HUMAN’s Satori Threat Intelligence and Research Team dismantled a sophisticated ad fraud operation dubbed VASTFLUX.
The name VASTFLUX comes from the evasion technique “fast flux” and VAST, the Digital Video Ad Serving Template that was abused by threat actors in this fraudulent scheme.
The researchers estimated that VASTFLUX accounted for more than 12 billion bid requests a day. The malvertising campaign spoofed more than 1,700 apps and 120 publishers and targeted nearly 11 million devices.
According to the experts, the VASTFLUX operators have a deep understanding of the digital advertising ecosystem. The threat actors evaded ad verification tags to avoid detection.
“HUMAN’s Satori Threat Intelligence and Research Team uncovered and took down a sophisticated ad fraud operation we’ve dubbed VASTFLUX. This private takedown of an expansive and complex threat embodies the power of modern defense and collective protection.” reads the report published by HUMAN. “VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views.”
VASTFLUX exploited the restricted in-app environments that run ads, particularly on iOS, to place bids and display malicious ad banners.
Experts reported that several demand-side partners (DSPs) place a bid for the ad slot, in this case, when the bid was won by VASTFLUX, the purchasing/bidding ad server placed a static banner image in the slot and inject multiple malicious scripts.
