Researchers stopped an “expansive” ad fraud campaign that spoofed over 1,700 applications from 120 publishers and impacted about 11 million devices.

“VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views,” fraud prevention company HUMAN stated. The campaign gets its name from its use of Fast Flux, a DNS evasion method, and VAST, the Digital Video Ad Serving Template.

The operation placed bids for the display of ad banners, specifically in the restricted in-app environments that run adverts on iOS. If a bid won the auction, the hijacked ad slot injected malicious JavaScript that contacted a remote server to obtain the list of apps to target. The list included bundle IDs belonging to legitimate apps, which were used to carry out an app spoofing attack, in which a fraudulent app passes itself off as a well-known app in an attempt to trick advertisers into bidding for the ad space.

According to HUMAN, the ultimate goal was to register views for up to 25 video adverts by layering them on top of one another, completely invisibly to the viewer, and so generate illegal income.
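The stacking behaviour described above leaves a measurable trace: one ad slot on one device reports several video views running at the same time. The following is an added detection sketch, not code from HUMAN or from the campaign; the record fields (`device`, `slot`, `start`, `end`) and the sample data are constructed assumptions.

```javascript
// Constructed sample impression records (not real telemetry).
// Times are seconds since the slot was rendered; field names are assumptions.
const sampleImpressions = [
  { device: "dev-A", slot: "banner-1", creative: "v1", start: 0, end: 30 },
  { device: "dev-A", slot: "banner-1", creative: "v2", start: 1, end: 31 },
  { device: "dev-A", slot: "banner-1", creative: "v3", start: 2, end: 32 },
  { device: "dev-B", slot: "banner-1", creative: "v1", start: 0, end: 30 },
  { device: "dev-B", slot: "banner-1", creative: "v4", start: 30, end: 60 },
];

// Peak number of video views playing simultaneously within one group.
function peakConcurrency(records) {
  const events = [];
  for (const r of records) {
    events.push([r.start, 1]);
    events.push([r.end, -1]);
  }
  // Sort by time; at equal timestamps process ends (-1) before starts (+1)
  // so back-to-back ads in a legitimate rotation do not count as overlap.
  events.sort((a, b) => a[0] - b[0] || a[1] - b[1]);
  let current = 0;
  let peak = 0;
  for (const [, delta] of events) {
    current += delta;
    if (current > peak) peak = current;
  }
  return peak;
}

// Group views by device and slot, then flag any slot whose peak
// concurrency exceeds what a single visible player could produce.
function flagStackedSlots(impressions, maxConcurrent = 1) {
  const groups = new Map();
  for (const r of impressions) {
    const key = `${r.device}|${r.slot}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const flagged = [];
  for (const [key, records] of groups) {
    const peak = peakConcurrency(records);
    if (peak > maxConcurrent) flagged.push({ key, peak });
  }
  return flagged;
}
```
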