Imagine a billboard on Sunset Boulevard. Before anything goes up, the billboard’s owner casts about looking for the highest bidder, touting all sorts of factors like how busy the road is at different times of day, what type of people are likely to drive by, and the size and unique features of the two-dimensional real estate. Ultimately, Bulgari wins the bid, and up goes a forty-foot image of Anne Hathaway and Zendaya.

Now imagine the billboard’s owner sold that same space not just to Bulgari, but also to Netflix, Apple, Disney, Hulu, Grey Goose, and a hundred other brands, each one convinced their creative will be the one displayed. All of them pay, but only one ad is shown.

In the physical world, such a scam wouldn’t last long – someone from one of the scammed brands would drive by, see another brand’s ad, and angrily demand their money back.

But in the digital world, where billions of ads are shown across billions of mini billboards, how can a brand know that they’re getting what they paid for? The answer is a painfully complex network of technology designed to capture ad “impressions,” with brands paying a tiny amount for each impression they make.

What if someone could “hack” this process, create thousands of fake impressions, and collect fees from advertisers who were deceived into thinking their ad had been shown?

A group of cybercriminals recently did just that.

A recent cyberattack on the online advertising ecosystem was recently uncovered by security researchers at Human Security, a cybersecurity firm. Called “Vastflux,” the attack resulted in millions of people being impacted and hundreds of companies being defrauded. The cybercriminals behind Vastflux (who have not yet been identified) were able to infiltrate and manipulate over 1,700 apps and target 120 publishers, resulting in over 11 million devices being affected. At the height of the attack, the perpetrators were making over 12 billion requests for ads per day, i.e., collecting fees from 12 billion “impressions,” when only a tiny fraction of those impressions were legitimate.

The attackers did this by covertly infiltrating and manipulating the digital advertising ecosystem to stack multiple ads on top of one another. Unwitting users would only see one ad, but the attackers got paid for each stacked ad, causing the device’s battery to drain faster. Unwitting brands would think someone saw their ad, but it never actually appeared – instead a kind of ghost code ran undetected in the background that tricked the website into believing the ad was shown, gobbling up battery life in the process.

The attack primarily targeted iOS devices, but Android devices were also affected. Companies such as Google have strict policies in place to prevent such attacks and have taken action in response to the discovery of Vastflux.

Mobile ad fraud can take many forms, such as stacking ads, creating phone farms, click farms, and SDK spoofing. For device owners, signs of ad fraud include a faster battery drain, unexpected increases in data usage or screens turning on at random. It’s important for companies and individuals to be aware of the potential risks and take steps to protect themselves from such attacks. This could include implementing security measures, monitoring for unusual activity and seeking legal recourse if necessary.