is running a second mining scheme in which users are being affected.
PopAds uses a domain-generation algorithm to create a large number of random domains on the fly, something often done to bolster a malware scheme. The domains, which host tons of ads and have names like buhxsaifjxupaj.com, jeksffryglas.com and wkmuxmlk.com, change so frequently, usually daily, that they’re able to bypass ad-block lists.
According to Qihoo, PopAds is now using these algorithmically created domains to run cryptojacking code. When the Qihoo researchers visited one of the 12-letter sites, their central processing unit usage immediately shot up to 100%.
Hardly something Robin Hood would do.
But why are companies like PopAds still in business?
“WWW still stands for ‘wild, wild west, even in 2018,” said Fraudlogix’s Shechter. “Unless there’s clear processes for prosecuting, it’s always going to be a high reward, low risk proposition for fraudsters and cyber criminals.”
