HUMAN Discovers and Shuts Down Massive Ad Fraud Scheme

Mobile advertising is big business, and where money flows, fraudsters follow. 

Last year, advertisers spent over $327 billion targeting users as they engaged with popular mobile apps, but as HUMAN Security announced yesterday, a chunk of that spending went into the pockets of fraudsters who successfully launched a massive ad fraud scheme.

HUMAN discovered the highly sophisticated scheme, dubbed VASTFLUX, last summer. The name is a combination of fast flux, an evasion technique used by cybercriminals, and VAST, which the criminals exploited to perpetrate this crime.

Massive Ad Fraud Scheme

In this multistep fraud, attackers purchased mobile inventory via programmatic exchanges and then injected malicious JavaScript code. That code allowed the attackers to stack as many as 25 video ads on top of one another, enabling the fraudsters to register multiple ad views. All ads, of course, were completely invisible to the user, which was instrumental in evading detection.

“What was technically impressive and incredibly concerning about VASTFLUX was the fraudsters hijacked impressions on legitimate apps, which makes it nearly impossible for users to tell if they are impacted,” said Gavin Reid, HUMAN’s newly-appointed CISO, in a statement.

HUMAN discovered VASTFLUX as its data scientists were investigating an entirely different threat. VASTFLUX managed to spoof some 1,700 apps, target 120 publishers, and run ads on 11 million devices. At its peak, the fraud accounted for more than 12 billion fraudulent ad requests per day.

“It is clear the bad actors were well organized and went to great lengths to avoid detection, making sure the attack would run as long as possible—making as much money as possible,” Marion Habiby, a data scientist at HUMAN Security, told Wired.

A Bot Economy

Thanks to their ability to mimic human behavior, bots are a favored and prolific tool of cybercriminals. Tamer Hassan, CEO and Co-Founder of HUMAN Security, says bots are used in 77% of all digital attacks.

“What’s especially important to understand is there is a bot economy that supports sophisticated organized criminal activity, allowing anyone to buy bots. This allows bad actor groups to function like legitimate businesses and fund other criminal schemes.” 

For instance, his company has seen:

  • Botnets leased or even franchised, similar to the way other SaaS products are marketed and sold.
  • Customer success services complete with customized solutions and 24/7 support via encrypted chat rooms.
  • Marketplaces for everyday users – not sophisticated cybercriminals – to purchase bot support to secure coveted items like tickets, sneakers, etc.

As a result of this economy, malicious actors, such as those behind VASTFLUX, can easily develop, deploy and adapt botnets in order to bilk advertisers while evading detection. 

According to Hassan, the ultimate goal is to eliminate the financial incentive for these schemes, an effort that will require cooperation among everyone in the industry.

“We need to change our approach and embrace modern defense as a core framework for effective intra-industry and public-private collaboration. This approach goes after the economics of cybercrime, ultimately making schemes like VASTFLUX unprofitable while collective protection lowers the cost of defense. Winning the economic game is how we win as an industry against cybercriminals.”