Secure 2024: Forrester Wave™ Q2 2022 Showcases Leading Bot Management Solutions
HUMAN Blog

Traffic signals: The VASTFLUX Takedown

Investigators: Nico Agnese, Maor Elizen, Marion Habiby, Ryan Joye, Vikas Parthasarathy, Adam Sell, Mikhail Venkov

In this post:

  • HUMAN’s Satori Threat Intelligence and Research Team uncovered and took down a sophisticated ad fraud operation we’ve dubbed VASTFLUX. This private takedown of an expansive and complex threat embodies the power of modern defense and collective protection.
  • The name VASTFLUX is derived from the concept of “fast flux”, an evasion technique used by cybercriminals, and VAST, the Digital Video Ad Serving Template that was abused in this operation.
  • VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views.
  • At its peak, VASTFLUX accounted for more than 12 billion bid requests a day. More than 1,700 apps and 120 publishers were spoofed, and the scheme ran inside apps on nearly 11 million devices.
  • The fraudsters behind the VASTFLUX operation have an intimate understanding of the digital advertising ecosystem; they evaded ad verification tags, making it harder for this scheme to be found.


Introduction

Any good raconteur will tell you the best stories often happen when you’re not specifically looking for them. Such is the case with the Satori Threat Intelligence and Research Team’s latest takedown of a scheme we’ve dubbed VASTFLUX. The team came across unexpected web traffic patterns passing through a popular app, and while digging through that app, the Satori team uncovered a rabbit hole that got deeper and deeper the more they explored.

What the team pieced together was an expansive malvertising operation in which the bad actors injected JavaScript into ad creatives they issued, and then stacked a whole bunch of video players on top of one another, getting paid for all of the ads when none of them were visible to the person using the device.

The now-defunct VASTFLUX is an apparent adaptation of an earlier ad fraud scheme first reported in 2020. VASTFLUX evaded ad verification tags, deploying code that prevented detection of the scheme.

VASTFLUX was a very sophisticated scheme, exploiting the restricted in-app environments that run ads, particularly on iOS. More than 1,700 apps and 120 publishers were spoofed in the course of the operation, reaching a peak volume of 12 billion ad requests a day and impacting nearly 11 million devices.

VASTFLUX’s sophistication underscores a crucial element of collective protection: the more we in the industry work together, the harder cybercriminals will have to work to make any particular scheme stick for a meaningful amount of time. To that end, VASTFLUX was dismantled through the private collaborative efforts of HUMAN, its customers, and members of the Human Collective. The Satori team will continue to track the bad actors behind the scheme and watch for new schemes like VASTFLUX, and will share further information about the bad actors with the appropriate authorities.

Background

If you’re a typical user, you may think to yourself, “ads are ads. It doesn’t particularly matter how they got onto my phone or what I’m doing when they arrive; they’re just there.” But in the world of advertising technology, there are substantial differences in how and where ads are delivered: in general, ads that run within apps pass less information to verification providers than ads that run on pages visited within a web browser. That information gap is appealing to fraudsters: they may target advertising opportunities that run in these more restricted environments with the hope that it will take longer for their scheme to be spotted and stopped by companies like HUMAN. The actors behind the VASTFLUX operation knew this, and targeted not just in-app advertising, but in-app advertising on iOS, where the environment is especially strict due to Apple’s latest privacy policies.

The Satori team found VASTFLUX while investigating an iOS app that was heavily impacted by an app spoofing attack. While we could, at the time, see that the traffic wasn’t what it claimed to be, we didn’t see why until we ran the same app on a device inside our Satori lab. Once we did that, the VASTFLUX-associated traffic presented itself, allowing us to dig deeper into what was going on.

How It Worked


Step One: JavaScript Injection

The first step in the VASTFLUX operation is for a targeted app to reach out to its primary supply-side partner (SSP) network for a banner ad (a 320 x 50 banner) to be displayed within the app. Several demand-side partners (DSPs) place a bid for the ad slot. If the winning bid is VASTFLUX-connected, the purchasing/bidding ad server will place a static banner image in the slot and inject several scripts:

Obfuscated JS
Example of obfuscated JS extracted from a Javascript file
Source: Satori Threat Intelligence and Research Team

Step Two: C2 Instructions

The injected scripts decrypt the ad configurations (the above screenshot). These configurations include a static banner image to put in the ad slot, a single video ad player hidden behind the banner image, and a series of additional parameters for more stacked video players. The script then calls home to a command-and-control (C2) server for further information on what to place behind that static banner image.

Below, the Satori team has decrypted a configuration with C2 instructions:

Decrypted Configuration Object
Decrypted configuration object served with the bad ad code
Source: Satori Threat Intelligence and Research Team

The decrypted instructions here give a sense of how the most critical element of the fraud scheme actually works, but they still contain a hint of subterfuge. (Note: portions of screenshots throughout this report are redacted to preserve research leads for continued investigation.)

