Security researchers have discovered a new “highly sophisticated” advertising scam affecting more than 11 million devices globally. Dubbed Vastflux, the scheme spoofed over 1,700 apps and defrauded at least 120 ad publishers. The attack abused programmatic advertising, which is essentially automated online advertising.
Vastflux abused programmatic advertising in mobile devices
Every time you open an ad-supported app or website, you see several ads throughout it. But what you don’t see is the companies jostling for that ad space. It all happens behind the scenes. The ads that surface on the screen are selected through a series of automated instant auctions known as programmatic advertising. Ad publishers pay for each advertising slot they get in an app or website.
Since 25 ad requests from the same device at the same time would raise suspicions, the attackers spoofed the advertising details of 1,700 apps. This helped them make it look like the ad requests were coming from separate devices, i.e., from 25 different advertising slots. But in reality, they only purchased one ad slot and stacked multiple videos on it to defraud publishers. Vastflux also used several other tactics to avoid detection, such as the modification of ad tags.
At its peak in June last year, Vastflux made 12 billion ad requests per day. Since users only see one ad, they are highly unlikely to be suspicious about it. Their phones would consume more power and processor resources while using the affected apps, as the devices have to process multiple videos simultaneously, but users would blame the app itself more than anything else. On top of this, the attack stops as soon as the ad disappears. This makes detection even more difficult.
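As an added illustration (not code from the original report or from Human Security), the sketch below flags the pattern described above: a burst of ad requests arriving at the same moment from one origin while declaring many different apps. The record layout, the use of source IP plus user agent as the origin key, the one-second window and the threshold are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 1.0  # assumption: requests this close together count as simultaneous
MAX_APPS = 3          # assumption: more distinct apps than this in one window is suspicious


def build_sample():
    """Constructed records: (epoch_seconds, source_ip, user_agent, declared_app)."""
    records = []
    # One origin sends 25 requests in under half a second, each declaring a different app.
    for i in range(25):
        records.append((1000.0 + i * 0.02, "198.51.100.7", "UA-phone-A", f"com.example.app{i}"))
    # An ordinary origin: one app, requests spaced 30 seconds apart.
    for i in range(4):
        records.append((1000.0 + i * 30, "203.0.113.9", "UA-phone-B", "com.example.news"))
    # A user switching between five apps over several minutes (legitimate).
    for i in range(5):
        records.append((2000.0 + i * 60, "192.0.2.44", "UA-phone-C", f"com.example.game{i}"))
    return records


def find_stacked_origins(records, window=WINDOW_SECONDS, max_apps=MAX_APPS):
    """Return {origin: peak distinct apps seen in any window} for origins over max_apps."""
    by_origin = defaultdict(list)
    for ts, ip, user_agent, app in records:
        by_origin[(ip, user_agent)].append((ts, app))

    flagged = {}
    for origin, events in by_origin.items():
        events.sort()
        start = 0
        peak = 0
        for end in range(len(events)):
            # Slide the left edge forward until the window spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct_apps = {app for _, app in events[start:end + 1]}
            peak = max(peak, len(distinct_apps))
        if peak > max_apps:
            flagged[origin] = peak
    return flagged


if __name__ == "__main__":
    for (ip, user_agent), peak in find_stacked_origins(build_sample()).items():
        print(f"{ip} {user_agent}: {peak} distinct apps within {WINDOW_SECONDS}s")
```

Only the burst origin is reported; the user who moves between five apps over several minutes stays below the threshold because those requests never share a window.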
Researchers have disbanded this ad scam
Overall, Vastflux affected more than 11 million Android and iOS devices. Its creators may have made a sizable fortune by defrauding ad publishers with this scam. Researchers at Human Security discovered the scam in June last year and worked with their partners to disrupt the attack. After multiple disruptions, Vastflux’s creators took down the servers last month. But the same criminals reportedly ran advertising fraud in the past as well. So there’s every chance they would return with new tactics.
“Orchestrating a private takedown of this magnitude and severity is no small feat, and I want to take a moment to thank all involved, including the Human Satori Threat Intelligence and Research Team, the team at clean.io, and the industry leaders who make up The Human Collective who are dedicated to making the programmatic ecosystem safe and human,” said Gavin Reid, CISO (chief information security officer) at Human Security.