Ad Fraud Campaign Targeted Over 11 Million Devices

Researchers stopped an “expansive” ad fraud campaign that spoofed over 1,700 applications from 120 publishers and impacted about 11 million devices. “VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views,” stated fraud prevention company HUMAN. The campaign gets its name from Fast Flux, a DNS evasion method, and VAST, a Digital Video Ad Serving Template. The operation placed bids for the display of ad banners, specifically in the restricted in-app environments that run adverts on iOS. If the auction succeeded, the hijacked ad space injected malicious JavaScript that contacted a remote server to obtain the list of targeted apps. This list included the bundle IDs of legitimate apps, used to launch an app spoofing attack, in which a fraudulent app passes itself off as a well-known app in an attempt to trick advertisers into bidding for the ad space. According to HUMAN, the ultimate goal was to register views for up to 25 video adverts by layering them on top of one another in a way completely invisible to viewers, generating illegal income.

Analyst Notes

“It doesn’t stop with the stacked ads, though. For as many of those as might be rendering on a user’s device at once, they keep loading new ads until the ad slot with the malicious ad code is closed. The actors behind the VASTFLUX scheme clearly have an intimate understanding of the digital advertising ecosystem,” stated the company. To mislead both the advertising companies and the applications that display adverts, the campaign also produced an endless “playlist” of advertisements. VASTFLUX’s takedown comes three months after the disruption of Scylla, a fraud operation targeting advertising Software Development Kits (SDKs) within 80 Android apps and 9 iOS apps released on the official stores. VASTFLUX was also involved in the most recent ad fraud botnet to be stopped in recent years, following 3ve, PARETO, and Methbot.