To avoid being detected (up to 25 simultaneous ad requests from one phone would look suspicious), the group used multiple tactics. They spoofed the advertising details of 1,700 apps, making it look as if many different apps were showing the ads when only one app was actually involved. Vastflux also modified its ads so that only certain tags could be attached to them, which helped it avoid detection.
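The two evasion tactics above point directly at the two device-level signals a defender can watch: how many ad requests a single device emits at once, and how many different apps that single device claims to be. The script below is an added example, not code from the article or from Human Security, and it generalizes beyond the specific scheme: it profiles each device in a constructed ad-request log (timestamp, device ID, declared app bundle ID), computes peak concurrency in a one-second window and the number of distinct declared bundle IDs, and flags devices that exceed thresholds. The log format, the device and bundle names, and the thresholds (`max_concurrent`, `max_apps`) are all assumptions chosen for the demo.

```python
"""Device-level ad-request anomaly heuristics.

Added example (not from the article or Human Security). It demonstrates
two signals implied by the article: a single device firing many ad
requests in the same instant, and a single device claiming to be many
different apps. All log lines are constructed for the demo; the log
format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, NamedTuple


class AdRequest(NamedTuple):
    ts: datetime
    device: str   # device identifier seen by the ad exchange
    bundle: str   # app bundle ID the request *claims* to come from


def parse_line(line: str) -> AdRequest:
    """Parse one constructed log line: '<iso-ts> <device-id> <bundle-id>'."""
    ts, device, bundle = line.split()
    return AdRequest(datetime.fromisoformat(ts.replace("Z", "+00:00")), device, bundle)


def build_sample_log() -> List[str]:
    """Constructed sample: one ordinary phone and one device behaving like an
    ad-fraud bot. Names and counts are illustrative, not observed data."""
    base = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
    lines = []
    # dev-A: a normal phone, three requests minutes apart from two real apps.
    for i, bundle in enumerate(["com.example.news", "com.example.news", "com.example.weather"]):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} dev-A {bundle}")
    # dev-B: 25 requests in the same second, each claiming a different app.
    for i in range(25):
        lines.append(f"{base.isoformat()} dev-B com.spoofed.app{i:03d}")
    return lines


def peak_concurrency(timestamps: Iterable[datetime], window: timedelta = timedelta(seconds=1)) -> int:
    """Largest number of requests falling inside any sliding window of `window`."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def profile_devices(requests: Iterable[AdRequest]) -> Dict[str, Dict[str, int]]:
    """Per-device request count, distinct declared bundle IDs, and peak concurrency."""
    by_device: Dict[str, List[AdRequest]] = defaultdict(list)
    for r in requests:
        by_device[r.device].append(r)
    return {
        dev: {
            "requests": len(rs),
            "distinct_apps": len({r.bundle for r in rs}),
            "peak_concurrent": peak_concurrency(r.ts for r in rs),
        }
        for dev, rs in by_device.items()
    }


def flag_suspicious(profiles: Dict[str, Dict[str, int]],
                    max_concurrent: int = 10, max_apps: int = 10) -> List[str]:
    """Devices whose concurrency or app diversity exceeds the (assumed) thresholds."""
    return sorted(
        dev for dev, p in profiles.items()
        if p["peak_concurrent"] > max_concurrent or p["distinct_apps"] > max_apps
    )


if __name__ == "__main__":
    profiles = profile_devices(parse_line(l) for l in build_sample_log())
    for dev, p in sorted(profiles.items()):
        print(dev, p)
    print("flagged:", flag_suspicious(profiles))
```

The thresholds are deliberately simple; in practice a defender would tune them per traffic source and combine them with other checks (for example, whether the declared bundle ID is consistent with the device's user agent), but the point stands: a phone that claims to be dozens of distinct apps within a second is not a phone a real user is holding.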
Matthew Katz, head of marketplace quality at FreeWheel, a Comcast-owned ad tech company that was partly involved in the investigation, says attackers in the space are becoming increasingly sophisticated. “Vastflux was an especially complicated scheme,” Katz says.
The attack involved significant infrastructure and planning, the researchers say. Edwards says Vastflux used multiple domains to launch its attack. The name Vastflux combines "fast flux", a technique in which attackers rapidly rotate many IP addresses behind a single domain name so that their infrastructure is hard to pin down and block, with VAST, the video ad serving template developed by a working group within the Interactive Advertising Bureau (IAB) that was abused in the attack. (Shailley Singh, executive vice president, product and chief operating officer at IAB Tech Lab, says using the VAST 4 version of its template can help prevent attacks like Vastflux, and other technical measures from publishers and ad networks would help reduce its effectiveness.) “It’s not the very simple kind of fraud scheme that we see all the time,” Habiby says.
The researchers declined to say who may be behind Vastflux, or how much money they potentially made, citing ongoing investigations. However, they say they have seen the same criminals running advertising fraud efforts as far back as 2020.
For now, at least, Vastflux has been stopped. In June 2022, Human Security and several of its partner companies in the fight against ad fraud began actively combating the group and the attack. Three separate disruptions of Vastflux took place during June and July 2022, dropping the number of ad requests from the attack to under a billion per day. “We identified the bad actors behind the operation and worked closely with abused organizations to mitigate the fraud,” the company said in a blog post.
In December, the actors behind the attack took down the servers, and Human Security hasn’t seen any activity from the group since then. Tamer Hassan, the firm’s CEO, says there are multiple actions people can take against criminal actors, some of which may lead to law enforcement action. However, money matters. Stopping attackers from profiting will reduce the attacks. “Winning the economic game is how we win as an industry against cybercriminals,” Hassan says.
Update 11:55 am ET, January 19, 2023: Added comment from an IAB representative.