In the old days, pop-under ads were a scourge of the web. Now, since fraud fighters have improved their ability to detect bots, some sites are turning back to pop-unders to show ads to unsuspecting humans. By inserting separate browser windows behind what users are viewing, these websites display ads that are often unseen even though they are registered to a human user.

This tactic is used in conjunction with the dingy side of the internet — porn, hate and file-sharing websites — by sites that drive ad revenue before they’re booted from one exchange and off to another. Porn sites like sexix.net and sexix.org bombard users with windows that pop under their browser. These pop-under windows — which use benign-sounding URLs like viralnewsjunkie.com, glamouralley.com and fashionshack.com — are used to serve ads in the background while the user views porn on another window. The sites themselves have little in the way of content. The pop-unders continually refresh and reload ads so that thousands of ads can be “shown” to users even though the majority of the impressions shown on these webpages will never be actually seen.

“Normally what happens in these cases is that a porn site makes deals with several unscrupulous ad networks,” said an ad tech exec requesting anonymity. “Those networks’ tags fire new pop-unders that load totally different sites, unaffiliated with the porn sites. The porn sites get paid in various ways for delivering their users the pop-unders.”

Big brands fall prey
The ads that appear on these websites are highly targeted. I was shown retargeted ads from DataXu and The Wall Street Journal. A Glossy reporter had ads from fashion and beauty brands like Brilliant Earth and Tatcha. Other brands to have their ads appear on these sites include Scottrade, Weebly, Seamless and Soundcloud. As AdYapper CEO Elliot Hirsch noted, these advertisers “may all simply be accustomed to looking at the high-level sales metrics, and as long as things are on track with sales goals or campaign expectations, no further scrutiny is applied and they remain unaware of the large-scale waste and damage to their brand.”

It’s difficult to untangle who is delivering the ads. When diving into the code on these pages, tracking tools show that it is a who’s who of ad tech. But sources said that many of these tags are user trackers, which means that mere presence on this list is not necessarily indicative that the company served ads on the pop-unders. The video below shows how these websites constantly refresh and upload new ads. At the 1:55 mark, the URL automatically changes from a Fashion Shack domain to a Glamour Alley one.

Sources indicated that new fraud sources usually have to be detected at least once before they can be eliminated, which means fraudsters hop from exchange to exchange. “In order to identify new fraudulent and invalid traffic, DoubleVerify must see a small number of impressions against a domain to initially diagnose the problem,” said Matt McLaughlin, COO of DoubleVerify.

For instance, Turn said that over the last six months, these sites had generated only $9 from Turn before Turn’s verification vendor blocked them. Media.net claims these sites generated less than $200 from them before getting suspended from the network. An AppNexus spokesperson stated, “We transacted minimally on these domains,” and a Pubmatic rep said, “Pubmatic has tags and may serve ads there,” but both declined to provide dollar amounts while noting that they blacklisted the sites in response to Digiday’s reporting. Kiosked CEO Antti Pasila said that these sites are “only doing a couple of dollars a day in ad impressions.”

Networks of sites
As Pasila pointed out, these sites are small potatoes individually. Only sexix.net, whose traffic peaked at about 600,000 monthly visits in October, registered enough traffic for SimilarWeb to provide monthly data for. Over the last six months, SimilarWeb estimates show that the other websites involved in this operation had a total of just 1.3 million visits, on average. Digiday was unable to find contact information for the operators of these websites. But it appears that the strategy is to spread enough websites across enough vendors so that the cumulative ad dollars exceeds the admin costs.

To prevent ads from appearing on pop-unders, sources said that advertisers could use whitelists, which stipulate that ads can only appear on websites on the list. However, whitelists can come at the risk of missing out. There is cheap inventory throughout the web, and new sites frequently pop up that brands want to be on, which means that whitelists must be carefully monitored and updated for their benefits to outweigh the costs. For many advertisers, the risks of open bidding might be worth it if the amount of budget that fraud sites siphon is minimal.

Digiday Daily Newsletter

Get Digiday's top stories every morning in your email inbox.

Sources said that although sexix.net and its pop-unders may have small traffic, this practice is more common with hate sites and illegal file-sharing operations. They’ve also likened the practice to whack-a-mole since new fraudsters continually pop up regardless of how many have already been blocked. Ken Van Every, senior business development manager at demand-side platform provider DataXu, said that his company has blocked thousands of these sites as pop-unders evolve to circumvent advances in fraud detection.

“A few years ago these sites were all buying bot traffic,” he said, while acknowledging the irony of DataXu ads appearing on the pop-unders. “Now that fraud tech has blocked a lot of that, these sites have gone to less fraudulent means through buying on pop-unders.”

Hard problem to solve
Because these ads are technically being served to humans, and not bots, Van Every believes these websites should qualify as low-quality traffic and not fraud. This sentiment was echoed by many other sources, particularly by brand reps spooked by words like “fraud” and “porn.” But when the line between low-quality inventory and fraud becomes so indecipherable, the difference between these definitions becomes metaphysical and not scientific.

“Distance doesn’t demonstrate deniability,” said Marc Goldberg, CEO of fraud detection company Trust Metrics. “Plausible deniability is not a long-term strategy.”

Several sources said that more industry regulation will be needed to quell pop-unders. In May, the Association of National Advertisers put out a report about the perils of sourced traffic, which is the practice of acquiring traffic via third parties, or what Fashion Shack and Glamour Alley are doing. But this report was overshadowed by the ANA’s report on agency kickbacks, and there is not much evidence to show that advertisers ramped up the fight against sourced traffic. Internet advertising is still treated by many marketers as a direct-marketing environment where a certain amount of waste is to be expected.

Brad Holcenberg, head of platform quality at Rubicon Project, said that advertisers can’t solve these issues by just tacking on more brand-safety vendors because many of these companies don’t have the technology to detect this type of non-bot fraud. He said concerned marketers should implement an in-house human review to complement tech services.

“These advertisers don’t know what is really going on,” said a programmatic analyst. “If you knew it was going on, how did your ad appear in these sites? It’s a fucking sinkhole, and it shows the blacklist ain’t always working.”

  • LinkedIn Icon
Digiday
Digiday