Investigators: Nico Agnese, Maor Elizen, Marion Habiby, Ryan Joye, Vikas Parthasarathy, Adam Sell, Mikhail Venkov
In this post:
Any good raconteur will tell you the best stories often happen when you’re not specifically looking for them. Such is the case with the Satori Threat Intelligence and Research Team’s latest takedown of a scheme we’ve dubbed VASTFLUX. The team came across unexpected web traffic patterns passing through a popular app, and while digging through that app, the Satori team uncovered a rabbit hole that got deeper and deeper the more they explored.
What the team pieced together was an expansive malvertising operation in which the bad actors injected JavaScript into ad creatives they issued, and then stacked a whole bunch of video players on top of one another, getting paid for all of the ads when none of them were visible to the person using the device.
The now-defunct VASTFLUX is an apparent adaptation of an earlier ad fraud scheme first reported in 2020. VASTFLUX evaded ad verification tags, deploying code that prevented detection of the scheme.
VASTFLUX was a very sophisticated scheme, exploiting the restricted in-app environments that run ads, particularly on iOS. More than 1,700 apps and 120 publishers were spoofed in the course of the operation, reaching a peak volume of 12 billion ad requests a day and impacting nearly 11 million devices.
VASTFLUX’s sophistication underscores a crucial element of collective protection: the more we in the industry work together, the harder cybercriminals will have to work to make any particular scheme stick for a meaningful amount of time. To that end, VASTFLUX was dismantled through the private collaborative efforts of HUMAN, its customers, and members of the Human Collective. The Satori team will continue to track the bad actors behind the scheme and watch for new schemes like VASTFLUX, and will share further information about the bad actors with the appropriate authorities.
If you’re a typical user, you may think to yourself, “ads are ads. It doesn’t particularly matter how they got onto my phone or what I’m doing when they arrive; they’re just there.” But in the world of advertising technology, there are substantial differences in how and where ads are delivered: in general, ads that run within apps pass less information to verification providers than ads that run on pages visited within a web browser. That information gap is appealing to fraudsters: they may target advertising opportunities that run in these more restricted environments with the hope that it will take longer for their scheme to be spotted and stopped by companies like HUMAN. The actors behind the VASTFLUX operation knew this, and targeted not just in-app advertising, but in-app advertising on iOS, where the environment is especially strict due to Apple’s latest privacy policies.
The Satori team found VASTFLUX while investigating an iOS app that was heavily impacted by an app spoofing attack. While we could, at the time, see that the traffic wasn’t what it claimed to be, we didn’t see why until we ran the same app on a device inside our Satori lab. Once we did that, the VASTFLUX-associated traffic presented itself, allowing us to dig deeper into what was going on.
The first step in the VASTFLUX operation is for a targeted app to reach out to its primary supply-side partner (SSP) network for a banner ad (a 320 x 50 banner) to be displayed within the app. Several demand-side partners (DSPs) place a bid for the ad slot. If the winning bid is VASTFLUX-connected, the purchasing/bidding ad server will place a static banner image in the slot and inject several scripts:
Example of obfuscated JS extracted from a Javascript file
Source: Satori Threat Intelligence and Research Team
The injected scripts decrypt the ad configurations (the above screenshot). These configurations include a static banner image to put in the ad slot, a single video ad player hidden behind the banner image, and a series of additional parameters for more stacked video players. The script then calls home to a command-and-control (C2) server for further information on what to place behind that static banner image.
Below, the Satori team has decrypted a configuration with C2 instructions:
Decrypted configuration object served with the bad ad code
Source: Satori Threat Intelligence and Research Team
The decrypted instructions here give a sense of how the most critical element of the fraud scheme actually works, but they still contain a hint of subterfuge. (Note: portions of screenshots throughout this report are redacted to preserve research leads for continued investigation.)