Two important parts of the instruction are broken in half and only reassembled later. Notice the “u”, “z”, “b”, and “n” fields in the screenshot above. When combined, the “u” and “z” fields make a publisher ID that the VASTFLUX apps spoof, and the “b” and “n” fields make an app ID that the VASTFLUX apps spoof. It’s a relatively subtle mechanism for hiding the fraudsters’ targets from cursory searches of their code. Notice also that the w and h fields (width and height) aren’t the 320 x 50 aspect ratio of the banner ad in the app. VASTFLUX spoofs the size of the ads in addition to the publisher and the app.

The reassembled publisher and app IDs form components of the URLs for video ad player scripts:

VAST Player URL
VAST Player URL using C2 configuration values
Source: Satori Threat Intelligence and Research Team

Above, the VAST URL recombines the broken fields from the configuration object to spoof both a publisher ID and an app ID.

VASTFLUX also uses an alternative encryption, which provides a different way of instructing the ads on what to spoof:

Alternative Configuration Blob
Alternative configuration blob from C2
Source: Satori Threat Intelligence and Research Team

The URL looks like gibberish on its face, but if you look at the last portion of it and decode it using base64, it turns into this:

Decrypted Configuration Blob
Decrypted configuration blob
Source: Satori Threat Intelligence and Research Team

These are parameters similar to the configuration above. The first part is a spoofed publisher ID, the second a geography and language setting, the third a spoofed app ID, and the fourth a spoofed screen resolution. It’s another way the VASTFLUX operators try to sneak through defenses by masking how they instruct the ads on how to spoof.

Finally, returning to the first configuration style, there’s one more dimension worth examining:

Z-Index Highlight
Decrypted configuration object served with the bad ad code
Source: Satori Threat Intelligence and Research Team

Remember geometry class and talking about three-dimensional objects? The x and y axes were the first two dimensions (width and height), and then when you needed to introduce depth, you added the z-axis.

That’s what’s happening here. The z-index, highlighted in red above, is an instruction of how “deep” the window for the video player in question will be. In the screenshot, there are three windows being triggered, each on top of each other. The window with the z-index of 0 will be visible to the user, while the windows with the z-indexes of -1 and -2 will be directly behind the visible window, rendering it completely invisible to the user.

This is how VASTFLUX can stack as many as 25 ads on top of one another, getting paid for all of them, but not actually showing any to the user.

iFrames
Collection of iframes dropped by the bad ad code within the ad-placement, and obscured by a fake banner.
Source: Satori Threat Intelligence and Research Team

Above, a look at the web view of a series of ads stacked upon one another. If you examine closely, you’ll see the z-index values range from 0 to -13.

Step Three: A Playlist of Ads

It doesn’t stop with the stacked ads, though. For as many of those as might be rendering on a user’s device at once, they keep loading new ads until the ad slot with the malicious ad code is closed. The URL of the VAST players are encoded in base64. When decoded, they show that each player has its own “playlist” of ads to cycle through, each with its own URL with tracking code attached:


List of ads rendered in invisible windows
Source: Satori Threat Intelligence and Research Team

It’s in this capacity that VASTFLUX behaves most like a botnet; when an ad slot is hijacked, it renders sequences of ads the user can’t see or interact with.

Step Four: Fraud Tracking Evasion

The configuration instructions received from the C2 often included publisher-specific items, which would adjust the tracking URLs of the VAST players to suit the fraudsters’ goals. For example, one item instructed the VAST URL to reflect a source of “OTT Video”:

Publisher Level Configuration
Content of a publisher level configuration for interference on tracking URLs
Source: Satori Threat Intelligence and Research Team

The actors behind the VASTFLUX scheme clearly have an intimate understanding of the digital advertising ecosystem. The Satori team observed VASTFLUX evading ad verification tags:

Blocklist
Content of a block list applied to tracking URLs
Source: Satori Threat Intelligence and Research Team

How We Responded


Defense

The Satori team found VASTFLUX by digging deep into the data: while examining traffic to and from a frequently-misrepresented app in search of evidence for a different fraud scheme altogether, the team noticed that what they were expecting to see did not match what they were seeing. Only one app was running on the device in the Satori lab, but dozens of bid requests with varying app IDs were being recorded.

It’s a classic sign of app spoofing, and it was happening on the device every few seconds. From those first hijacked impressions, the Satori team reverse-engineered how the attack worked, uncovering obfuscated JavaScript and detailing all of the ad servers connected to the scheme.

