A sophisticated advertising scam faked more than 1,700 apps and affected 11 million phones
researchers of a company specializing in fraud dismantled a sophisticated ad scam operation in which more than 1,700 applications and that affected some 11 million people.
VASTFLUXas the attack is known, was discovered by the company human safetywhich detailed the operation in a statement on its website.
“HUMAN Security, Inc., a world leader in protecting businesses from digital attacks with a modern defense, today announced the takedown of a sophisticated ad fraud operation in which more than 1,700 apps were spoofed, targeting 120 publishers, serving in-app ads on nearly 11 million devices and peaking at a volume of 12 billion ad requests per day. The attack injected code javascript malicious in digital ads, allowing scammers to stack dozens of video ads on top of each other and record ad views completely invisible to the user.
The company explained that the name, VASTFLUX, “derives from the concept of fast flux, an evasion technique used by cybercriminals, and from VAST, the digital video ad delivery template used in this operation.” . He also confirmed that it is the largest operation discovered by Human Security’s threat intelligence and research team.
“When I got the first results on the volume of the attack, I had to do the calculations several times,” he said. Marion HabibyHuman Security data scientist and main investigator of the case, in statements to the British media Wired.
“It is clear that the cybercriminals were well organized and they did their best to avoid detectionmaking sure the attack lasted as long as possible and generated as much money as possible,” he added.
The maximum person in charge of ensuring the cybersecurity of the company, Gavid Reidnoted that “what was technically impressive and incredibly worrying about VASTFLUX was that scammers hijacked impressions on legitimate appswhich makes it almost impossible for users to know if they are affected”.
According to Wiredthe attack was first detected by the researcher of Vikas Parthasarathy in the boreal summer of 2022. Habiby explained to the outlet that the fraud had several steps and that those responsible took a series of measures to avoid being discovered.
VASTFLUX was targeted at popular applications and tried to buy an ad space in them. “They weren’t trying to hijack an entire phone or an entire app, they were literally going after ad space,” Habiby added.
The team discovered the attack while investigating an iOS app that had been severely affected by an app phishing attack. “VASTFLUX is a scheme very sophisticated, which exploits the limited signal available to verification partners in the environment they were targeting: in-app advertising, especially on iOS. VAST fraud has evolved to the spoofing offers on one platform to appear on anotherwhich makes these cross-platform attacks a formidable enemy,” the Human Security statement said.
Wired explains that once VASTFLUX won an ad auction, cybercriminals they inserted malicious JavaScript code into that ad to allow it to stack multiple ads video one on top of another.
In other words, VASTFLUX was capable of hijacking the advertising system so that when a phone displayed an ad within an affected application, they were actually 25 ads placed one on top of the other. According to Wiredthe attackers charged for each ad and the user only saw one on his phone.
VASTFLUX in numbers
– The operation peaked at 12 billion fraudulent ad requests in one day
– 11 million devices with ads in apps attacked by VASTFLUX
– More than 1,700 counterfeit apps by VASTFLUX on all platforms
– More than 120 publishers were attacked
– VASTFLUX could stack up to 25 ads on top of each other and charge for each one, without actually showing any
Keep reading:
