At its peak, VASTFLUX accounted for more than 12 billion fraudulent ad requests a day, impacting nearly 11 million devices
Dubbed VASTFLUX, the name is derived from the concept of “fast flux,” an evasion technique used by cybercriminals, and VAST, the Digital Video Ad Serving Template that was exploited in this operation. This is the biggest operation uncovered by HUMAN’s Satori Threat Intelligence and Research Team, with a peak of more than 12 billion ad requests a day, reaching the highest per-day volume of any operation uncovered by the Satori team and eclipsing the peak volumes of HUMAN’s previous high-profile disruptions, including Methbot, PARETO and 3ve. This operation has been shut down through a private takedown led by HUMAN, protecting the entire programmatic advertising ecosystem from this cybercriminal organization. HUMAN continues to monitor the VASTFLUX operators.
“What was technically impressive and incredibly concerning about VASTFLUX was the fraudsters hijacked impressions on legitimate apps, which makes it nearly impossible for users to tell if they are impacted,” said Gavin Reid, HUMAN’s newly-appointed CISO. “Orchestrating a private takedown of this magnitude and severity is no small feat, and I want to take a moment to thank all involved, including the HUMAN Satori Threat Intelligence and Research Team, the team at clean.io and the industry leaders who make up The Human Collective who are dedicated to making the programmatic ecosystem safe and human.”
The Satori team found VASTFLUX while investigating an iOS app that was heavily impacted by an app spoofing attack. VASTFLUX is a very sophisticated scheme, exploiting the limited signal available to verification partners in the environment they targeted: in-app advertising, particularly on iOS. VAST fraud has evolved to spoofing bids in one platform to make them appear in another platform, which makes these cross platform attacks a formidable foe.
HUMAN worked closely with its partners in the Human Collective to get additional insight into traffic volumes and verification tags they were using on their ads. Within a two-week period, HUMAN’s Satori Team deployed three distinct mitigation measures to protect customers from VASTFLUX, followed by the private takedown.
The takedown of the VASTFLUX operation comes just three months after the Satori Team announced the disruption of Scylla, a fraud operation targeting advertising software development kits (SDKs) within 9 apps on the Apple App Store and 80 Android apps on the Google Play Store, which collectively were downloaded more than 13 million times.
VASTFLUX’s sophistication underscores a crucial element of modern defense, enabling us to disrupt the economics of cybercrime by increasing the costs to cybercriminals while simultaneously reducing the cost of collective protection. The more we in the industry work together, the harder cybercriminals will have to work to make any particular scheme stick for a meaningful amount of time.
To learn more about the VASTFLUX operation, visit the HUMAN blog, or read the full technical report.
HUMAN is a cybersecurity company that safeguards 1,200+ brands from digital attacks including bots, fraud and account abuse. We leverage modern defense to disrupt the economics of cybercrime by increasing the cost to cybercriminals while simultaneously reducing the cost of collective defense. Today we verify the humanity of more than 20 trillion digital interactions per week across advertising, marketing, e-commerce, government, education and enterprise security, putting us in a position to win against cybercriminals. Protect your digital business with HUMAN. To Know Who’s Real, visit www.humansecurity.com.