© 2023 CyberNews - Latest tech news,
product reviews, and analyses.


Bogus ad slot campaign spoofed 1,700 apps


A fraud campaign that targets online advertising slots has been taken down by cybersecurity firm Human – but not before it spoofed 1,700 legitimate apps and infected 11 million devices.

Human’s threat intelligence team Satori said the illegal operation, which it nicknamed VastFlux, was pumping out a staggering 12 billion requests daily before it was stopped.

To put that in perspective, that is 1.5 requests per day for every person on the planet, given that the United Nations recently estimated the global population at more than 8 billion.

Intriguingly, the intended victims were not end-users, who in fact never saw the ads, but the advertisers themselves, who were conned into paying for ad impressions that were never delivered.

“The fraudsters behind the VastFlux operation have an intimate understanding of the digital advertising ecosystem,” said Human. “They evaded ad verification tags, making it harder for this scheme to be found.”

They stumbled on to something big

Satori said it stumbled across the ad campaign while checking out a popular app that had been targeted by a spoofing attack, detecting abnormal web traffic passing through it before uncovering VastFlux during a subsequent investigation.

“What the team pieced together was an expansive malvertising operation in which the bad actors injected JavaScript into ad creatives they issued, and then stacked a whole bunch of video players on top of one another, getting paid for all of the ads when none of them were visible to the person using the device,” said Human.

The campaign primarily targeted in-app advertising services running on Apple’s iOS system, impersonating 120 publishers and 1,700 applications.

“Perhaps one of the scariest – and most sophisticated – aspects of VastFlux is how it targets the ad slots themselves,” said Human. “Earlier fraud schemes uncovered by the Satori team could be stymied by simply not allowing a collection of fraudulent apps to proliferate. But VastFlux goes directly after the ad slot, so apps that are perfectly legitimate may end up showing VastFlux-related ads.”

Why apps are more prone

“In the world of advertising technology, there are substantial differences in how and where ads are delivered,” added Human. “In general, ads that run within apps pass less information to verification providers than ads that run on pages visited within a web browser.”

Human says fraudsters seek to capitalize on this shortfall in data provision, targeting more restricted advertising platforms in the hope of their scheme evading detection for longer.

“The actors behind the VastFlux operation [...] targeted not just in-app advertising, but in-app advertising on iOS, where the environment is especially strict due to Apple’s latest privacy policies,” said Human.

A battle won, but not the war

Between June and July, Satori set to work dismantling the VastFlux operation. The team’s first salvo was repulsed by the threat actors, but the second cut their attacks down to a ‘mere’ billion requests per day. The third attempt by Satori proved the charm, reducing the number even further.

But Human warns that this does not mean the cybercriminals behind VastFlux are done – in fact, far from it.

“While we’ve built protections into our defense platform and worked to get the C2s [cybercriminal command and control centers] shut down, we cannot assume the actors behind VastFlux will simply go quietly into the night,” said Human. “If there’s money available to be stolen, they’re going to keep trying to find ways against every protection we’ve built. The actors in this case are particularly sophisticated.”

