When the International Business Times and its parent Newsweek Media Group were accused in February of buying bots to help win a major ad buy from the Consumer Financial Protection Board, they had a helping hand from PopAds.
PopAds, which specializes in pop-unders and didn’t respond to requests for comment, also resells traffic, performs unauthorized cryptomining and generates fake page visits.
But PopAds’ actions aren’t a secret, and its founder, a Polish national named Tomasz Klekot, has been the subject of suspicion for years. Yet the company, and others like it, continue to exist due to apathy, inaction and misaligned buy-side incentives, said fraud researcher Augustine Fou.
“It’s the marketer’s job to spend all of their budget or they get less of it next year,” Fou said. “They’re just looking for something to buy, for volume, and companies like PopAds see an arbitrage opportunity.”
And, at least for now, there’s no law against ad fraud.
“Here, you can steal millions and just end up with chargebacks from the advertisers,” said Hagai Shechter, CEO of ad fraud detection company Fraudlogix. “No consequences, no jail time, no penalties.”
PopAds was founded in 2011 by Klekot, who previously ran a now-defunct CPM ad network called trafficrevenue.net that was accused by an anti-malvertising watchdog of pushing malware.
The PopAds site is registered in Costa Rica, support is based in Poland and the technical team is located in the US.
It’s a major red flag when a website is hosted in a different country than where the company is based, according to anti-malvertising guidelines and best practices developed by the Online Trust Alliance.
PopAds has other schemes too: it mines bot traffic for cryptocurrency.
It works like this: PopAds uses a script to identify fraudulent activity, as do most ad networks and exchanges. But unlike others, which usually blacklist whatever bots they find and move on, PopAds drops cryptomining code into the fraudster’s browser, which allows it to use the bad actor’s computer processing power to generate a form of cryptocurrency called Monero.
PopAds makes around $30,000 a month in Monero, said Amnon Siev, CEO of ad security and verification company GeoEdge, which spotted the scheme in December. And it does so without disrupting the publisher or slowing down the human visitor’s experience.
“This is the first time we’ve seen anything like this – and it’s a bit like Robin Hood,” Siev said. “Usually, the bad guys do the stealing, but here it’s PopAds taking money away from the bad guys.”
The problem is, PopAds didn’t stop there.
In late February, Chinese internet security company Qihoo 360 published a blog accusing PopAds of in-browser cryptojacking, which means the network is running a second mining scheme in which users are being affected.
PopAds uses a domain-generation algorithm to create a large number of random domains on the fly, something often done to bolster a malware scheme. The domains, which host tons of ads and have names like buhxsaifjxupaj.com, jeksffryglas.com and wkmuxmlk.com, change so frequently, usually daily, that they’re able to bypass ad-block lists.
According to Qihoo, PopAds is now using these algorithmically created domains to run cryptojacking code. When the Qihoo researchers visited one of the 12-letter sites, their central processing unit usage immediately shot up to 100%.
Hardly something Robin Hood would do.
But why are companies like PopAds still in business?
“WWW still stands for ‘wild, wild west, even in 2018,” said Fraudlogix’s Shechter. “Unless there’s clear processes for prosecuting, it’s always going to be a high reward, low risk proposition for fraudsters and cyber criminals.”