
The Subtle Threat: Unmasking the VASTFLUX Ad Fraud Scheme

Rabah Moula


In the digital realm, malicious activities are not always visible or disruptive to an end user. Some, like the recently shut down VASTFLUX ad fraud scheme, operate in such a refined and concealed manner that users never even suspect they're the victims of an extensive cybercrime. VASTFLUX, an expansive ad fraud scheme that had spoofed more than 1,700 applications from 120 publishers and impacted approximately 11 million devices, was brought to an end thanks to the diligent work of cybersecurity researchers.


 

Deep Dive Into VASTFLUX

VASTFLUX was a classic case of malvertising. In this instance, fraudsters injected malicious JavaScript code into digital ad creatives, enabling them to stack multiple invisible video ad players behind one another and register ad views.


The scheme acquired its name from the combination of Fast Flux, a DNS evasion technique, and VAST (Video Ad Serving Template), a standard employed to serve ads to video players. This sophisticated operation exploited restricted in-app environments running ads on iOS devices, placing bids to display ad banners. Upon winning an auction, the hijacked ad slot would then be used to inject rogue JavaScript, establishing contact with a remote server to fetch the list of apps targeted.


In a clever maneuver, fraudsters utilized bundle IDs of legitimate apps for an app spoofing attack. They tricked advertisers into bidding for the ad space by passing off fraudulent apps as reputable ones.


The endgame? To register views for up to 25 video ads by layering them over each other, entirely unseen by the users, and generate illicit revenue. According to HUMAN, the fraud prevention firm that unearthed VASTFLUX, the loading of new ads continued until the ad slot containing the malicious ad code was closed.




Implications and Response in the Cybersecurity Space

Cybersecurity professionals, particularly those working within Cyber Security Operations Centers (CSOCs), must closely monitor these schemes. CSOCs are the frontline of defense against such ad fraud operations. They continually track, assess, and defend the cyber environment within an organization. With the advent of increasingly sophisticated ad fraud operations like VASTFLUX, Scylla, 3ve, PARETO, and Methbot, the vigilance of these teams is more critical than ever.


To mitigate and prevent such attacks, CSOCs employ various cybersecurity theories and practices. One such theory is the Defense-in-Depth (DiD) strategy, which advocates for multiple layers of security controls and countermeasures. Applying this in the context of ad fraud, organizations can incorporate measures such as stringent ad verification processes, regular audits of ad traffic, and the use of advanced machine learning algorithms to detect and prevent fraud.


Additionally, threat intelligence feeds, which provide information about potential or current attacks threatening an organization, can be leveraged to monitor and counteract similar ad fraud schemes. Integrating such feeds into security information and event management (SIEM) systems enables real-time analysis of security alerts, bolstering the organization's overall security posture.
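The article names two concrete measures a CSOC can apply to this class of fraud: regular audits of ad traffic (the Defense-in-Depth paragraph above) and feeding the results into a SIEM for real-time alerting. The following Python is an added example, not code from the original article, from HUMAN, or from any ad platform. It triages ad-server impression logs for the two signals the article attributes to VASTFLUX: many video (VAST) impressions registered from a single ad slot in a short window (ad stacking), and a declared bundle ID that differs from the app the request was actually observed to come from (app spoofing). The log format, field names, bundle IDs, thresholds and session identifiers are all constructed for the example and should be mapped onto whatever your ad server actually emits.

```python
"""Heuristic ad-fraud triage over ad-server impression logs.

Added example; not part of the original article or of any vendor's tooling.
Log format, field names, thresholds and sample values are assumptions.
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds are assumptions: tune them against a baseline of known-good traffic.
MAX_VIDEO_IMPRESSIONS_PER_SLOT = 3      # a real slot rarely plays more than a few videos per window
WINDOW = timedelta(seconds=60)          # sliding window for the stacking check


@dataclass
class Impression:
    ts: datetime
    session: str
    slot: str
    declared_bundle: str   # bundle ID the bid request claimed
    observed_bundle: str   # bundle ID the SDK/measurement layer actually saw
    ad_type: str           # "video" or "banner"


@dataclass
class Finding:
    session: str
    reasons: list = field(default_factory=list)


def parse_line(line: str) -> Impression:
    """Parse one constructed log line: ISO-ts|session|slot|declared_bundle|observed_bundle|ad_type"""
    ts, session, slot, declared, observed, ad_type = line.strip().split("|")
    return Impression(datetime.fromisoformat(ts), session, slot, declared, observed, ad_type)


def analyse(lines) -> dict:
    """Return {session: Finding} for sessions showing spoofing or stacking signals."""
    impressions = [parse_line(l) for l in lines if l.strip()]
    findings: dict = {}

    # Signal 1 (app spoofing): declared bundle ID does not match the observed one.
    for imp in impressions:
        if imp.declared_bundle != imp.observed_bundle:
            f = findings.setdefault(imp.session, Finding(imp.session))
            reason = f"bundle mismatch: declared {imp.declared_bundle}, observed {imp.observed_bundle}"
            if reason not in f.reasons:
                f.reasons.append(reason)

    # Signal 2 (ad stacking): peak number of video impressions per (session, slot)
    # inside any WINDOW-long sliding window.
    by_slot = defaultdict(list)
    for imp in impressions:
        if imp.ad_type == "video":
            by_slot[(imp.session, imp.slot)].append(imp.ts)
    for (session, slot), stamps in by_slot.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > MAX_VIDEO_IMPRESSIONS_PER_SLOT:
            f = findings.setdefault(session, Finding(session))
            f.reasons.append(f"ad stacking: {peak} video impressions in slot {slot} within {WINDOW.seconds}s")
    return findings


def to_siem_events(findings: dict) -> list:
    """Serialise findings as JSON lines, one alert per session, for SIEM ingestion."""
    return [
        json.dumps({"event_type": "ad_fraud_suspect", "session": f.session,
                    "severity": "high" if len(f.reasons) > 1 else "medium",
                    "reasons": f.reasons})
        for f in findings.values()
    ]


# Constructed sample log: one benign session and one showing both signals.
SAMPLE_LOG = [
    "2023-01-15T10:00:00|s-benign|slot-1|com.example.good|com.example.good|video",
    "2023-01-15T10:00:40|s-benign|slot-2|com.example.good|com.example.good|banner",
    "2023-01-15T10:01:30|s-benign|slot-1|com.example.good|com.example.good|video",
    "2023-01-15T10:00:00|s-fraud|slot-1|com.example.good|com.example.unknown|video",
    "2023-01-15T10:00:05|s-fraud|slot-1|com.example.good|com.example.unknown|video",
    "2023-01-15T10:00:10|s-fraud|slot-1|com.example.good|com.example.unknown|video",
    "2023-01-15T10:00:15|s-fraud|slot-1|com.example.good|com.example.unknown|video",
    "2023-01-15T10:00:20|s-fraud|slot-1|com.example.good|com.example.unknown|video",
    "2023-01-15T10:00:25|s-fraud|slot-1|com.example.good|com.example.unknown|video",
]


def run_sample() -> dict:
    """Run the triage over the constructed sample log."""
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    for event in to_siem_events(run_sample()):
        print(event)
```

The sliding-window count is deliberately per slot rather than per session, because the article's point is that one hijacked slot kept loading new players until it was closed; a session legitimately rotating through several slots should not trip the check. Both signals are heuristics and belong in a SIEM correlation rule alongside other context (device, publisher reputation, historical baseline), not as an automatic block on their own.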

Glossary

1. Malvertising: The use of online advertising to spread malware.

2. Fast Flux: A DNS technique used by botnets to hide phishing and malware delivery sites.

3. VAST (Video Ad Serving Template): A universal script for serving video ads that allows ad servers to use a single ad response across multiple publishers/platforms.

4. App Spoofing: A fraudulent practice where an app passes itself off as a highly regarded app to trick advertisers into bidding for the ad space.

5. Defense-in-Depth (DiD): A strategy that applies multiple layers of defense to resist the progress of an attack.

6. SIEM (Security Information and Event Management): An approach to security management that provides a holistic view of an organization's information security.

7. Threat Intelligence Feed: A constant stream of information, often sourced externally, about current or potential threats that an organization might face.



Summary

The VASTFLUX ad fraud scheme, which spoofed over 1,700 apps and impacted around 11 million devices, demonstrated the potential harm of invisible threats lurking in the digital landscape. Exploiting the restricted in-app environments running ads on iOS, the scheme generated illicit revenue by stacking invisible ads and registering false views. The continuous vigilance of cybersecurity teams and the implementation of advanced preventive measures are crucial in combating such insidious threats.
