Online advertising is big business. All over the world, publishers compete for websites, mobile apps, and any other online properties through which they can display their ads. With so much going on behind the scenes, online advertising is a hotbed of fraudulent activity. The recent discovery of a massive scam involving millions of phones gives a hint of just how pervasive the problem is.
The scam was discovered by a number of researchers at a cybersecurity company known as Human Security. Their specialty is ad and bot fraud. The researchers uncovered a sophisticated network involving 11 million phones, 1,700 mobile apps, and 120 ad publishers. At one point, the scam was netting 12 billion ad requests per day.
Researchers were so surprised by what they uncovered that some of them had to run the numbers multiple times to be sure they were accurate. The numbers are truly staggering by any measure. The most amazing part is that the vast majority of phone users whose devices were targeted were none the wiser.
Taking Advantage of Inherent Weaknesses
Named Vastflux by security experts, the scam represented just one of many variations of a larger problem known as ad fraud. The experts at Fraud Blocker describe ad fraud as the practice of clicking on or displaying ads for malicious purposes. More often than not, it is done to drive advertising revenues. That was the case here.
Vastflux was perpetrated by operators who set up a fraudulent publishing network through which all sorts of PPC ads could be served. They took advantage of some of the inherent weaknesses of mobile apps and their interaction with ad servers. Interestingly enough, the perpetrators started out slowly and gradually built their attack over time.
They allegedly began by purchasing legitimate advertising slots on popular mobile apps. With every slot they won, they inserted malicious code into the original ad, code that would allow ad stacking. Stacked ads are automatically loaded whenever the original ad is displayed, thereby registering fraudulent ad impressions for ads that are never actually seen.
Scaling Up the Attack
The original attack was brilliant on multiple levels. First, it utilized popular mobile apps without phone users knowing. Second, the stacked ads disappeared along with the original ad, making the fraud harder to detect. It worked so well that the perpetrators gradually scaled up the attack to include ever more phones, mobile apps, and advertisers.
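The two passages above describe the mechanism from the fraudster's side: one visible ad slot silently triggers many hidden impressions, and the hidden ads vanish when the original ad does. From the defender's side, the same mechanism leaves a measurable trace in impression logs: one device, one app, one slot producing several impressions within milliseconds, of which at most one is ever viewable. The following script is an added example, not code from the original article or from Human Security; the log format, field names and thresholds are assumptions, and the log lines are constructed for illustration.

```python
"""Flag ad-stacking candidates in ad impression logs.

Ad stacking fires many impressions from one ad slot on one device at
almost the same instant, while at most one of them is actually visible.
A legitimately rendered slot cannot produce more than one impression per
refresh, so an impression rate above that within a short window is a
strong signal. Log format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Fields, space separated:
# ISO-8601 timestamp, device id, app id, slot id, ad id, viewable flag (1/0)
SAMPLE_LOG = """\
2023-01-10T12:00:00.000Z dev-A app-news slot-1 ad-101 1
2023-01-10T12:00:00.020Z dev-A app-news slot-1 ad-202 0
2023-01-10T12:00:00.025Z dev-A app-news slot-1 ad-303 0
2023-01-10T12:00:00.031Z dev-A app-news slot-1 ad-404 0
2023-01-10T12:00:00.044Z dev-A app-news slot-1 ad-505 0
2023-01-10T12:00:02.000Z dev-B app-news slot-1 ad-101 1
2023-01-10T12:00:32.000Z dev-B app-news slot-1 ad-202 1
2023-01-10T12:00:05.000Z dev-C app-game slot-7 ad-606 1
2023-01-10T12:00:35.500Z dev-C app-game slot-7 ad-707 1
"""


def parse_log(text):
    """Parse the constructed log format into a list of impression records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, app, slot, ad, viewable = line.split()
        records.append({
            # "Z" is normalised to an explicit offset so older Pythons parse it
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp(),
            "device": device,
            "app": app,
            "slot": slot,
            "ad": ad,
            "viewable": viewable == "1",
        })
    return records


def find_stacked_slots(records, window_seconds=1.0, max_per_window=1):
    """Return (device, app, slot) groups whose impression count inside a
    time window exceeds what a single rendered slot could produce.

    The returned dict carries the evidence a reviewer would want: how many
    impressions fired, how many were viewable, how many distinct ads were
    involved, and the share of impressions nobody could have seen.
    """
    buckets = defaultdict(lambda: {"impressions": 0, "viewable": 0, "ads": set()})
    for r in records:
        # Fixed-width time buckets keep the check O(n); a sliding window
        # would catch bursts straddling a bucket edge at extra cost.
        bucket = int(r["ts"] // window_seconds)
        b = buckets[(r["device"], r["app"], r["slot"], bucket)]
        b["impressions"] += 1
        b["viewable"] += int(r["viewable"])
        b["ads"].add(r["ad"])

    flagged = {}
    for (device, app, slot, _bucket), b in buckets.items():
        if b["impressions"] > max_per_window:
            # If the same slot bursts in several windows, the last one wins;
            # a production check would aggregate across windows instead.
            flagged[(device, app, slot)] = {
                "impressions": b["impressions"],
                "viewable": b["viewable"],
                "distinct_ads": len(b["ads"]),
                "hidden_share": 1 - b["viewable"] / b["impressions"],
            }
    return flagged


if __name__ == "__main__":
    for key, evidence in find_stacked_slots(parse_log(SAMPLE_LOG)).items():
        print(key, evidence)
```

In the sample data, dev-B and dev-C each show the normal pattern of one impression per slot refresh, thirty seconds apart, and are not flagged; dev-A fires five impressions from one slot in under fifty milliseconds with only one viewable, which is exactly the stacked-ad footprint described above. A viewability signal alone would miss this if the stacked ads are never measured, which is why the check keys on impression rate per slot first and uses viewability as corroborating evidence.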
Their ability to scale only adds credence to the assertion that ignoring click fraud makes it worse. Unfortunately, far too many online advertisers consider a certain amount of click fraud acceptable. They plan for it to happen. They plan to lose a certain amount of money to it. But does that make sense?
It Makes Sense to Scammers
Actually, it makes perfect sense to scammers who go out of their way to construct increasingly sophisticated attacks. They are ramping up their level of sophistication to not only prevent being detected, but also frustrate advertisers in hopes that they will simply give up trying to fight it.
In the case of Vastflux, it is unclear how long the scam ran and how much money the perpetrators earned from it. But their profits could easily be in the millions. The beauty of it all, for the perpetrators at least, is that scamming the system doesn’t require a ton of effort. The hard part is setting up the original attack. But once it is running, they sit back and collect the profits.
Was your phone one of the 11 million targeted by Vastflux? If you don’t already know, chances are you never will.