People who follow digital security news have likely heard of the amazing Vastflux scam discovered in early 2023. As for the rest of us, any mention of Vastflux might induce thoughts of an acid reflux medicine. Nonetheless, Vastflux is real. It is real to the tune of billions of dollars in advertiser losses. Its recent discovery sheds light on how easy ad fraud can be to perpetrate.
Ad fraud takes many forms. Its main purpose is to increase the charges assessed against advertisers by generating as many clicks, taps, or impressions as possible. Every associated action winds up as a charge to the advertiser. So the more actions fraudsters can generate, the more money they make.
A Vast Ad Fraud Empire
It is not exactly clear how long Vastflux had been operating when it was uncovered. What we do know is that it was a vast ad fraud empire capable of generating tens of billions of fake ad requests every day. At its peak, the scam impacted some 11 million mobile devices. Fraudsters had spoofed 1,700 apps and hit 120 publishers.
The fascinating thing is that average cell phone users were part of the scam and didn’t even know it. Just by doing what they normally do on their phones, they helped the scammers generate hundreds of millions, if not billions, in fraudulent ad revenues. Somebody out there got filthy rich by taking advantage of mobile platforms and their inherent weaknesses.
Ad Stacking Was the Game
As previously noted, ad fraud takes many forms. In this particular case, ad stacking was the game. It was implemented in such an ingenious way that the scam was only uncovered by security experts investigating a separate threat. In essence, they stumbled across Vastflux while looking into something else.
Fraud Blocker is an IT security company that specializes in ad fraud prevention. They make an ad fraud software package by the same name. They say that ad stacking is a simple but effective way to steal from advertisers. Utilizing it involves creating tiny ads that cannot be seen by the naked eye.
In a mobile environment, advertisers can be charged for impressions rather than actual clicks or taps. That is, every time an ad is displayed in a mobile app or on a mobile website, the advertiser is charged. Vastflux perpetrators took advantage of this by purchasing legitimate ad slots through routine auctions.
With ad space secured, they injected code into a real ad to stack other ads under it. All these additional ads were too small to be seen. Nonetheless, every display of the legitimate ad also meant the stacked ads were displayed. They all resulted in charges to their respective advertisers.
It Works on Standard Websites, Too
Ad stacking is attractive to fraudsters working mobile platforms because screen sizes and clumsy fingers make for profitable ventures. But the practice can be implemented through standard websites, too. It is based on the same principle. You create a legitimate ad and then stack other ads underneath it. When the original ad gets clicked, they all get clicked.
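The stacked creatives described above share a few measurable traits: they are tiny, transparent, or sit entirely beneath the one real ad. The viewability audit below is an added example (not code from this article or from Fraud Blocker) that applies those checks to a page's ad-slot geometry before an impression is counted; the slot records, the viewport, and the 50-pixel / 50% thresholds are constructed assumptions, not measurements from any real page.

```javascript
// Viewability audit for ad slots: flags impressions that should not be billed.
// Each slot carries its bounding box, z-index and style as a verification script
// would read them in the browser; here they are embedded so the audit runs offline.

const MIN_VISIBLE_PX = 50;      // assumption: anything under 50x50 px is not viewable
const MIN_VISIBLE_RATIO = 0.5;  // assumption: at least half the slot must be visible

function area(r) { return Math.max(0, r.w) * Math.max(0, r.h); }

function intersection(a, b) {
  const x1 = Math.max(a.x, b.x), y1 = Math.max(a.y, b.y);
  const x2 = Math.min(a.x + a.w, b.x + b.w), y2 = Math.min(a.y + a.h, b.y + b.h);
  return { x: x1, y: y1, w: Math.max(0, x2 - x1), h: Math.max(0, y2 - y1) };
}

function isHiddenByStyle(s) {
  return s.opacity === 0 || s.display === 'none' || s.visibility === 'hidden';
}

// Returns one finding per slot: countable=true only when no stacking signal fires.
function auditAdSlots(slots, viewport) {
  return slots.map((s) => {
    const reasons = [];
    if (s.rect.w < MIN_VISIBLE_PX || s.rect.h < MIN_VISIBLE_PX) reasons.push('too_small');
    if (isHiddenByStyle(s)) reasons.push('hidden_by_style');
    const own = area(s.rect) || 1;
    if (area(intersection(s.rect, viewport)) / own < MIN_VISIBLE_RATIO) reasons.push('out_of_viewport');
    // Stacking: an opaque slot with a higher z-index covers most of this one.
    for (const o of slots) {
      if (o === s || o.zIndex <= s.zIndex || isHiddenByStyle(o)) continue;
      if (area(intersection(s.rect, o.rect)) / own >= MIN_VISIBLE_RATIO) {
        reasons.push(`covered_by:${o.id}`);
        break;
      }
    }
    return { id: s.id, countable: reasons.length === 0, reasons };
  });
}

// Constructed sample: one real banner with three ads stacked around it.
const SAMPLE_VIEWPORT = { x: 0, y: 0, w: 390, h: 844 };
const SAMPLE_SLOTS = [
  { id: 'banner', rect: { x: 0, y: 100, w: 320, h: 50 }, zIndex: 10, opacity: 1 },
  { id: 'stack1', rect: { x: 0, y: 100, w: 320, h: 50 }, zIndex: 1, opacity: 1 },  // under the banner
  { id: 'stack2', rect: { x: 10, y: 110, w: 1, h: 1 }, zIndex: 1, opacity: 1 },    // 1x1 pixel ad
  { id: 'stack3', rect: { x: 0, y: 100, w: 320, h: 50 }, zIndex: 20, opacity: 0 }, // transparent overlay
];

console.log(auditAdSlots(SAMPLE_SLOTS, SAMPLE_VIEWPORT));
```

Only the banner comes back countable; the other three each carry the reason that would justify rejecting their impressions.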
To make this work, a fraudster needs to give the impression that he is a legitimate publisher. He needs to convince advertisers to publish their ads through him. Unfortunately, it is surprisingly easy to do. Many of the online transactions in the digital ad space take place without human beings ever needing to interact with one another. Everything is done through websites and apps. In the end, ad fraud works because it is so easy to implement.