Security News

Researchers have shut down an "Expansive" ad fraud scheme that spoofed more than 1,700 applications from 120 publishers and impacted roughly 11 million devices. "VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views," fraud prevention firm HUMAN said.

A massive ad fraud operation dubbed 'Vastflux' that spoofed more than 1,700 applications from 120 publishers, mostly for iOS, has been disrupted by security researchers at cybersecurity company HUMAN. The operation's name was derived from the VAST ad-serving template and the "Fast flux" evasion technique used to conceal malicious code by rapidly changing a large number of IP addresses and DNS records associated with a single domain. The research team at HUMAN discovered Vastflux while investigating a separate ad fraud scheme.

In this Help Net Security video, André Ferraz, CEO at Incognia, discusses the impact of location spoofing and location-based fraud. Any tool that enables users to alter the location information given by their device is known as location spoofing.

Bots continue to evolve and thrive at the expense of companies. Kasada's research shows revenue loss from bot-driven account fraud and web scraping continues to skyrocket, despite companies spending more on bot mitigation solutions every year.

A massive advertising fraud campaign using Google Ads and 'popunders' on adult sites is estimated to have generated millions of ad impressions on stolen articles, making the fraudsters an estimated $275k per month. The campaign was discovered by Malwarebytes, who reported it to Google and took it down for violating policies forbidding Google Ads on adult sites.

The Australian Federal Police have announced today that a 24-year-old woman from Melbourne, arrested in 2019 for her role in large-scale, cyber-enabled identity theft crimes, was sentenced to five years and six months in prison. According to the AFT, she was part of an international crime syndicate engaged in "Large-scale and sophisticated cybercrimes," stealing at least $3.3 million and laundering another $2.5 million.

Eight braggadocious social media influencers fond of posing next to sportscars are facing charges from the US Securities and Exchange Commission and Department of Justice, who claim they manipulated their 1.5 million followers in order to help themselves to $100 million in "Fraudulent profits." The suspects, all men in their twenties and thirties, were charged with conspiracy to commit securities fraud in connection with a long-running, social media-based "Pump and dump" scheme, a recently unsealed Texas federal grand jury indictment [PDF] and an SEC complaint [PDF] revealed.

While the world slides into a recession, the resulting increased debt, supply chain delays, and inflation create increased pressure on individuals to make ends meet. In this Help Net Security video, Ari Jacoby, CEO at Deduce, discusses how cybercriminals see times of downturn as an opening to exploit potential vulnerabilities.

Since the early stages of the pandemic, account takeover fraud has significantly transformed, quickly becoming one of the fastest-growing cybersecurity threats with 22% of adults in the US falling victim to this attack. With new user fraud, synthetic ID, IRSF and promo abuse increasing rapidly, the new avenues for account takeover have turned this scheme into a beast that feels unstoppable.

E-commerce fraud is expected to cost merchants in excess of US$48 billion globally in 2023, up from over $41 billion in 2022 according to Juniper Research. It predicted that this growth will be accelerated by increasing use of alternative payment methods, such as digital wallets and BNPL, which are creating new fraud risks.