A sophisticated ad fraud scheme that spoofed over 1,700 applications and 120 publishers peaked at 12 billion ad requests per day before being taken down, bot attack prevention firm Human says.
VastFlux, Human says, was an adaptation of an ad fraud scheme identified in 2020, targeting in-app environments that run ads, especially on iOS, and deploying code that allowed the fraudsters to evade ad verification tags.
At the first step of the fraudulent operation, an application would contact its primary supply-side partner (SSP) network to request a banner ad to be displayed.
Demand-side partners (DSPs) would place bids for the slot and, if the winner was VastFlux-connected, several scripts would be injected while a static banner image was placed in the slot.
The injected scripts would decrypt the ad configurations, which included a player hidden behind the banner and parameters for additional video players to be stacked. The script would also call to the command-and-control (C&C) server to request details on what to be displayed behind the banner.
The received instructions include both a publisher ID and an app ID that VastFlux would spoof. The size of the ads would also be spoofed and only certain third-party advertising tags were allowed to run inside the hidden video player stack.
What Human discovered was that as many as 25 ads could be stacked on top of one another, with the fraudsters receiving payment for all of them, although none would be shown to the user.
Additionally, the cybersecurity firm noticed that new ads would be loaded until the ad slot with the malicious ad code was closed.
“It’s in this capacity that VastFlux behaves most like a botnet; when an ad slot is hijacked, it renders sequences of ads the user can’t see or interact with,” Human notes.
From late June into July 2022, Human attempted to take down the scheme using three mitigation actions, which eventually resulted in the VastFlux traffic being reduced by more than 92%.
The cybersecurity firm says it has identified the fraudsters and worked with the victim organizations to mitigate the fraud, which resulted in the threat actors shutting down their C&C servers.
“As of December 6th, bid requests associated with VastFlux, which reached a peak of 12 billion requests per day, are now at zero,” Human says.