Two important parts of the instruction are broken in half and only reassembled later. Notice the “u”, “z”, “b”, and “n” fields in the screenshot above. When combined, the “u” and “z” fields make a publisher ID that the VASTFLUX apps spoof, and the “b” and “n” fields make an app ID that the VASTFLUX apps spoof. It’s a relatively subtle mechanism for hiding the fraudsters’ targets from cursory searches of their code. Notice also that the w and h fields (width and height) aren’t the 320 x 50 aspect ratio of the banner ad in the app. VASTFLUX spoofs the size of the ads in addition to the publisher and the app.
The reassembled publisher and app IDs form components of the URLs for video ad player scripts:
VAST Player URL using C2 configuration values
Source: Satori Threat Intelligence and Research Team
Above, the VAST URL recombines the broken fields from the configuration object to spoof both a publisher ID and an app ID.
VASTFLUX also uses an alternative encryption, which provides a different way of instructing the ads on what to spoof:
Alternative configuration blob from C2
Source: Satori Threat Intelligence and Research Team
The URL looks like gibberish on its face, but if you look at the last portion of it and decode it using base64, it turns into this:
Decrypted configuration blob
Source: Satori Threat Intelligence and Research Team
These are parameters similar to the configuration above. The first part is a spoofed publisher ID, the second a geography and language setting, the third a spoofed app ID, and the fourth a spoofed screen resolution. It’s another way the VASTFLUX operators try to sneak through defenses by masking how they instruct the ads on how to spoof.
Finally, returning to the first configuration style, there’s one more dimension worth examining:
Decrypted configuration object served with the bad ad code
Source: Satori Threat Intelligence and Research Team
Remember geometry class and talking about three-dimensional objects? The x and y axes were the first two dimensions (width and height), and then when you needed to introduce depth, you added the z-axis.
That’s what’s happening here. The z-index, highlighted in red above, is an instruction of how “deep” the window for the video player in question will be. In the screenshot, there are three windows being triggered, each on top of each other. The window with the z-index of 0 will be visible to the user, while the windows with the z-indexes of -1 and -2 will be directly behind the visible window, rendering it completely invisible to the user.
This is how VASTFLUX can stack as many as 25 ads on top of one another, getting paid for all of them, but not actually showing any to the user.
Collection of iframes dropped by the bad ad code within the ad-placement, and obscured by a fake banner.
Source: Satori Threat Intelligence and Research Team
Above, a look at the web view of a series of ads stacked upon one another. If you examine closely, you’ll see the z-index values range from 0 to -13.
It doesn’t stop with the stacked ads, though. For as many of those as might be rendering on a user’s device at once, they keep loading new ads until the ad slot with the malicious ad code is closed. The URL of the VAST players are encoded in base64. When decoded, they show that each player has its own “playlist” of ads to cycle through, each with its own URL with tracking code attached:
List of ads rendered in invisible windows
Source: Satori Threat Intelligence and Research Team
It’s in this capacity that VASTFLUX behaves most like a botnet; when an ad slot is hijacked, it renders sequences of ads the user can’t see or interact with.
The configuration instructions received from the C2 often included publisher-specific items, which would adjust the tracking URLs of the VAST players to suit the fraudsters’ goals. For example, one item instructed the VAST URL to reflect a source of “OTT Video”:
Content of a publisher level configuration for interference on tracking URLs
Source: Satori Threat Intelligence and Research Team
The actors behind the VASTFLUX scheme clearly have an intimate understanding of the digital advertising ecosystem. The Satori team observed VASTFLUX evading ad verification tags:
Content of a block list applied to tracking URLs
Source: Satori Threat Intelligence and Research Team
The Satori team found VASTFLUX by digging deep into the data: while examining traffic to and from a frequently-misrepresented app in search of evidence for a different fraud scheme altogether, the team noticed that what they were expecting to see did not match what they were seeing. Only one app was running on the device in the Satori lab, but dozens of bid requests with varying app IDs were being recorded.
It’s a classic sign of app spoofing, and it was happening on the device every few seconds. From those first hijacked impressions, the Satori team reverse-engineered how the attack worked, uncovering obfuscated JavaScript and detailing all of the ad servers connected to the scheme.
