How a Single Ad Auction Netted Scammers Huge Profits



How many times per day do you use your phone to get your mail, check the sports scores, get the weather, and so on? And how often do you use mobile apps besieged with tons of digital ads trying to sell you everything from hamburgers to oil changes? You could be participating in a huge ad fraud scam without even knowing it.

One of the most prolific mobile ad fraud schemes ever uncovered is known as Vastflux. It first made the news in the summer of 2022, after a security expert investigating a separate threat stumbled across it. Researchers would later find out that Vastflux was sending out billions of advertising requests per day at its peak. The scam affected 11 million phones, 1,700 apps, and 120 ad publishers.

Amazingly enough, it all started with a single ad auction. The person or persons behind the scam went in quietly. They went in by the book, competing in a legitimate mobile ad auction and winning it.


Silent Auctions in the Background

The ads you see while using your phone do not appear by chance. Advertisers bid for ad space based on criteria that fit their target audiences. As soon as you bring up a mobile app or visit a mobile website, a silent ad auction begins in the background. Winners are chosen and their ads are displayed on your phone.

All of this happens in the blink of an eye. It is all digitized and automated. Things move so quickly that you never notice it. But it’s there, in the background, every time you use your phone.

Scammers who specialize in digital ad fraud are intimately familiar with how the system works. They know how to exploit it without being caught. And when their actions are discovered, they know how to cover their tracks and move on before being identified. Such was the case with Vastflux.

Just Win One Auction

All the Vastflux scammers had to do was win one silent auction. Winning would give them an ad slot in that particular app. Then they would inject multiple tiny ads – too small to be seen, in fact – that were stacked on the legitimate ad they purchased. They would earn revenue for each and every stacked ad in the space.

What came next? Lather, rinse, repeat so to speak. They moved on and bid in another silent auction to get their foot in the door of another app. They continued to do this repeatedly until they had their ads in 1,700 apps.

They got away with it for so long because they went in cleanly and spread their efforts out over so many apps and ad publishers, rather than concentrating all their efforts in one place – which would have made their activities harder to conceal. No doubt they made millions from the scam.
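A defender-side check for the stacking described above, as an added example that is not from the original article: it groups a constructed impression log by auction win, flags any slot that billed more than one render or a render too small to be seen, and then lists the apps each flagged buyer touched. The record fields, the buyer IDs and the 30x30 pixel visibility threshold are assumptions.

```python
from collections import defaultdict

# Constructed impression log: one record per billed ad render.
# Field names and values are assumptions made for this example.
IMPRESSIONS = [
    {"auction_id": "a1", "app": "weather", "buyer": "b-17", "creative": "c1", "w": 320, "h": 50},
    {"auction_id": "a2", "app": "scores", "buyer": "b-42", "creative": "c2", "w": 320, "h": 50},
    {"auction_id": "a2", "app": "scores", "buyer": "b-42", "creative": "c3", "w": 1, "h": 1},
    {"auction_id": "a2", "app": "scores", "buyer": "b-42", "creative": "c4", "w": 1, "h": 1},
    {"auction_id": "a3", "app": "mail", "buyer": "b-17", "creative": "c1", "w": 300, "h": 250},
    {"auction_id": "a4", "app": "news", "buyer": "b-42", "creative": "c5", "w": 300, "h": 250},
    {"auction_id": "a4", "app": "news", "buyer": "b-42", "creative": "c6", "w": 2, "h": 2},
]

MIN_VISIBLE_AREA = 30 * 30  # assumed threshold, in square pixels


def stacked_slots(impressions, min_area=MIN_VISIBLE_AREA):
    """Return {auction_id: [reasons]} for slots that look stacked."""
    by_slot = defaultdict(list)
    for imp in impressions:
        by_slot[imp["auction_id"]].append(imp)
    flagged = {}
    for slot, imps in by_slot.items():
        reasons = []
        if len(imps) > 1:  # one auction win should bill one render
            reasons.append(f"{len(imps)} renders billed for one auction win")
        tiny = sorted(i["creative"] for i in imps if i["w"] * i["h"] < min_area)
        if tiny:
            reasons.append(f"renders too small to be seen: {tiny}")
        if reasons:
            flagged[slot] = reasons
    return flagged


def buyer_spread(impressions, flagged):
    """Apps touched by each buyer across flagged slots (spread over many apps)."""
    apps = defaultdict(set)
    for imp in impressions:
        if imp["auction_id"] in flagged:
            apps[imp["buyer"]].add(imp["app"])
    return {buyer: sorted(names) for buyer, names in apps.items()}


if __name__ == "__main__":
    flagged = stacked_slots(IMPRESSIONS)
    for slot, reasons in flagged.items():
        print(slot, reasons)
    print(buyer_spread(IMPRESSIONS, flagged))
```

Looking at the per-buyer view matters here because each individual app shows only a handful of extra renders; the pattern stands out once flagged slots are joined across apps.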

Advertisers Were the Victims

The victims in all of this were the advertisers who spent millions of dollars collectively on ads that were not generating sales. This sort of thing is all too common, according to Fraud Blocker. As a company that specializes in Google click fraud prevention and monitoring, Fraud Blocker says most advertisers lack sufficient skill or knowledge to stop ad fraud on their own.

It took a security expert looking for some other threat to uncover Vastflux. That’s how it goes. Advertisers and publishers rely on security experts and fraud monitoring and prevention software to give them a fighting chance. And still, scammers like the team behind Vastflux manage to steal tens of billions of dollars annually. It is really an incredible thing.

