Every time you open an app or website, a flurry of invisible processes takes place without you knowing. Behind the scenes, dozens of advertising companies are jostling for your attention: They want their ads in front of your eyeballs. For each ad, a series of instant auctions often determines which ads you see. This automated advertising, often known as programmatic advertising, is big business, with $418 billion spent on it last year. But it’s also ripe for abuse.
Security researchers today revealed a new widespread attack on the online advertising ecosystem that has impacted millions of people, defrauded hundreds of companies, and potentially netted its creators some serious profits. The attack, dubbed Vastflux, was discovered by researchers at Human Security, a firm focusing on fraud and bot activity. The attack impacted 11 million phones, with the attackers spoofing 1,700 app and targeting 120 publishers. At its peak, the attackers were making 12 billion requests for ads per day.
“When I first got the results for the volume of the attack, I had to run the numbers multiple times,” says Marion Habiby, a data scientist at Human Security and the lead researcher on the case. Habiby describes the attack as both one of the most sophisticated the company has seen and the largest. “It is clear the bad actors were well organized and went to great lengths to avoid detection, making sure the attack would run as long as possible—making as much money as possible,” Habiby says.
Online and mobile advertising is a complex, often murky business. But it generates piles of money for those involved. Every day billions of ads are placed on websites and in apps—advertisers or ad networks pay to have their ads displayed and make money when people click on them or see them—and much of this is done as you open a website or an app.
Vastflux was first detected by Human Security researcher Vikas Parthasarathy in the summer of 2022 while he was investigating a different threat. Habiby says operating the fraud involved multiple steps, and the attackers behind it took a range of measures to avoid being caught out.
First, the group behind the attack—which Human Security hasn’t named due to ongoing investigations—would target popular apps and try to buy an advertising slot within them. “They were not trying to hijack an entire phone, or an entire app, they were literally going through one ad slot,” Habiby says.
Once Vastflux won the auction for an ad, the group would insert some malicious JavaScript code into that ad to stealthily allow multiple video ads to be stacked on top of each other.
Put simply, the attackers were able to hijack the advertising system so that when a phone was displaying an ad within an affected app, there would actually be up to 25 ads placed on top of each other. The attackers would get paid for each ad, and you would only see one ad on your phone. However, your phone battery would drain faster than usual as it processed all the fraudulent ads.
“It’s quite genius because the minute the ad disappears, your attack stops, which means that you’re not going to be found easily,” Habiby explains.
The scale of this was colossal: In June 2022, at the peak of the group’s activity, it made 12 billion ad requests per day. Human Security says the attack primarily impacted iOS devices, although Android phones were also hit. In total, the fraud is estimated to have involved 11 million devices. There is little device owners could have done about the attack, as legitimate apps and advertising processes were impacted.
Google spokesperson Michael Aciman says the company has strict policies against “invalid traffic” and there was limited Vastflux “exposure” on its networks. “Our team thoroughly evaluated the report’s findings and took prompt enforcement action,” Aciman says. Apple did not respond to WIRED's request for comment.
Mobile ad fraud can take many different forms. This can range, as with Vastflux, from types of ad stacking and phone farms to click farms and SDK spoofing. For phone owners, batteries dying quickly, large jumps in data use, or screens turning on at random times could be signs a device is being impacted by ad fraud. In November 2018, the FBI’s biggest ad fraud investigation charged eight men with running two notorious ad fraud schemes. (Human Security and other technology companies were involved in the investigation.) And in 2020, Uber won an ad fraud lawsuit after a company it hired to get more people to install its app did so through “click flooding.”
In the case of Vastflux, the biggest impact of the attack was arguably on those involved in the sprawling advertising industry itself. The fraud affected both advertising companies and apps that show ads. “They were trying to defraud all these different groups along the supply chain, with different tactics against very different ones,” says Zach Edwards, a senior manager of threat insights at Human Security.
To avoid being detected—up to 25 simultaneous ad requests from one phone would look suspicious—the group used multiple tactics. They spoofed the advertising details of 1,700 apps, making it look like lots of different apps were involved in showing the ads, when only one was being used. Vastflux also modified its ads to only allow certain tags to be attached to adverts, helping it avoid detection.
Matthew Katz, head of marketplace quality at FreeWheel, a Comcast-owned ad tech company that was partly involved in the investigation, says attackers in the space are becoming increasingly sophisticated. “Vastflux was an especially complicated scheme,” Katz says.
The attack involved some significant infrastructure and planning, the researchers say. Edwards says Vastflux used multiple domains to launch its attack. The name Vastflux is based on “fast flux”—an attack type hackers use that involves linking multiple IP addresses to one domain name—and VAST, a template for video advertising, developed by a working group within the Interactive Advertising Bureau (IAB), that was abused in the attack. (Shailley Singh, executive vice president, product and chief operating officer at IAB Tech Lab, says using the VAST 4 version of its template can help prevent attacks like Vastflux, and other technical measures from publishers and ad networks would help reduce its effectiveness.) “It’s not the very simple kind of fraud scheme that we see all the time,” Habiby says.
The researchers refused to reveal who may be behind the Vastflux—or how much money they potentially made—citing ongoing investigations. However, they say they’ve seen the same criminals running advertising fraud efforts as far back as 2020. In that instance, the ad fraud scheme was targeting US swing states and allegedly collecting users’ data.
For now, at least, Vastflux has been stopped. In June of last year, Human Security and several companies it has partnered with to take action against ad fraud began actively combating the group and the attack. Three separate disruptions of Vastflux took place during June and July 2022, dropping the number of ad requests from the attack to under a billion per day. “We identified the bad actors behind the operation and worked closely with abused organizations to mitigate the fraud,” the company said in a blog post.
In December, the actors behind the attack took down the servers, and Human Security hasn’t seen any activity from the group since then. Tamer Hassan, the firm’s CEO, says there are multiple actions people can take against criminal actors, some of which may lead to law enforcement action. However, money matters. Stopping attackers from profiting will reduce the attacks. “Winning the economic game is how we win as an industry against cybercriminals,” Hassan says.
Update 11:55 am ET, January 19, 2023: Added comment from an IAB representative.