From late June into July, HUMAN carried out three distinct mitigation responses to fight VASTFLUX. The first cut VASTFLUX traffic dramatically, but resulted in the bad actors adapting. The second, only a few days after the first, reduced VASTFLUX traffic to fewer than a billion requests a day: a 92% reduction from the operation’s peak. The third, about two weeks after the first response, further impaired VASTFLUX activity. We worked closely with our customers and partners in the Human Collective to get additional insight into traffic volumes and upstream demand profile to identify the sources of the attack.

We identified the bad actors behind the operation and worked closely with abused organizations to mitigate the fraud. This resulted in the bad actors going quiet and taking down the C2 servers that powered VASTFLUX. As of December 6th, bid requests associated with VASTFLUX, which reached a peak of 12 billion requests per day, are now at zero.

Takedown Graph

Additionally, HUMAN’s recent acquisition of clean.io enhances the Human Defense Platform’s capabilities. VASTFLUX included a malvertising tactic, injecting code into the ad slot. HUMAN’s malvertising protection stops attacks like VASTFLUX at the point of injection, before any publisher/app spoofing or ad stacking can take place.

Offense

While we’ve built protections into our Human Defense Platform and worked to get the C2s shut down, we cannot assume the actors behind VASTFLUX will simply go quietly into the night. Much as our recent Scylla investigation showed, if there’s money available to be stolen, they’re going to keep trying to find ways against every protection we’ve built. And as we’ve demonstrated above, the actors in this case are particularly sophisticated.

The Satori team is not only watching for continued adaptation, they’re also pursuing a number of leads that may offer new information about the attackers themselves. Our goal is to shut these attackers down for good, sharing details of their scheme with law enforcement agencies as we did in our earlier PARETO and Methbot investigations.

What You Can Do

Perhaps one of the scariest—and most sophisticated aspects of VASTFLUX is how it targets the ad slots themselves. Earlier fraud schemes uncovered by the Satori team could be stymied by simply not allowing a collection of fraudulent apps to proliferate. But VASTFLUX goes directly after the ad slot, so apps that are perfectly legitimate may end up showing VASTFLUX-related ads.

App Developers: OM SDK

As mentioned above, one key way bad actors try to stay under the radar of fraud detection is by targeting advertising environments that have intentional technical limitations and restrictions, like native in-app advertising on iOS. App developers can build with the OM SDK to support advertising verification and prevent the app experience from being visibly or invisibly hijacked by fraudsters like what happened with the VASTFLUX attack.

Ad Platforms: Standards & Transparency

The actors behind VASTFLUX spoofed 1,700 apps to diversify their sellable inventory. Platforms should ensure the full suite of IAB Tech Lab supply chain transparency standards is enforced: app-ads.txt to identify who is allowed to sell inventory; sellers.json to reveal seller identities and SupplyChain Object to reveal and validate authorization to sell for all intermediaries.

The VASTFLUX operators further hid by selectively allowing only certain third-party advertising tags to run inside their hidden video player stacks. HUMAN recommends ad tech platforms prioritize tag evasion mitigation tactics with fraud detection partners to minimize this type of potential blind spot.

Users: Be Vigilant

Users can help in the broader fight against fraud by paying close attention to how their devices behave. If any of the following begin happening, it may be a sign that something is awry:

  • The device’s battery life degrades significantly in a short period of time. (Video ads consume more power than static or gif-based ads, and multiple hidden video players running video ads running at the same time will drain a battery rapidly.)
  • The device’s screen seems to turn on at unexpected times and without prompting, like in the middle of the night.
  • An app suddenly slows down the performance of the device.
  • Data use jumps dramatically from one day to the next.
  • An app crashes frequently and without warning.


Conclusion

VASTFLUX is down, but it’s certainly not the end of the story. We’ll be on the lookout for future adaptations and more clues as to the identities of the perpetrators. Sophisticated schemes, however, take a substantial amount of time to build. That time comes at a cost, and the scheme needs to recoup that cost before discovery and disruption, or the entire endeavor won’t have been worth it. That’s why HUMAN uses modern defense to uncover fraud schemes and build protections fast enough that fraudsters don’t profit enough to make back their costs. By disrupting the economics of cybercrime, like we did in the private takedown of VASTFLUX, it’s the only way to win the long game and keep the collectively protected programmatic advertising ecosystem fraud free.

IOCs

DOMAIN NAMES of C2
analytichd.com
bidderev.com
bidderopt.com
datahubserv.com
giniechoserved.com
hubspp.com
servehb.com
servepp.com
servermlrn.com
servinglabs.com
servioum.com
servomous.com
servoror.com
servrly.com
servrpp.com
trackingkey3.com
trackservexo.com
tredenel.com
trktrk222.com
intensebidmarket.com
merthub.com
servrly.com