PopAds is a well-known popunder ad network. Last week, I noticed that a new script is being loaded by their standard popunder tag:
I looked up the script and it was obvious that it performs browser fingerprinting. It uses well-known and widespread fingerprinting techniques that utilize browser features such as canvas, webgl, plugins and more.
However, other parts of the code seems to fingerprint specific automation tools such as Selenium and PhantomJS, which indicates that its purpose is to identify bots rather than tracking users for ads targeting.
There’s nothing special here so far, as many ad network and exchanges using similar bot detection scripts in order to identify fraud traffic. However, this script is different in the reaction it takes upon bot detection. Usually, the ad network will blacklist the bot and won’t charge the advertiser for any impression served to the bot*. But PopAds does something different. If they detect a bot, they serve additional script:
Which performs in browser mining of monero, an anonymous cryptocurrency that’s designed to be mined by standard PC CPU.
In browser mining became prevalent in the last months because of the skyrocketing prices of cryptocurrencies, appearance of easy to use mining services such as CoinHive and the availability of massive amounts web traffic. It even got a name, “cryptojacking“.
As expected, publishers started to suffer from bad advertisers who serves their mining scripts instead of legitimate ads, exhausting the user’s battery and CPU. This is of course unaccepted, and any decent publisher will kick out ad network that serves mining scripts without permission. So in order to prevent user experience interruption, PopAds uses a clever trick and serves the mining scripts only to bot visitors. Ad tech madness indeed!
Edit: I found, via googling, that PopAds actually publicly admitted to do this. It seems they currently shut down the mining functionality, maybe because of false positives reported in the thread linked above.
* Assuming they actually care about fraud, which many of them don’t, because of perverse incentive structure: the ad platforms (networks, exchanges, SSP, etc) actually makes money on fraud impressions as well.