Dubbed VASTFLUX, the ad fraud had 1,700 apps spoofed, targeting 120 publishers on 11 million devices with 12 billion ad requests per day.
The cybersecurity researchers at HUMAN Security Inc. have announced the takedown of a sophisticated, organized, and large-scale ad fraud operation dubbed VASTFLUX.
HUMAN Security is among the world’s leading firms offering advanced defences against digital attacks. Previously, the company reported large-scale scams involving iOS and Android devices, such as Scylla, PARETO, Methbot, and 3ve.
How was the Ad Fraud Discovered?
VASTFLUX is a combination of two terms that reflect its functionality. VAST represents the Digital Video Ad Serving Template exploited in this operation. The name Flux is inspired by the Fast Flux concept, which is an evasion tactic used by cybercriminals.
Team Satori from HUMAN discovered the operation when investigating an iOS application, which was heavily impacted by an app spoofing attack.
The researchers found it a highly sophisticated scheme in which cybercriminals exploited the limited signal available to the verification partners in their targeted environment, including in-app advertising mainly on iOS.
The ad fraud later evolved into spoofing bids on a particular platform to make them appear on another platform. This made cross-platform attacks impossible to deter. HUMAN worked with its partners in the HUMAN Collective to obtain further information into the fraud’s traffic volumes and verification tags used on their ads.
The team deployed three mitigation methods within two weeks to protect users from VASTFLUX before taking it down.
Targeted Entities
According to a blog post shared by HUMAN with Hackread.com, the fraudulent operation accounted for over 12 billion fake ad requests per day and affected around 11 million devices by running ads within apps. For this purpose, the perpetrators spoofed 1,700 apps targeting around 10 publishers.
This is HUMAN’s Satori Threat Intelligence and Research Team’s highest per day volume of an operation uncovered by this team. It even eclipsed Human’s previously discovered peak volumes in high-profile disruptions. This includes PARETO, Methbot, and 3ve.
How Did the Attack Work?
The attackers injected malicious JavaScript code into digital ads, which let fraudsters stack dozens of video ads upon each other and register views for ads that the user couldn’t see. HUMAN shut down this operation via a private takedown effort and protected the programming advertising ecosystem. However, the company is still monitoring its operations.
The company’s CISO, Gavin Reid, stated that VASTFLUX was a “technically impressive and incredibly concerning” operation because the fraudsters hijacked impressions of authentic apps, making it difficult for users to feel suspicious.
“Orchestrating a private takedown of this magnitude and severity is no small feat, and I want to take a moment to thank all involved, including the HUMAN Satori Threat Intelligence and Research Team, the team at clean.io and the industry leaders who make up The HUMAN Collective who are dedicated to making the programmatic ecosystem safe and HUMAN,” Reid said.