Pixalate today launched the AdFraud IOC-Database, the ad industry’s first open-source ad fraud intelligence resource. The AdFraud IOC-DB contains free, weekly-updated lists of the highest-risk ad fraud indicators of compromise (IOCs) on which Pixalate has observed invalid traffic (IVT).
The AdFraud IOC-DB reveals the top 50 IOCs observed across multiple supply-path touchpoints, including IP addresses (IPv4 and IPv6), device IDs, data centers, fraudulent Bundle IDs, MFA publishers, and delisted apps.
AdFraud IOC-DB is dedicated to helping combat the spread of ad fraud, invalid traffic, and abusive activity in the digital advertising supply chain.
By publicly releasing a free, weekly-updated feed of the highest-risk threat indicators, Pixalate aims to arm Small to Mid-sized publishers (SMBs) and the ad-tech community with the enterprise-grade intelligence needed to safeguard the digital supply chain.
“Cybersecurity relies on community and information sharing, but the ad tech sector still operates in silos,” said Jalal Nasir at Pixalate. “With AdFraud IOC-DB, we are breaking down those barriers. By identifying and sharing the highest risk threat vectors observed by Pixalate – from botnet IPs to spoofed Bundle IDs – we are empowering the ad-tech community to take immediate action against the bad actors draining the digital economy.”
Enterprise-Grade Intelligence, Publicly Available
AdFraud IOC-DB is powered by Pixalate’s MRC-accredited ad fraud detection engine, which analyzes 183 billion global data points daily. It filters this massive dataset down to the 50 most critical threats, allowing sysadmins to easily integrate high-risk blocklists without overwhelming their infrastructure.
IOC-DB Data Points
The IOC Database is based on Pixalate’s analysis of 183 billion global data points analyzed daily across 1.4+ billion IP addresses, 11.5+ billion CTV and mobile device IDs, 3.1+ million domains, 137K+ CTV apps, and 13.4+ million mobile apps to surface the highest-risk end-points across:
- High-Risk IPs: Monitor both IPv4 and IPv6 addresses associated with botnet command-and-control.
- Datacenters: Identify cloud service IPs that are generating non-human traffic patterns.
- Device Fraud: Examine CTV and mobile device IDs for patterns of IVT, including continuous-play abuse and device-spoofing signals.
- Fraudulent CTV Bundle IDs: Identify fraudulent CTV identifiers used in the programmatic bidstream.
- Delisted Apps: Monitor apps delisted from official stores but still generating impressions via programmatic supply paths.
- Made For Advertising (MFA): Analyze MFA publishers across websites, CTV apps, and mobile apps.
Pixalate’s MRC-accredited IVT detection system analyzes all data points for patterns of invalid traffic. High-risk end-points are added to Pixalate’s blocklists, and the AdFraud IOC-DB reveals the top 50 (based on ad volume) IOCs in a given category on a weekly basis.
AdFU IOC Categories
Researchers can query across 8 IOC categories, each containing ad fraud signals and infrastructure data:
| Category | Example IOC | Description | Available Data Fields |
| IPv4 | 150.136.126.249 | IPv4 addresses associated with high-risk activity | IPv4 identifier, Primary Ad Fraud Type, ISP |
| IPv6 | 2601:8c:4b7f:1ba0:c4a5:a3b:eae7:e32d | IPv6 addresses associated with high-risk activity | IPv6 identifier, Primary Ad Fraud Type, ISP |
| Data Center IP | 3.129.46.191 | Data center IPs that frequently source non-human traffic, including botnets and crawlers | Identifier, Primary Ad Fraud Type Observed, ISP |
| CTV Device ID | f562ff29-3b7a-4846-8535-f92e94b337f6 | CTV device IDs linked to high IVT volumes | Device ID, Primary Ad Fraud Type, Operating System |
| Mobile Device ID | e129f27c5103bc5cc44bcdf0a15e160d445066ff | Mobile device IDs linked to high IVT volumes | Device ID, Primary Ad Fraud Type, Operating System |
| Fraudulent CTV Bundle ID | 820731 | Fraudulent CTV Bundle IDs used in fraud or impersonation | Identifier, Platform Name, OS |
| Mobile Delisted App | happy.paint.coloring.color.number | Mobile apps delisted from stores but still active, generating ad impressions or indicating supply chain risks | App ID, App Name, Developer, OS |
| CTV Delisted App | 2016 | CTV apps delisted from stores but are still active, generating ad impressions or indicating supply chain risks | App ID, App Name, Developer, OS |
For more such updates, follow us on Google News Martech News
