Researchers have successfully dismantled an extensive ad fraud scheme, known as VASTFLUX, that affected over 1,700 applications from 120 publishers and impacted around 11 million devices. According to fraud prevention firm HUMAN, VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack multiple invisible video ad players behind one another and register ad views.
The name combines VAST, the Video Ad Serving Template standard used to deliver ads to video players, with Fast Flux, a technique in which the DNS records for a domain are rotated rapidly so that the infrastructure behind it is hard to pin down and block. The campaign focused on restricted in-app environments on iOS, bidding for banner ad slots. When a bid won, the JavaScript injected into the winning creative contacted a remote server to fetch a list of apps to impersonate, including the bundle IDs of legitimate apps. Those bundle IDs were then placed in the fraudsters' own bid requests, an app spoofing attack in which a fraudulent app is passed off as a reputable one so that advertisers bid for ad space they believe belongs to the legitimate app.
The end goal, according to HUMAN, was to register views for as many as 25 video ads layered on top of one another in a way that is completely invisible to the user, and to collect the resulting revenue. HUMAN added that the operators behind VASTFLUX have an intimate understanding of the digital advertising ecosystem and generated an endless "playlist" of ads to defraud both the advertisers and the apps that display ads.
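As an added illustration, not code from HUMAN's report or from this article, the two anomalies described above are the kind of signals a buy-side or SDK-side detection pipeline can check for: several video players playing at the same time in a single ad slot on one device (players layered behind one another), and a bid request whose declared bundle ID differs from the app the SDK is actually running in (app spoofing). The impression records, bundle IDs and field names below are constructed for the example; a real pipeline would combine these with many more signals.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Impression:
    """One video ad impression as an anti-fraud platform might log it.

    sdk_bundle      bundle ID of the app that actually hosts the ad slot (known to the SDK)
    declared_bundle bundle ID claimed in the bid request sent to advertisers
    start, end      playback window in seconds since the session began
    """
    device: str
    slot: str
    sdk_bundle: str
    declared_bundle: str
    start: float
    end: float


# Constructed sample records, not real HUMAN telemetry; bundle IDs are hypothetical.
# dev-A shows the VASTFLUX pattern: three players stacked in one slot while every
# bid request claims a well-known app. dev-B plays one ad after another and is honest.
SAMPLE = [
    Impression("dev-A", "slot-1", "com.example.fraudgame", "com.example.trustednews", 0.0, 30.0),
    Impression("dev-A", "slot-1", "com.example.fraudgame", "com.example.trustednews", 0.0, 30.0),
    Impression("dev-A", "slot-1", "com.example.fraudgame", "com.example.trustednews", 5.0, 35.0),
    Impression("dev-B", "slot-1", "com.example.weather", "com.example.weather", 0.0, 30.0),
    Impression("dev-B", "slot-1", "com.example.weather", "com.example.weather", 30.0, 60.0),
]


def peak_concurrency(events):
    """Maximum number of events playing at the same instant (sweep line).

    Tuples sort as (time, delta), so an end (-1) sorts before a start (+1) at the
    same timestamp: back-to-back playback does not count as stacking.
    """
    points = sorted([(e.start, 1) for e in events] + [(e.end, -1) for e in events])
    current = peak = 0
    for _, delta in points:
        current += delta
        peak = max(peak, current)
    return peak


def stacked_players(events, max_concurrent=1):
    """Return {(device, slot): peak} for slots with more concurrent players than allowed.

    A single on-screen slot can show only one video at a time, so anything above
    max_concurrent means players are layered behind one another.
    """
    by_slot = defaultdict(list)
    for e in events:
        by_slot[(e.device, e.slot)].append(e)
    flagged = {}
    for key, evs in by_slot.items():
        peak = peak_concurrency(evs)
        if peak > max_concurrent:
            flagged[key] = peak
    return flagged


def spoofed_bundles(events):
    """Return sorted (device, declared_bundle, sdk_bundle) triples where the bid
    request names a different app from the one the SDK is running inside."""
    return sorted({(e.device, e.declared_bundle, e.sdk_bundle)
                   for e in events if e.declared_bundle != e.sdk_bundle})


if __name__ == "__main__":
    for (device, slot), peak in stacked_players(SAMPLE).items():
        print(f"{device}/{slot}: {peak} video players playing concurrently")
    for device, declared, actual in spoofed_bundles(SAMPLE):
        print(f"{device}: bid declared {declared} but SDK is running inside {actual}")
```

The spoofing check only works if the SDK's own view of the host bundle ID is trusted and cannot be overwritten by JavaScript running in the creative, which is exactly the boundary a scheme like VASTFLUX exploits; the concurrency check does not depend on that and catches the stacking regardless of which app is claimed.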
This takedown of VASTFLUX comes three months after the disruption of Scylla, another fraud operation that targeted advertising software development kits (SDKs) within 80 Android apps and 9 iOS apps published on the official storefronts. VASTFLUX, which generated over 12 billion bid requests per day at its peak, is just the latest in a series of ad fraud botnets that have been shut down in recent years, following 3VE, PARETO, and Methbot.