VASTFLUX – Ad fraud scheme with 12 billion bid requests a day

At the end of 2022, a new advertising fraud scheme was uncovered and stopped: VASTFLUX.

The fraudsters managed to inject malicious code into ad slots, allowing them to inject multiple invisible video ads on top of each other hidden from the user.

This way, VASTFLUX was able to make more than 12 billion bid requests – every single day!

How VASTFLUX worked

The name VASTFLUX is composed of “fast flux” – a technique cybercriminals use to make it more difficult for law enforcement to take down their servers – and “VAST” – the Digital Video Ad Serving Template, developed by a working group within the Interactive Advertising Bureau (IAB).

The VASTFLUX scheme worked in 3 steps:

1. Once VASTFLUX won the bid-request for an ad, malicious JavaScript code was injected into the ad slot together with a static banner image.
2. The malicious code allowed the fraudsters to communicate with a command-and-control server and inject multiple video players behind the banner image. Several app and publisher IDs were spoofed during the injection of the video ads.
3. Injecting video ads hidden behind the banner image was not enough. VASTFLUX also refreshed the video ad slots automatically after a certain time, secretly displaying even more video ads not visible to the user.

If you want to have more detail on how the VASTFLUX scheme worked, you can take a look at the Wired article.

VASTFLUX took ad stacking to the next level

The most important thing to understand is that VASTFLUX did not rely on fraudulent apps or other malware. The fraudsters were very familiar with the digital advertising ecosystem, and the scam itself ran through completely legitimate apps on mostly iOS devices.

This was possible because VASTFLUX targeted the ad space directly, not the app or operating system.

The fraudsters were paid for each video impression, even though it was not visible to the user. Sometimes up to 25 video ads were injected into one ad slot.

At its peak, VASTFLUX spoofed more than 1,700 apps and 120 publishers and the scheme ran in apps on 11 million devices.

The financial damage caused by VASTFLUX is not yet known and is also being withheld due to the ongoing law enforcement investigation. But with 12 billion bid requests per day, VASTFLUX was the largest ad fraud scheme known to date.

Protect yourself from ad fraud

Scams like VASTFLUX are not uncommon. In our overview of the biggest ad fraud cases in recent years, we have gathered over 60 similar examples.

Advertisers lose billions of dollars every year to fraudsters who create fake websites, use bots for click fraud, or use advanced techniques like VASTFLUX.

Protect your advertising budget by using ad fraud detection and blocking software. fraud0 offers you a free 7-day trial to see for yourself. Sign up now!