You’ve Heard of the Pop-up Webpage, but What About the Pop-Under?
If you used the public internet during its first few years, you probably remember pop-up webpages: you clicked a search engine link expecting to land on an article, and as soon as the page finished loading a new window popped up in front of it. A pop-under works the same way, except that you never see it.
The pop-under gets its name from the fact that it opens underneath the window you are currently working in: the script that creates the new window immediately returns focus to the original one, so nothing interrupts what you were doing and you will not notice it unless you switch windows or tabs. Ad fraud perpetrators leverage this hidden window to simulate human web activity while generating fake ad clicks.
A Problem for WordPress Sites
Pop-unders can be deployed through any type of website, but security experts uncovered one particular scheme targeting WordPress sites in early 2023. WordPress is especially exposed to this sort of thing because so much of a typical site's functionality comes from third-party plug-ins, each of which runs as part of the site itself.
The experts traced the scheme to one particular plug-in through which malicious code is injected into the site's pages. The code triggers a pop-under whenever the compromised site is loaded through a link the fraudster controls. Once the pop-under is active, it loads other websites, clicks the ads on them, and repeatedly refreshes those ads to generate more clicks.
Simulating Human Activity
Whoever is behind the plug-in has built a pop-under that accurately mirrors human activity. While the affected visitor scrolls through and otherwise interacts with the legitimate site, the pop-under does the same thing in the background: it scrolls up and down and clicks links here and there. But here's the icing on the cake: as soon as the legitimate visitor stops interacting, so does the pop-under. And as soon as the visitor leaves the site, the pop-under disappears and the site goes back to being static.
Through this design, the pop-under perpetrates click fraud that is extremely difficult to detect, because its clicks follow the cadence of a real person rather than a bot. Detection is so difficult that click fraud protection software may not pick up on it; it takes someone with serious ad fraud skill and knowledge to analyze the data well enough to spot the plug-in's activity.
The security experts who uncovered the scam say that, to the best of their knowledge, it has affected only a small number of WordPress sites so far. That is the good news. The bad news is that other sites could be compromised, and the plug-in and its pop-under are a proof of concept showing that other attackers could build similar plug-ins capable of the same things.
What WordPress Users Should Do
So, what should WordPress users do about this sort of thing? For starters, they should be very careful about using plug-ins. Plug-ins certainly make WordPress more usable and convenient, but they are rarely as necessary as they appear. If there is any way to implement something without a plug-in, site owners should do it, even if that means hiring a website developer who can write clean code rather than relying on plug-ins. The plug-ins that remain should be kept up to date and periodically checked for code that does not belong there.
Next, website owners should invest in a click fraud protection software package like Fraud Blocker. Good software helps identify and prevent click fraud by collecting and analyzing large volumes of click data, and as these packages become more sophisticated they root out more instances of ad fraud.
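One concrete way to check a plug-in directory for the pattern described above is a heuristic file scan. The following is an added example written for this article, not code from the article, the researchers, or any WordPress project; the indicator names, the scoring rule and the sample plug-in files are my own assumptions rather than published indicators of compromise. The core idea is that a pop-under needs a `window.open()` call paired with a trick to push the new window behind the current one (the opener refocusing itself or blurring the new window), so `window.open()` alone is not treated as suspicious.

```python
# Added example (not from the article): heuristic scanner for the pop-under
# injection pattern in a WordPress plug-in tree. Indicator names, the
# scoring rule and the sample files are assumptions made for this example.
import os
import re
import tempfile

# Each indicator is a (name, regex). A pop-under needs window.open() plus a
# way to push the new window behind the current one; the activity hook and
# obfuscation markers are secondary signals that appear in the findings.
INDICATORS = [
    ("window_open", re.compile(r"\bwindow\.open\s*\(")),
    ("refocus_opener", re.compile(r"\b(?:self|window|opener|top)\.focus\s*\(")),
    ("blur_new_window", re.compile(r"\.blur\s*\(")),
    ("activity_hook", re.compile(
        r"""addEventListener\s*\(\s*['"](?:scroll|mousemove|click|keydown)['"]""")),
    ("obfuscation", re.compile(
        r"eval\s*\(\s*atob\s*\(|String\.fromCharCode|unescape\s*\(")),
]
SCAN_EXTENSIONS = (".js", ".php", ".html")


def score_source(text):
    """Return the names of all indicators found in one file's contents."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def is_suspicious(hits):
    # window.open() on its own is common (share buttons, previews); flag only
    # when it is paired with a refocus/blur trick that hides the new window.
    return "window_open" in hits and (
        "refocus_opener" in hits or "blur_new_window" in hits)


def scan_tree(root):
    """Walk a plug-in directory; return {relative path: hits} for suspicious files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                hits = score_source(f.read())
            if is_suspicious(hits):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed sample plug-in tree (invented for this example, not real
# plug-in code) so the scanner can run offline. The share button is a
# benign window.open() user; the "loader" shows the pop-under pattern.
SAMPLE_FILES = {
    "share-buttons/share.js": (
        "document.querySelector('#tw').onclick = function () {\n"
        "  window.open('https://twitter.com/intent/tweet', '_blank');\n"
        "};\n"
    ),
    "seo-helper/assets/loader.js": (
        "(function(){\n"
        "  var u = window.open(decodeURIComponent('https://example.invalid/'), 'pu');\n"
        "  u.blur(); window.focus();\n"
        "  document.addEventListener('scroll', function(){ u.postMessage('scroll', '*'); });\n"
        "  eval(atob('Ly8gLi4u'));\n"
        "})();\n"
    ),
    "seo-helper/readme.txt": "=== SEO Helper ===\n",
}


def demo():
    """Materialise SAMPLE_FILES in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    # Point scan_tree() at wp-content/plugins on a real site; demo() uses the samples.
    for path, hits in demo().items():
        print(f"SUSPICIOUS {path}: {', '.join(hits)}")
```

Run `scan_tree("/path/to/wp-content/plugins")` on a real install. A hit is a lead, not a verdict: legitimate scripts occasionally refocus the opener, so review each flagged file by hand, and treat base64-wrapped `eval` in a plug-in as reason enough to remove the plug-in until its source has been explained.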
The pop-under represents just the latest effort by scammers to commit ad fraud. It is not going away, so online advertisers have to be diligent about protecting themselves.