A massive ad fraud campaign that took advantage of over 10 million devices, particularly iOS ones, was recently discovered and dismantled by researchers at HUMAN Security’s Satori Threat Intelligence team.
The researchers spotted an iOS app that was undergoing an ad-spoofing attack — when they took an infected device into their lab, they were able to see what was really going on.
And it was a lot.
The network — which the researchers dubbed VASTFLUX, after the way the criminals hid themselves and the Video Ad Serving Template (VAST) standard they were taking advantage of — was found to be spoofing both the ad’s publisher ID and the app ID. Once a bid from an unsuspecting partner to run an ad was won, injected JavaScript took control of the ad slot, which is where things get tricky.
The banner ad would be displayed to a user, but underneath it were more video ads, playing constantly in the background and registering impressions that no user ever saw. The VASTFLUX network was capable of stacking up to 25 videos behind a single banner ad, making money from each of them without any of them being seen.
What’s more, each individual video player runs a whole playlist of ad videos.
“The Satori team found VASTFLUX by digging deep into the data: while examining traffic to and from a frequently misrepresented app in search of evidence for a different fraud scheme altogether, the team noticed that what they were expecting to see did not match what they were seeing,” the team said in a blog post. “Only one app was running on the device in the Satori lab, but dozens of bid requests with varying app IDs were being recorded.
“It’s a classic sign of app spoofing, and it was happening on the device every few seconds.”
At the network’s peak, it was making 12 billion ad bids per day.
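The tell-tale signal the Satori team describes (one app genuinely running, yet bid requests carrying many different app IDs every few seconds) can be checked mechanically. The following is an added example, not code from HUMAN Security or the article; it assumes a constructed, hypothetical log format of `<unix_ts> device=<id> app=<app_id>` and a lab record of which app is really in the foreground on each device.

```python
"""Added example: flag devices whose bid requests advertise many app IDs
that do not match the single app actually running on the device."""
from collections import defaultdict

# Constructed sample log (hypothetical format). Device d1 runs one app but
# emits bids for a different app ID every three seconds; d2 behaves normally.
SAMPLE_LOG = """\
1000 device=d1 app=com.example.weather
1003 device=d1 app=com.example.news
1006 device=d1 app=com.example.game
1009 device=d1 app=com.example.photos
1012 device=d1 app=com.example.music
1000 device=d2 app=com.example.weather
1060 device=d2 app=com.example.weather
"""

# Constructed ground truth from lab instrumentation: the app genuinely running.
FOREGROUND_APP = {"d1": "com.example.weather", "d2": "com.example.weather"}


def parse_line(line):
    """Split one constructed log line into (timestamp, device, app_id)."""
    ts, dev, app = line.split()
    return int(ts), dev.split("=", 1)[1], app.split("=", 1)[1]


def find_spoofing(log_text, foreground, window_s=60, min_distinct=3):
    """Return {device: sorted spoofed app IDs} for every device that, within
    any `window_s`-second sliding window, bids under at least `min_distinct`
    app IDs other than its real foreground app."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, dev, app = parse_line(line)
        events[dev].append((ts, app))

    flagged = {}
    for dev, evs in events.items():
        evs.sort()
        real = foreground.get(dev)
        for i, (t0, _) in enumerate(evs):
            # App IDs claimed in the window that are not the app really running.
            others = {a for t, a in evs[i:] if t - t0 <= window_s and a != real}
            if len(others) >= min_distinct:
                flagged[dev] = sorted(others)
                break
    return flagged


if __name__ == "__main__":
    print(find_spoofing(SAMPLE_LOG, FOREGROUND_APP))
```

In a real deployment the foreground-app record would come from device instrumentation rather than a dictionary, and the window and threshold would be tuned against legitimate multi-app usage.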
The researchers at Satori then set about dismantling the scheme, working with other researchers and customers that were being taken advantage of by the fraudulent ad networks.
The fraudulent ad network has now gone quiet, and the Satori team believes the command and control nodes running it have been shut down. But possibly not for long, as the team believes hackers this skilled will find another way to run their scheme.
They are watching this space.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.