From late June into July, HUMAN carried out three distinct mitigation responses to fight VASTFLUX. The first cut VASTFLUX traffic dramatically, but resulted in the bad actors adapting. The second, only a few days after the first, reduced VASTFLUX traffic to fewer than a billion requests a day: a 92% reduction from the operation’s peak. The third, about two weeks after the first response, further impaired VASTFLUX activity. We worked closely with our customers and partners in the Human Collective to get additional insight into traffic volumes and upstream demand profile to identify the sources of the attack.
We identified the bad actors behind the operation and worked closely with abused organizations to mitigate the fraud. This resulted in the bad actors going quiet and taking down the C2 servers that powered VASTFLUX. As of December 6th, bid requests associated with VASTFLUX, which reached a peak of 12 billion requests per day, are now at zero.
Additionally, HUMAN’s recent acquisition of clean.io enhances the Human Defense Platform’s capabilities. VASTFLUX included a malvertising tactic, injecting code into the ad slot. HUMAN’s malvertising protection stops attacks like VASTFLUX at the point of injection, before any publisher/app spoofing or ad stacking can take place.
While we’ve built protections into our Human Defense Platform and worked to get the C2s shut down, we cannot assume the actors behind VASTFLUX will simply go quietly into the night. Much as our recent Scylla investigation showed, if there’s money available to be stolen, they’re going to keep trying to find ways against every protection we’ve built. And as we’ve demonstrated above, the actors in this case are particularly sophisticated.
The Satori team is not only watching for continued adaptation, they’re also pursuing a number of leads that may offer new information about the attackers themselves. Our goal is to shut these attackers down for good, sharing details of their scheme with law enforcement agencies as we did in our earlier PARETO and Methbot investigations.
Perhaps one of the scariest—and most sophisticated aspects of VASTFLUX is how it targets the ad slots themselves. Earlier fraud schemes uncovered by the Satori team could be stymied by simply not allowing a collection of fraudulent apps to proliferate. But VASTFLUX goes directly after the ad slot, so apps that are perfectly legitimate may end up showing VASTFLUX-related ads.
As mentioned above, one key way bad actors try to stay under the radar of fraud detection is by targeting advertising environments that have intentional technical limitations and restrictions, like native in-app advertising on iOS. App developers can build with the OM SDK to support advertising verification and prevent the app experience from being visibly or invisibly hijacked by fraudsters like what happened with the VASTFLUX attack.
The actors behind VASTFLUX spoofed 1,700 apps to diversify their sellable inventory. Platforms should ensure the full suite of IAB Tech Lab supply chain transparency standards is enforced: app-ads.txt to identify who is allowed to sell inventory; sellers.json to reveal seller identities and SupplyChain Object to reveal and validate authorization to sell for all intermediaries.
The VASTFLUX operators further hid by selectively allowing only certain third-party advertising tags to run inside their hidden video player stacks. HUMAN recommends ad tech platforms prioritize tag evasion mitigation tactics with fraud detection partners to minimize this type of potential blind spot.
Users can help in the broader fight against fraud by paying close attention to how their devices behave. If any of the following begin happening, it may be a sign that something is awry:
VASTFLUX is down, but it’s certainly not the end of the story. We’ll be on the lookout for future adaptations and more clues as to the identities of the perpetrators. Sophisticated schemes, however, take a substantial amount of time to build. That time comes at a cost, and the scheme needs to recoup that cost before discovery and disruption, or the entire endeavor won’t have been worth it. That’s why HUMAN uses modern defense to uncover fraud schemes and build protections fast enough that fraudsters don’t profit enough to make back their costs. By disrupting the economics of cybercrime, like we did in the private takedown of VASTFLUX, it’s the only way to win the long game and keep the collectively protected programmatic advertising ecosystem fraud free.
DOMAIN NAMES of C2 |
analytichd.com |
bidderev.com |
bidderopt.com |
datahubserv.com |
giniechoserved.com |
hubspp.com |
servehb.com |
servepp.com |
servermlrn.com |
servinglabs.com |
servioum.com |
servomous.com |
servoror.com |
servrly.com |
servrpp.com |
trackingkey3.com |
trackservexo.com |
tredenel.com |
trktrk222.com |
intensebidmarket.com |
merthub.com |
servrly.com |