
VastFlux ad-fraud scheme affecting millions taken down by HUMAN

Written by 4 days ago

HUMAN Security, a global cybersecurity leader, has successfully taken down VastFlux, one of the biggest ad fraud operations known.

The scheme spoofed 1,700 applications and targeted 120 publishers. In total, more than 11 million devices were impacted, with a peak volume of 12 billion false ad requests per day.

“What was technically impressive and incredibly concerning about VastFlux was the fraudsters hijacked impressions on legitimate apps, which makes it nearly impossible for users to tell if they are impacted,” said Gavin Reid, HUMAN’s newly-appointed CISO.

This is the biggest operation uncovered by HUMAN’s Satori Threat Intelligence and Research Team. VastFlux was discovered while investigating an iOS app that was heavily impacted by an app spoofing attack.

Cybercriminal organisations exploited in-app advertising because verification partners have limited signal available in this environment. The operation was bolstered by spoofing 1,700 apps to diversify sellable inventory.

HUMAN launched three waves of targeted mitigation action between June and July 2022. Each wave cut VastFlux traffic dramatically. As of 6 December 2022, the threat actors have gone quiet and C2 servers powering VastFlux are down, resulting in zero requests.

The private takedown by the team ensured that the entire programmatic advertising ecosystem was protected.

The takedown of the VastFlux operation comes just three months after the Satori Team announced the disruption of Scylla, a fraud operation targeting advertising software development kits (SDKs) within 9 apps on the Apple App Store and 80 Android apps on the Google Play Store, which collectively were downloaded more than 13 million times.

The name VastFlux is a portmanteau of VAST, an ad-serving template used to serve ads to video players, and “fast flux”, an evasion technique. The scheme bids to display advertisement banners within an app. If a bid wins, a static banner image is placed in the app with obfuscated JavaScript injected into it. Hidden behind the image are single or stacked video adverts that generate revenue per view without the user seeing anything untoward.
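A defender-side check for the pattern described above, as an added example that is not HUMAN's detection method or code from the article: it flags ad slots that were won as banners but then played video, and slots with more than one video player open at once. The event schema, field names and sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical schema, not from the article):
# (timestamp_s, device_id, slot_id, format_won_at_auction, player_event)
SAMPLE_EVENTS = [
    (0, "dev-a", "slot-1", "banner", "render"),
    (1, "dev-a", "slot-1", "banner", "video_start"),
    (1, "dev-a", "slot-1", "banner", "video_start"),
    (2, "dev-a", "slot-1", "banner", "video_start"),
    (16, "dev-a", "slot-1", "banner", "video_end"),
    (16, "dev-a", "slot-1", "banner", "video_end"),
    (17, "dev-a", "slot-1", "banner", "video_end"),
    (0, "dev-b", "slot-2", "video", "render"),
    (1, "dev-b", "slot-2", "video", "video_start"),
    (31, "dev-b", "slot-2", "video", "video_end"),
    (0, "dev-c", "slot-3", "banner", "render"),
]

def peak_concurrency(changes):
    """Highest number of players open at once; ends sort before starts on ties."""
    running = peak = 0
    for _, delta in sorted(changes):
        running = max(running + delta, 0)  # tolerate an end with no logged start
        peak = max(peak, running)
    return peak

def find_hidden_video(events):
    """Flag slots that played video after winning as a banner, or stacked players."""
    won_format, changes = {}, defaultdict(list)
    for ts, device, slot, fmt, event in events:
        key = (device, slot)
        won_format.setdefault(key, fmt)
        if event in ("video_start", "video_end"):
            changes[key].append((ts, 1 if event == "video_start" else -1))
    findings = []
    for key, deltas in sorted(changes.items()):
        starts = sum(1 for _, d in deltas if d == 1)
        peak = peak_concurrency(deltas)
        reasons = []
        if won_format[key] == "banner" and starts:
            reasons.append("video playback in a banner slot")
        if peak > 1:
            reasons.append("stacked video players")
        if reasons:
            findings.append({"device": key[0], "slot": key[1],
                             "video_starts": starts, "peak_concurrent": peak,
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_hidden_video(SAMPLE_EVENTS):
        print(finding)
```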

Since VastFlux targets ad slots within legitimate apps, developers should build with OM SDK to support verification, while ad tech platforms are encouraged to prioritise tag evasion mitigation tactics with fraud detection partners.

Users are also advised to stay vigilant by keeping an eye on how their devices behave. Rapidly degrading battery life, a screen turning on at unexpected times, sudden performance drops, frequent app crashes, and dramatic increases in data use can all be signs of schemes like VastFlux.
