HUMAN Researchers Take Down A Giant Ad Fraud Campaign Affecting Millions Of iOS Devices

A massive ad fraud campaign has been shut down following mitigation efforts organized by HUMAN, a cybersecurity firm that works to distinguish human beings from bots for the purpose of disrupting cybercrime. The ad fraud campaign, dubbed “VASTFLUX” by members of HUMAN’s Satori Threat Intelligence and Research Team, targeted iOS devices by serving static in-app banner ads containing malicious JavaScript. The malicious script requested up to twenty-five video ads and layered them on top of one another underneath the original static banner ad, generating ad revenue for the fraudsters from ads no user ever saw.

The researchers discovered this fraud campaign while analyzing the network traffic going to and from an iOS device running a single app. Despite the fact that a single app was active on the device, the team observed dozens of advertising bid requests with different app identification numbers. Upon investigating this unexpected phenomenon, the researchers found that the app in question was displaying a malicious banner ad.

This ad injected scripts that created a video ad player behind the banner ad and reached out to a command-and-control (C2) server controlled by the fraudsters. The C2 server transmitted additional instructions, which were obfuscated to avoid detection. Once decrypted and reassembled, these instructions listed spoofed IDs for legitimate apps and publishers. The original malicious banner ad then used these spoofed IDs to request video ads, which were hidden from view underneath the banner ad. As long as the banner ad stayed active, it continued to request new video ads, layering up to twenty-five video ads at once and replacing each video ad when it finished playing.
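As an added illustration from the defender's side (not code from HUMAN or the original article), the following sketch applies the telemetry tell the researchers used, a single device emitting bids under many app IDs and many video bids behind one banner impression, to constructed bid-request log lines. The log format, field names and thresholds are assumptions, not HUMAN's telemetry schema.

```python
# Added detection sketch for VASTFLUX-style bid-request anomalies.
# Constructed example: the log format (device,impression,ad_type,app_id),
# field names and thresholds are assumptions, not HUMAN's telemetry schema.
from collections import defaultdict

# Constructed sample: dev-A runs one app (app.weather) yet its banner
# impression emits video bids under several spoofed app IDs; dev-B is clean.
SAMPLE_LOG = """\
dev-A,imp-1,banner,app.weather
dev-A,imp-1,video,app.spoofed.001
dev-A,imp-1,video,app.spoofed.002
dev-A,imp-1,video,app.spoofed.003
dev-A,imp-1,video,app.spoofed.004
dev-B,imp-2,banner,app.news
dev-B,imp-2,video,app.news
"""

def parse_log(text):
    """Yield (device, impression, ad_type, app_id) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 4:
            yield tuple(parts)

def find_suspicious_devices(records, max_app_ids=1, max_video_per_banner=3):
    """Flag devices that bid under more app IDs than one running app should,
    or whose banner impression spawns many video bids (hidden stacked players)."""
    app_ids = defaultdict(set)        # device -> app IDs seen in its bids
    banner_imps = set()               # (device, impression) that showed a banner
    video_count = defaultdict(int)    # (device, impression) -> video bids
    for device, imp, ad_type, app_id in records:
        app_ids[device].add(app_id)
        if ad_type == "banner":
            banner_imps.add((device, imp))
        elif ad_type == "video":
            video_count[(device, imp)] += 1
    flagged = {}
    for device, ids in app_ids.items():
        reasons = []
        if len(ids) > max_app_ids:
            reasons.append(f"{len(ids)} distinct app IDs from one device")
        for dev, imp in banner_imps:
            if dev == device and video_count[(dev, imp)] > max_video_per_banner:
                reasons.append(f"{video_count[(dev, imp)]} video bids behind banner {imp}")
        if reasons:
            flagged[device] = reasons
    return flagged
```

On the sample, only dev-A is flagged, for both reasons; on real telemetry the thresholds would be tuned to the publisher's normal banner-to-video ratio.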

VASTFLUX bid request volume declining over time following mitigation measures (source: HUMAN)

This fraudulent ad behavior consumes device resources in the background while generating ad revenue for the fraudsters. Having identified the technique, the researchers went on to uncover a massive ad fraud campaign built on it. They named the campaign “VASTFLUX” in reference to the scheme’s abuse of the Digital Video Ad Serving Template (VAST) and of the fast flux evasion technique, which hides malicious domains by rapidly changing their IP addresses and DNS records.

The team determined that the fraudsters issued more than 12 billion ad requests a day at the campaign’s peak, placing malicious ads on roughly eleven million devices using spoofed credentials of over 1,700 apps and 120 publishers. HUMAN then coordinated with publishers whose identification numbers were being spoofed in this campaign to conduct three major mitigation operations. These mitigation measures culled the fraudulent ad bid requests, ultimately driving the fraudsters to shut down the campaign. That said, the researchers caution us not to conclude that VASTFLUX is dead forever. This ad fraud scheme demonstrated sophistication on the part of the fraudsters, and they may already be developing their next campaign.