The fake ad space campaign spoofed 1,700 applications

Cybersecurity firm Human has shut down a fraud campaign that targeted online advertising sites, but not before spoofing 1,700 legitimate apps and infecting 11 million devices.

Human’s Satori threat intelligence team said the illegal operation, dubbed VastFlux, was pumping out 12 billion requests a day before it was shut down.

For perspective, that’s 1.5 requests a day for every person on the planet; the United Nations recently put the world’s population at over 8 billion.

Interestingly, the intended victims were not the end users, who never actually saw the ads, but the advertisers themselves, who were forced to pay for unfulfilled ad impressions.

“The fraudsters behind Operation VastFlux have an intimate knowledge of the digital advertising ecosystem,” Human said. “Ad verification tags were bypassed, making the system difficult to find.”

They stumbled upon something big

Satori said it stumbled upon the ad campaign when it was investigating a popular app targeted by a spoofing attack and noticed abnormal web traffic passing through it, before uncovering VastFlux during a subsequent investigation.

“The team put together an extensive malicious advertising operation where the bad actors injected JavaScript into the ads they served, then stacked a bunch of video players on top of each other and got paid for each ad, when none of them were visible to the person using the device,” Human said.
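The stacking described above can be checked geometrically from the defender's side. The following is an added example, not Human's detection code: it computes how much of each video player in a slot a user could actually see and flags players that would report an impression while hidden. The field names (`rect`, `zIndex`, `opacity`, `players`), the 0.5 threshold and the sample slot are assumptions constructed for illustration.

```javascript
// Added example: audit one ad slot for stacked, unseen video players.
// Field names and the 0.5 threshold are assumptions, not from the article.
const area = r => Math.max(0, r.x2 - r.x1) * Math.max(0, r.y2 - r.y1);
const intersect = (a, b) => ({
  x1: Math.max(a.x1, b.x1), y1: Math.max(a.y1, b.y1),
  x2: Math.min(a.x2, b.x2), y2: Math.min(a.y2, b.y2),
});

// Area of `r` not hidden by any rectangle in `covers` (exact, via coordinate compression).
function uncoveredArea(r, covers) {
  const clip = covers.map(c => intersect(c, r)).filter(c => area(c) > 0);
  const cuts = (lo, hi) =>
    [...new Set([r[lo], r[hi], ...clip.flatMap(c => [c[lo], c[hi]])])].sort((a, b) => a - b);
  const xs = cuts("x1", "x2"), ys = cuts("y1", "y2");
  let free = 0;
  for (let i = 0; i + 1 < xs.length; i++) {
    for (let j = 0; j + 1 < ys.length; j++) {
      // Test the centre of each grid cell against every covering rectangle.
      const cx = (xs[i] + xs[i + 1]) / 2, cy = (ys[j] + ys[j + 1]) / 2;
      const hidden = clip.some(c => cx > c.x1 && cx < c.x2 && cy > c.y1 && cy < c.y2);
      if (!hidden) free += (xs[i + 1] - xs[i]) * (ys[j + 1] - ys[j]);
    }
  }
  return free;
}

// Fraction of each player's pixels a user could see inside the slot.
function auditSlot(slot, minVisible = 0.5) {
  const report = slot.players.map(p => {
    const inSlot = intersect(p.rect, slot.rect);
    // Only non-transparent players with a higher z-index can hide this one.
    const above = slot.players
      .filter(q => q !== p && q.zIndex > p.zIndex && q.opacity > 0)
      .map(q => q.rect);
    const seen = p.opacity > 0 && area(inSlot) > 0 ? uncoveredArea(inSlot, above) : 0;
    return { id: p.id, visible: area(p.rect) > 0 ? seen / area(p.rect) : 0 };
  });
  // Each player reports its own impression, so an unseen one is a billed but invisible ad.
  const unseen = report.filter(r => r.visible < minVisible).map(r => r.id);
  return { report, unseen, flagged: unseen.length > 0 };
}

// Constructed sample: three players placed in one 300x250 slot.
const full = { x1: 0, y1: 0, x2: 300, y2: 250 };
const stackedSlot = { rect: full, players: [
  { id: "v1", rect: full, zIndex: 1, opacity: 1 },
  { id: "v2", rect: full, zIndex: 2, opacity: 1 },
  { id: "v3", rect: { x1: 0, y1: 0, x2: 150, y2: 250 }, zIndex: 3, opacity: 0 },
] };
console.log(auditSlot(stackedSlot));
```

In the sample, only `v2` is fully visible; `v1` is covered and `v3` is transparent, so two of the three impressions are unseen and the slot is flagged.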

The campaign primarily targeted in-app advertising services running on Apple’s iOS, going after 120 publishers and 1,700 apps.

“Perhaps one of the scariest and most sophisticated aspects of VastFlux is the way it targets the ad slots themselves,” Human said. “Previous fraud schemes uncovered by Satori’s team could be prevented by simply not allowing the collection of fraudulent apps to proliferate. But VastFlux goes right after the ad slot, so completely legitimate apps can show VastFlux-related ads.”

Why are apps more prone?

“In the world of ad tech, there are significant differences between how and where ads are served,” added Human. “Typically, ads that run within apps provide less information to verification providers than ads that run on pages visited in a browser.”

According to Human, fraudsters look to take advantage of this lack of data and target more restricted ad platforms in the hope that their schemes will remain undetected for longer.

“The actors behind Operation VastFlux […] it targeted not only in-app ads, but also in-app ads on iOS, where the environment is particularly strict due to Apple’s latest privacy policies,” Human said.

A battle won, but not the war

Between June and July, Satori started taking down the VastFlux operation. The threat actors repelled the team’s first attempt, but on the second day the attacks were reduced to “merely” a billion requests. Satori’s third attempt proved the charm, further reducing the number.

But Human cautions that this doesn’t mean the cybercriminals behind VastFlux are done — far from it.

“As we built defenses into our defense platform and worked to get the C2s [cybercriminal command and control centers] shut down, we cannot assume that the actors behind VastFlux will simply go quietly into the night,” Human said. “If there’s money to steal, they’ll still try to find a way around any protections we’ve put in place. The actors in this case are particularly sophisticated.”

